Another public administration in the U.S. surrenders cybercriminal demands as La Porte County, Indiana, pays $130,000 to recover data on computer systems impacted by ransomware.
The attack occurred on Saturday, July 6 and was spotted before it propagated to all the computer on the network. The IT department reacted was able to confine it to less than 7% of the laptops.
Despite this response, two domain controllers were impacted so network services became unavailable. Three days later, the government emails and the county website were still not working, The News Dispatch reported.
A forensic investigation firm and the FBI were involved but attempts to recover the data encrypted by the malware without paying the ransom were fruitless.
Insurance covers part of the cost
The cybercriminals got about $130,000 in Bitcoin from this attack, with $100,000 being covered by insurance. The impact may not be immediate but it does create some ripples in the long run.
"Fortunately, our county liability agent of record, John Jones, last year recommended a cybersecurity insurance policy which the county commissioners authorized from Travelers Insurance" - Dr. Vidya Kora, La Porte County Board of Commissioners President, told The News Dispatch.
The decision to pay the cybercriminals came after seeing that the decryption keys from the FBI could not restore the encrypted files.
Blame it on Ryuk
According to WSBT, the county had backup servers but the malware infected them.
The news publication says that the ransomware affecting La Porte County's systems is Ryuk, the same one that attacked the City of Lake City on June 10 in what the municipality called a "triple threat" because it came from an Emotet infection that delivered Trickbot trojan, which then deployed Ryuk.
In the case of Ryuk, antivirus maker Emsisoft states that they have between 3% and 5% chances of success to decrypt the files. The odds are poor, but they are better than nothing.
Paying is a short-term solution
The infosec community and the law enforcement agencies consider bad practice to pay the criminals for the decryption key. This only enforces the idea that a successful attack will yield a profit and embolden crooks to deploy more of these attacks. Moreover, there is no sure way to know that the attackers will keep their promise once the money gets to them.
In lack of decryption keys, the method that works best to protect data from being encrypted by ransomware is to set up a backup system that runs regularly and stores copies in a safe place, isolated from the network.
La Porte County is not the only administration to pay for getting their files back. Attackers collected over $1 million (107 Bitcoins) in June from just two municipalities in Florida, Lake City and Riviera Beach.
However, there is a concerted effort to fight this type of attacks. Mayors in the US adopted a resolution not to pay cybercriminals after ransomware infections, in order to discourage them.
Comments
whitedragon551 - 4 years ago
This is why its important for enterprise backup systems to have access only through a service account that nobody knows the credentials too.
the_moss_666 - 4 years ago
"La Porte County Pays $130,000 Ransom"
Well, next ransomware victim should thank La Porte County for sponsoring the attack. Only long term solution is not to pay ransom. Otherwise, rate of these attacks grows exponentially.
SamSepiol - 4 years ago
Easy to say when your data is not at stake.
the_moss_666 - 4 years ago
This is where good backup solution takes place. It's necessary step in "do not pay" strategy to stop ransomware plague. Police can't solve this problem. We can play Whack a Mole forever, but as long as it's profitable, there will allways be one or two popping out next time.
Also, I believe that lack of backup (or insufficient backup) in enterprise environment should be officially considered as a safety hazard.
SR71BlkBrd86 - 4 years ago
Ugh, this is some nasty business. CryptoLocker and all the variants that have come out since then have made me a very strong believer in quarterly cold storage backups.