A council has fired its IT director after a ransomware attack brought the municipality's operations to a halt last month, a move that could set a dangerous precedent for the industry.
Manager Brian Hawkins had been a member of Florida's Lake City IT department for five years before the incident crippled its network for two weeks.
The ‘triple-threat’ attack began in early June when another employee opened an email attachment infected with the polymorphic Emotet trojan.
Emotet then dropped the TrickBot trojan onto the network, which finally downloaded the Ryuk ransomware and locked out all the organisation's users.
After being locked out for a fortnight, Lake City instructed its insurers to pay the ransom of 42 Bitcoins (then worth US$460,000) to decrypt its computer systems, with the council subject to a $10,000 excess – a cost that Lake City hopes to absorb only once.
“Our city manager did make a decision to terminate one employee,” Lake City Mayor Stephen Witt told local journalists.
“And he is revamping our whole IT department to comply with what we need to be able to overcome what happened this last week or so, and so it doesn't happen again.”
Hackers targeting councils
Lake City was the second of three Florida city councils to succumb to ransomware in recent weeks.
Riviera Beach paid hackers US$600,000 in Bitcoin last month after its network was also infected with the Ryuk ransomware, while the Key Biscayne council is in the process of managing its own ransomware event.
There has been a spate of attacks on US municipalities this year.
A court in Georgia largely deflected the Ryuk ransomware this month thanks to a swift response to the infection.
Baltimore City is still struggling to deal with the effects of a ransomware attack that began in May.
In Baltimore's case, hackers using the Robbinhood ransomware asked for an initial ransom of 13 Bitcoins (roughly US$76,000 at the time), which the city refused to pay.
Initial estimated costs for a full systems recovery and lost revenue from the lockout were upwards of US$18 million.
Baltimore’s decision not to pay the ransom, while costly, is the recommended response.
Former FBI cyber expert James Trainor explained why.
“Paying a ransom doesn’t guarantee an organisation that it will get its data back,” Trainor said.
“We’ve seen cases where organisations never got a decryption key after having paid the ransom.
“Paying a ransom not only emboldens current cyber criminals to target more organisations, it also offers an incentive for other criminals to get involved in this type of illegal activity.
“And finally, by paying a ransom, an organisation might inadvertently be funding other illicit activity associated with criminals.”
A hefty price to pay
Here in Australia, small businesses, rather than local councils, remain the main target for ransomware.
Just last month, Adelaide news site InDaily reported that a newsagent had fallen victim to a ransomware attack that risked his entire operation.
“The software program a list of all my customers, the orders we do the runs, how much money they owe me – everything,” newsagent Steve Hewish told InDaily.
“If we lost that and tried to rebuild it, the potential financial cost could have closed the company.”
Beyond general improvements to an organisation’s cyber security, Professor of Cyber Security at Deakin University, Matthew Warren, told Information Age that regular backups were the best way to avoid suffering the worst costs of ransomware.
“This is becoming a more common attack situation that is very easy to deal with if organisations are prepared because the mitigation solution to the attack is a very simple one: scrub the entire system and restore data from backups,” Warren said.
“The problem is that most organisations don’t have up-to-date backups due to the complexity of their tech systems.
“It indicates that an organisation has problems managing the complexity of its own systems and awareness of its resilience.
“This isn’t so much a problem to do with the tech as having the right processes in place.”