Second Florida City Pays Up Following Ransomware AttackAfter Struggling With Recovery, City Negotiates a Ransom Payment
A second small city in Florida is paying off cybercriminals to recover from a ransomware attack that has crippled the municipality's local network since June 10.
On Monday, officials in Lake City voted to allow the municipality's insurance carrier to pay 42 bitcoins, or about $530,000, to the attackers to decrypt files and restore the network, according to local television station WCJB.
Although it's paying through its insurance company, Lake City will be responsible for the $10,000 deductible on its policy with the League of Cities, according to WCJB.
This is the second time this month that a Florida community has agreed to pay attackers rather than try to recover from a ransomware attack on its own.
On June 17, officials in Riviera Beach authorized the city's insurance carrier to pay about $600,000 in bitcoins to end a ransomware attack. In addition, the community is paying nearly $900,000 to buy new IT equipment and gear following the attack (see: Florida City Paying $600,000 to End Ransomware Attack).
Law enforcement agencies, including the FBI, generally discourage the payments of ransoms after ransomware attacks because that can embolden the attackers to attempt other attacks.
After a recent ransomware attack, the city of Baltimore refused to pay a ransom, and so far, it has spent about $18 million to recover (see: Baltimore Ransomware Attack Costing City $18 Million).
On June 10, Lake City posted a notice on its website that the municipality's network had been attacked by malware called "Triple Threat," and that files and other systems, including phones and email, had been encrypted. The local police and fire department were not affected, according to the notice.
After the attack, the city's IT department attempted to recover, but the effort was unsuccessful; that led to the city’s decision to pay the attackers, a Lake City Police Department spokesperson told WCJB. An investigation into the incident is continuing, and the municipality is working with the Florida Department of Law Enforcement and a third-party security company, city officials say.
“Based on the advice of the vendors the purchase provided a mechanism to the city to retrieve the city’s files and data, which had been encrypted, and hopefully return the city's IT system to being fully operational,” City Manager Joe Helfenberger said on Wednesday. “If this process works it would save the city substantially in both time and money.”
Some security experts say that it appears that the city’s reference to “triple threat” may refer to an attack described by security firm Cybereason earlier this year that involves using the Emotet and TrickBot Trojans to deliver Ryuk ransomware.
As the Cybereason report and other security researchers note, TrickBot is better known as a banking Trojan, but the malware has the capability to communicate with a command-and-control server and to exfiltrate sensitive data from servers. By combining Emotet and TrickBot, the attackers have many different choices in infecting a network.
"This [attack] works by having a single infection of Emotet happen on an endpoint. From there, the Emotet malware tries to spread itself via malicious spam to the contacts of the infected user; meanwhile it will download and launch Trickbot," Adam Kujawa the director of Malwarebytes Labs, tells Information Security Media Group. "Trickbot will use various exploits and credential brute forcing functionality to push its way through the network of the organization. Once all systems are infected - or as many as the attacker wants - they may push the Ryuk ransomware."
Ryuk made headlines in late 2018 when a ransomware infection hit Chicago-based Tribune Publishing, leading to a disruption in printing all of its newspapers, as well as the distribution of west coast editions of The New York Times and The Wall Street Journal (see: 11 Takeaways: Targeted Ryuk Attacks Pummel Businesses).
Although security researchers have studied Ryuk over the past several months, it's not clear who is behind the malware or if there is more than one group deploying these attacks, according to analysis by McAfee and other firms.
After receiving a ransom note late last week, the Lake City mayor and city council, working with the city’s insurance company, decided it was easier and more cost-effective to pay off the attackers rather than continue recovery efforts, according to WCJB.
Following a negotiation, the insurance company and the attackers agreed to a 42 bitcoin ransom payment, WCJB reports. The city received a decryption key earlier this week, which the IT department is using to restore all systems and files.
Kujawa speculates that the city’s IT department lacked proper backup and recovery plans to help it overcome the ransomware attack. While paying is sometimes easier in such cases, Kujawa suggests that local communities need to consider all options before negotiating with cybercriminals.
"Paying the full ransom seems foolish, and most cybercriminals are willing to work with victims to negotiate some payment for certain files or systems to be unlocked or decrypted," Kujawa says. "This is why accepting the ransom at face value is something the victim should only consider after they have done an inventory of the damage done and finding out if the attacker will negotiate for a lower ransom."