Huge Ransomware FUBAR at Florida Beach Town

The city of Riviera Beach, Florida, has “given in” to ransomware. And it’s the biggest municipal ransom we’ve seen.

65 Bitcoin—about $600,000. Insurance will cover it, but wouldn’t it be better not to encourage these shysters?

Yes, once again, an IT department that doesn’t have a workable disaster-recovery plan. In today’s SB Blogwatch, we test our backups.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: dab-ID.

IT − DR = ₿65

What’s the craic? Terry Spencer reports—“Florida city pays $600,000 ransom to save computer records”:

 [It’s] the latest in thousands of attacks worldwide aimed at extorting money from governments and businesses. … The hackers apparently got into the city’s system when an employee clicked on an email link that allowed them to upload malware.

The city of 35,000 residents has been working with outside security consultants, who recommended the ransom be paid. … The payment is being covered by insurance.

Numerous governments and businesses have been hit … in recent years. Baltimore refused to pay hackers $76,000 … last month. The U.S. government indicted two Iranians last year for allegedly unleashing more than 200 ransomware attacks, including against … Atlanta and Newark, New Jersey. The men … received more than $6 million in payments [say] prosecutors.

Surely paying a ransom only encourages the perps? Curtis Franklin Jr. agrees—“It almost guarantees greater attacks against other governments”:

 On May 29 … a police department employee opened a malicious email attachment, [which] ultimately disabled all of the city’s online systems, including email, a water utility pumping station, some phones, and the ability to accept utility payments. … As of press time, Riviera Beach has not reported whether it has been given the key to decrypt the locked files.

Paying the ransom for ransomware is rarely recommended, but that didn’t stop Riviera Beach. … The payment could have far-reaching consequences.

No ****, Sherlock? Hamza Shaban—@hshaban—mashes his CAPSLOCK and splits an infinitive:

 In a jaw dropping move, a city in Florida … voted unanimously to PAY THE HACKERS … to maybe get their files back. The city council claims that security consultants recommended the decision to give in to extortion.

Florida Man: watch me smother bbq sauce all over my face and then put my head into this chill alligator’s mouth
Florida City: hold my beer.

But DadBod—@db—doesn’t much like the alternative:

 Or they could’ve not paid the hackers—like Baltimore—and had their infrastructure messed up for weeks.

Baltimore? jrochkind1 reminds us of the situation there:

 Damages have not been repaired in Baltimore. 6 weeks later, most city services are still down. You can’t pay a parking ticket or a water bill online.

There were two weeks when real estate transfers were frozen, because there was no way to check city liens. They can be done now, using a paper-based system that actually has those involved in the transaction sign an unusual contract agreeing to take on liability for unknown liens.

The Baltimore ransomers only wanted ~$100K. If I were the mayor, yeah I’d pay it.

The cause of the pain is that they haven’t been running their IT in a secure fashion, and this is the real problem. … I hope that the ‘recovery’ efforts, done in an emergency fashion, don’t distract them from … figuring out what they’re going to do about it.

But are we victim shaming? No, says Mashiki, summarizing the problem:

 Piss poor infosec. Followed by piss poor … backup policies. Followed by even worse internal protection … allowing machines to run rampant across the network and do whatever they want.

It’s going to take multiple serious issues to get people to do even the most basic precautionary measures. Poor backup policies are perhaps my least favorite.

A friend of mine was dealing with the aftermath of the Slave Lake (Alberta) fire ~8 years ago. There was no offsite, no remote, no rotational backups. They lost a decade’s worth of data, everything from tax records to lien information to payroll.

The kicker? Their IT service was farmed out to another company which was supposed to have set up a policy, and taught everyone what to do. … When the city came knocking? They closed up shop and both owners fled out of the country.

But why a small Floridian city? Pollux thinks objectively:

 Let’s say I was a hacker, and I wanted to make some money. And I had a ransomware tool that I could deploy—nothing custom or fancy, just some run-of-the-mill, cookie-cutter package I got for cheap off the dark web.

Do I target a mega corporation, that likely pays for high-tier security experts to keep their data locked tight … or do I go after some public entity, someone with valuable data necessary to their daily operations, but lacking the security expertise to keep it properly protected, secured, and redundant?

So Danny Bradbury follows the money—“Florida city will pay over $600,000”:

 Waiting to make the payment has cost Riviera Beach even more money. On 30 May 2019, the day after the infection, … 65 Bitcoins … equated to $540,765. … As of yesterday, 20 June 2019, it amounted to $619,265.

Bitcoin’s volatility can make an already tense situation even more problematic for victims.

Meanwhile, Steve Faktor—@ideafaktory—is dripping with sarcasm:

 $600K is a very reasonable ransom for a smallish city. I commend the hackers on such conscientious market sizing & customer-centricity.

This will likely generate lots of positive Yelp reviews. Kudos.

And Finally:

How the heck does fingerprint recognition actually work?

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Boston Public Library (cc:by)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
