- The Washington Times
Thursday, July 11, 2019

Over 300 U.S. mayors have signed a pact to not pay “ransomware” in the face of a wave of hacker crimes that have taken over computer networks and frozen systems in cities across the country, but leading cybersecurity experts are skeptical that the united front will actually discourage attacks.

Cities large — Baltimore, Atlanta — and small — Lake City, Florida — are among the targets of the cyberattacks, which can shut down a city or county’s vital processing systems for an extended period of time.

“I agree with the mayors that you should never pay a ransomware ransom because it encourages them to attack other cities, but ultimately it will have zero impact,” said John Zanni, CEO of the Scottsdale, Arizona-based cybersecurity firm Acronis SCS.

The attacks, cybersecurity experts and city officials agree, have created such an expensive dilemma for cities over whether to pay or resist that the U.S. Conference of Mayors earlier this week unanimously adopted a resolution aimed at “de-incentivizing these attacks to prevent further harm.”

While the move is not legally binding, it does provide some cover for mayors willing to resist the demands of cybercriminals, who have increasingly held hostage a broad range of government services from emails and voicemails to property tax portals, comptroller finance systems, and even water pumping and testing stations.

The resistance is sorely needed, mayors argue, citing recent statistics showing that “at least 170 county, city, or state government systems have experienced a ransomware attack since 2013” while “22 of those attacks have occurred in 2019 alone.”

Some cities, like Baltimore, have refused to pay and wound up facing even higher losses as a result.

In Baltimore’s case, hackers in May used ransomware to demand $76,000 in bitcoin. Instead of paying, officials rebuilt their IT network, with costs ballooning to more than $18 million, according to The Baltimore Sun.

Florida, long a haven for criminal scams, has gone the opposite direction. There, the cities of Riviera Beach and Lake City were so frozen by ransomware attacks that officials admitted to paying a combined $1 million.

The flurry of activity has caused both the FBI and the Department of Homeland Security to intensify warnings that, as in kidnappings, paying ransoms only “encourages” additional crimes.

But more attacks look like the trend, experts say, because foreign hackers have clearly figured out that smaller cities are much easier to penetrate than the U.S. federal government, where massive budgets and expert personnel protect data and operations.

“Ransomware attackers have now gotten a taste for attacking state and local government. They’ve found honey pots of opportunity and they’re not going to stop,” Mr. Zanni told StateScoop.com.

The ransomware behind the attacks is also rapidly evolving, from viruses called CryptoLocker and CryptoWall to a more recent malware known as SamSam, which attacked Atlanta, Newark, the port of San Diego and the Colorado Department of Transportation before disappearing last fall.

The most potent and problematic, however, appears to be a program originally developed by the National Security Agency, known as Eternal Blue.

Earlier this year, The New York Times reported that cybercriminals in 2017 gained access to Eternal Blue, which some experts say is the main culprit in the rising wave of attacks.

Leading Johns Hopkins University cybersecurity expert Thomas Rid has argued that the loss of Eternal Blue, which was stolen by a still-unidentified group calling itself the Shadow Brokers, was “the most destructive and costly NSA breach in history.”

An additional frustration, analysts say, is that even when cities pay a ransom, there is no guarantee the data will actually be recovered.

“You expect to actually pay the ransom and receive a key that will unlock everything,” Zohar Pinhasi, CEO of cybersecurity firm MonsterCloud, told UPI.

But often hackers only unlock some encrypted data, not the entire batch of data that they held hostage and corrupted, he added.

“They just want to get their money and they’re going to leave,” Mr. Pinhasi said. “They don’t really care about anything else.”
