Earlier this year, the city of Atlanta was struck with a crippling SamSam ransomware attack. The city lost critical functions for weeks due to downtime, and permanently lost terabytes of historical data. The city opted not to pay the $50,000 bitcoin ransom to recover their data from the hackers. The rebuild is estimated to have cost Georgia taxpayers more than $17 million.
More recently, the Pennsylvania Senate Democratic Caucus sustained a ransomware attack in which the attacker demanded close to $30,000 to decrypt their data. Rather than pay, the organization opted to rebuild at a cost of more than $700,000, 23x the ransom amount.
While there is no guarantee that data will be recovered if ransomware is paid, industry surveys point to a recovery rate of 70 percent to 80 percent.
These cases present a different angle on the “never pay for ransomware” debate, as unlike a small commercial entity, municipal organizations are not at risk of bankruptcy or systemic failure as a result of the attack. A small business that must meet the demands of a supply chain can easily be dropped from that supply chain if its business gets bound up by a crippling ransomware attack. That is why 75 percent of small businesses that sustain a ransomware attack note that the downtime is potentially life-threatening. The government of the city of Atlanta was not going to disappear as a result of its attack—a luxury that only taxpayer-funded organizations can consider, as evidenced by its choice to pay 340 times the ransom amount to rebuild, rather than pay the ransom.
Negotiating with Hackers: Stick To Principles or Be Practical?
These situations are increasingly common and pose a challenging dilemma to the representatives making the decisions. On one hand, it is fundamentally not palatable to pay a hacker a ransom amount, and even more so if the organization is part of the state municipal government. On the other hand, spending 340x the ransom amount, of taxpayer money on the recovery effort is also a bit jarring. To put that in perspective per budget forecasts for 2018, the $17 million the city spent on recovering is equivalent to:
- The total compensation received by every executive employee of the City of Atlanta.
- The total amount contributed to the City of Atlanta’s Firefighters Pension fund.
- The total operating budget of the City of Atlanta’s Finance Department.
If the city had put forth a ballot measure to vote on the course of action that should be taken, how would Atlanta’s constituents have voted, given the magnitude of the taxpayer cost? How will future constituents of other municipalities react when a similar story unfolds with their tax dollars on the line?