"We never negotiate" might be the expectation whenever law enforcement or government agencies get targeted by criminals or even terrorists. But outside Hollywood, the reality is often disappointingly far less rigid.
Take the town government of Medfield, Mass., which in December 2015 paid a ransom demand of half a bitcoin - worth $300, it said - to a cybercrime gang after it successfully infected a town server with ransomware and encrypted its contents, the Boston Globe reported Feb. 2.
"Paying the ransom was the most expedient option."
"After numerous attempts were made to unlock the town's files, it was determined paying the ransom was the most expedient option for the town," according to a statement the town provided to the newspaper.
Officials in the town - population: 12,000 - haven't responded to my questions about the ethos of paying criminals for their crimes, or if it's taken steps to ensure that attackers can't just infect its systems again and demand another ransom, ad infinitum.
Luckily for Medfield, the gang did provide a decryption key after receiving its ransom demand. Likewise, the town believes there was no data breach or exfiltration of files, not least because it stores payroll records offsite and "department information and records" were stored on a server that wasn't infected. The town is also - better late than never - reportedly now backing up all of its files and seeking guidance on better overall information security practices.
Cops Cave to Ransom Demand
Unfortunately, Medfield is not the only government body opting to pay its way out of information security troubles, despite the moral dubiousness of that proposition. Just 35 miles to the north in Tewksbury, Mass., for example, the town's police department in December 2014 suffered a Cryptolocker infection, the Tewksbury Town Crier reported.
Tewksbury Police Chief Timothy Sheehan defended paying off the attackers, telling the newspaper that it was the best option after the town suffered an attack that he described as being "like cyberterrorism," only to discover that its oldest intact backup for the affected system was 18 months old.
"Nobody wants to negotiate with terrorists. Nobody wants to pay terrorists," he added. "We did everything we possibly could. ... Paying the bitcoin ransom was the last resort."
Pay Now or Pay Later
Many security experts would beg to differ, at least when it comes to the first-resort concept of planning ahead. One such example comes via Lincolnshire County Council in England, which last week disclosed that 300 of its systems had been infected with a new type of ransomware, and that it declined to pay demanded ransoms, the BBC first reported.
"The council was subject to a malicious software attack delivered as an email attachment," says Judith Hetherington Smith, the council's CIO, in a statement. "We immediately took action to look after all our data and closed down our systems so they couldn't be compromised. This was a new piece of malware so we worked with our security vendors to find and test a solution." In the interim, she notes that many employees had to resort to using paper and pen, and that some services - including libraries - were disrupted while systems were restored.
So far, it's not clear if the ransomware was brand new, or if attackers repacked existing malware so it didn't match existing signatures for known viruses. Also, the initial BBC report claimed that the malware flashed a Â£1 million ($1.5 million) ransom demand, payable in bitcoins. In reality, however, the ransomware was actually "asking for $500 in bitcoin, increasing over time if not paid," Smith says. "But as a public authority this was never something we were going to do."
Who's Not Paying Attention?
Despite some public sector agencies getting targeted, the threat from ransomware isn't new. As the FBI warned in June 2015, over the preceding 12 months, U.S. businesses and consumers had experienced more than $18 million in fraud just from a single CryptoWall ransomware gang. That's why the bureau urged all computer users to take proactive - and let's be honest, easy and commonsense - security steps to defend systems against ransomware.
Security experts have long offered the following advice for defending against ransomware attacks:
- Use anti-malware: Employ up-to-date anti-malware tools on desktops, laptops and servers to block ransomware from being able to infect systems.
- Back up everything: Regularly back up all systems and servers, maintain offsite backups so any ransomware-infected systems can be wiped and restored, and continually test all backups (see Ransomware: 7 Defensive Strategies).
- Don't pay: Whether it's ransomware or cyber-extortion rings threating distributed denial-of-service attack disruptions, law enforcement agencies recommend never paying attackers, since it will just keep them - and their peers - coming back for more.
Organizations that properly prepare to defend themselves against ransomware attacks avoid having to even consider paying bitcoin ransoms to anyone.