The second US city in less than a month has cowed to the demands of a ransomware hacker, handing over $660,000 worth of bitcoin in exchange for regaining control of its email and phone systems.
Lake City in Florida was targeted in what it has called a “triple threat” malware attack on June 10.
More than two weeks later, Associated Press reports that the city has agreed to the ransom demands, paying $US460,000 ($657,700) worth of Bitcoin to the hacker.
In a series of statements released on June 10 and 11, the City of Lake City reported all its email systems and most landline phones were inoperable as a result of the attack.
Building permits were being hand-written, and utility bills had to be paid in person at City Hall, with no credit card payment options available.
There was no disruption to emergency services, however, as they operate on an isolated network protected by encryption.
“Our IT staff have been working non-stop to isolate our systems and recover any lost data. We have also contracted an outside consultant with expertise in combating this sort of attack,” city manager Joe Helfenberger said in a statement at the time.
Chief of police Argatha Gilmore added that the city has partnered with the Florida Department of Law Enforcement, “to help initiate a criminal investigation into who perpetrated this attack”.
However, attempts to revive the computer systems were largely unsuccessful, and according to a BBC report, officials in Lake City eventually voted to give the hackers what they wanted.
“I would have never dreamed this could have happened, especially in a small town like this,” Lake City mayor Stephen Witt told local media.
Bitcoin ransoms abound
Lake City became the second Florida municipality to pay out bitcoin ransoms in a matter of weeks.
At the end of May, Riviera Beach was hit with a malware attack that the police department said caused a failure of most of its main computer systems.
“Information technology staff has identified the source of the computer system failure and are working, almost around the clock, to restore it,” the Riviera Beach Police Department said in a Facebook post on May 31.
“They anticipate all systems will be returned to normal at some point during this weekend,” the post added.
However, the outage was ongoing, and it became clear that it was caused by hackers demanding a ransom for regained access.
On June 20, Associated Press reported that the Riviera Beach council had voted unanimously to give in to the hacker’s demands, handing over bitcoin worth about $US600,000 ($857,800).
The council had reportedly not planned on paying the attackers, instead spending almost $US1 million on new hardware, with plans to rebuild.
But the city still had no access to prior records, and outside security consultants eventually recommended the ransom be paid.
In both cases, the majority of the payout will be covered by the cities’ insurance.
Elsewhere, just yesterday CBS Miami reported a third data breach in a third Florida town, the Village of Key Biscayne, which has about 3,000 residents.
“Key Biscayne is working with outside counsel and third-party forensic experts to ensure that its systems are secure, and to determine the scope of event,” city manager Andrea Agha told CBS Miami.
So far, the Village of Key Biscayne has not commented as to whether it has received a ransom demand.
Demanding payment in Bitcoin obviously makes the hackers difficult to trace.
At the same time, the relatively low ransom price tags — at least in comparison to any alternative resolution — means simply paying up seems to be the most viable option for many local councils.
Speaking to the BBC after Riviera Beach opted to pay the ransom, Cesar Cerrudo, chief technology officer at security firm IOActive, noted that cyber criminals will go for maximum payout for minimum effort.
“That’s why targeting city technology is a good business opportunity to them,” he said.
While large organisations have become savvier to cyber threats, local governments have not. The Riviera Beach malware was uploaded to the systems after an employee clicked on an email link.
While there haven’t been any reports of this kind of attack in Australia (yet), this string of hijacked cities in Florida serves as yet another reminder to watch what you click on, especially if the running of your whole city depends on it.