Security United States

Florida City Pays $600,000 To Ransomware Gang To Have Its Data Back (zdnet.com) 294

The city council for Riviera Beach, Florida, voted this week to pay more than $600,000 to a ransomware gang so city officials could recover data that was locked and encrypted more than three weeks ago. From a report: The city's decision, as reported by CBS News, came after officials came to the conclusion that there was no other way to recover the city's files. Access to Riviera City data has been locked since May 29, this year, when a Riviera Beach police department employee opened an email and unleashed ransomware on the city's network. The ransomware locked files and shut down all the city's services. Operations have been down ever since, with the exception of 911 services, which were able to continue to operate, although limited. The city's website, email server, billing system, and everything else has been down ever since, with all city communications being done in person, over the telephone, or via posters. The city has been having a hard time recovering from the incident ever since.
  • Bad idea... (Score:5, Insightful)

    by Anonymous Coward on Thursday June 20, 2019 @09:07AM (#58793330)

    That city just became a bigger target since they'll pay.

    • Re:Bad idea... (Score:5, Insightful)

      by forkfail ( 228161 ) on Thursday June 20, 2019 @09:55AM (#58793624)

      Have to agree.

      There is absolutely nothing that is going to stop the bad guys outside of significant penalty when apprehended, and this simply encourages them.

      These are folks willing to loose their ransomware on hospitals, to shut down utilities, basically, hold entire populations ransom. The term terrorism gets thrown a lot these days, but I'd say that this fully qualifies as monetarily motivated terrorism, and it ought to be treated as such.

      • Re:Bad idea... (Score:4, Insightful)

        by apoc.famine ( 621563 ) <apoc.famine@gm[ ].com ['ail' in gap]> on Thursday June 20, 2019 @10:16AM (#58793734) Journal

        There is absolutely nothing that is going to stop the bad guys outside of significant penalty when apprehended...

        Absolutely wrong.

        There's a pretty damn good way to stop the bad guys: Have their efforts fail to be rewarded. If they try and try and fail and fail, most people outside of those with a mental issue stop after a while.

        But I 100% agree with you on this encouraging them. And not just them, others who read the headline and go, "Holy shit, that actually works? I could do that!"

        • Re:Bad idea... (Score:5, Insightful)

          by forkfail ( 228161 ) on Thursday June 20, 2019 @10:28AM (#58793814)

          Oh, I am not arguing against a good defense.

          But no matter how deep the depth of your defense is, no matter how diligent, the good guys always have to get it right, the bad guys, only once.

          So, my point is that yes, they will get through once in a while. And when they do, track them down, and exercise maximum penalty under the law.

          This isn't disrupting some chat forum; this is impacting life critical systems, and disrupting untold people's lives out of simple greed. There ought, I think, to be a significant cost associated with someone attempting such blackmail.

          • PS: In no way am I arguing pay the ransom. Never pay the ransom. Thought that was understood; apologies for lack of clarity.

            • Re:Bad idea... (Score:4, Interesting)

              by kenh ( 9056 ) on Thursday June 20, 2019 @11:35AM (#58794212) Homepage Journal

              How's that working out in Baltimore? Their attack is on-going, we're at six weeks with no end in sight, costing taxpayers $18 million and counting [engadget.com].

              In principle, never pay ransom... but... at some point you cut your losses, don't you? I mean, in the case of Baltimore, the attackers asked for $80K [govtech.com], and after $18 million of expenses and losses, maybe paying the $80K would have been the prudent solution?

              • by chill ( 34294 )

                Considering Baltimore's IT security situation is so bad, once they paid, what's to stop the attackers from doing it again under another name? Or selling the info about Baltimore's weak spots for others to take a shot?

                Unless they're certain they're patched and protected, paying is just insane.

                And being in the situation in the first place is proof positive they don't have working backups.

              • Comment removed (Score:4, Insightful)

                by account_deleted ( 4530225 ) on Thursday June 20, 2019 @01:04PM (#58794972)
                Comment removed based on user account deletion
        • Re: (Score:2, Insightful)

          by Anonymous Coward

          There's a pretty damn good way to stop the bad guys: Have their efforts fail to be rewarded.

          One of the things I've noticed (maybe you don't, if you have someone else running your filters) is that after all these years, I'm still being sent email spam.

          It costs them almost nothing to do it; it's automated. But someone, somewhere, is buying the penis enlargers, paying masturbation-webcam-video ransoms, and looking for hot chicks in their area. You cannot stop this shit by having a policy of not rewarding the

      • There is absolutely nothing that is going to stop the bad guys outside of significant penalty when apprehended,

        Make the significant penalty death and these criminals will never hold anyone for ransom ever again.
        • by EvilSS ( 557649 )

          There is absolutely nothing that is going to stop the bad guys outside of significant penalty when apprehended, Make the significant penalty death and these criminals will never hold anyone for ransom ever again.

          Where has that ever actually worked?

      • Doesn't the blockchain record the ownership history of each bitcoin? I doubt that the city of Riviera Beach conducts many transactions in bitcoin. Surely these coins can forever be considered "tainted" and therefore subject to forfeiture.

        After the transaction, simply post a message saying that the coin was extorted illegally and will be recovered from whoever holds it as soon as a warrant and the technology becomes available to do so. That should make bitcoin users more wary of the provenance of their coins

    • Re:Bad idea... (Score:4, Insightful)

      by Anonymous Coward on Thursday June 20, 2019 @09:59AM (#58793644)

      Agreed.

      Also, why is Windows still being used in mission-critical deployments?
      Billy G. has always sold it as a gamer's operating system; it was never
      meant for this use-case. I mean, that's the real problem here, isn't it?

      CAP === 'ferments'

      • by EvilSS ( 557649 )

        I mean, that's the real problem here, isn't it?

        Not really, not in this case. Most ransomware doesn't need to exploit admin privileges or any sort of exploit to do its work. Just needs dumb users to be dumb users. Most use system encryption APIs just like many legit programs, and the user's access to shared documents (which most require for their job functions). And yes, Linux ransomware is a thing. It's not a bigger thing because it's not the usual desktop OS of choice. If it were, you would see more of it. It really comes down to user training and adm

    • by Cito ( 1725214 )

      If I work for a certain city hall, and would like a nice payday, send me the ransomware, I'll unleash it and steer officials to vote for paying ransom. Once paid I log in to my PayPal one day or check my bitcoin wallet and see a nice kickback.

      That's how I see this going.

      • by SirSlud ( 67381 )

        I don't know how stupid you have to be to think it's more likely that they personally compromised and rewarded somebody on staff both brave enough and dumb enough to think they wouldn't get caught deliberately infecting a workplace than simply wait for a dumb user (of which there are thousands upon thousands) to open a payload in an email sent to thousands of email addresses.

        Email attachments are an attack vector that amounts to thousands of open doors, only one of which needs to open, and doe

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday June 20, 2019 @09:09AM (#58793334)
    Comment removed based on user account deletion
    • by Just A Gigolo ( 5876130 ) on Thursday June 20, 2019 @09:11AM (#58793352)
      Apparently lots of Florida men on Florida City council.
    • by dargaud ( 518470 )
      Yes. They should have used that money for a bounty on the hackers' heads. It would work great for everyone in the end.
    • Where to start (Score:4, Insightful)

      by Pollux ( 102520 ) <speter@[ ]ata.net.eg ['ted' in gap]> on Thursday June 20, 2019 @10:47AM (#58793912) Journal

      Every single person involved in this decision should be bounced off the taxpayers' teat immediately.

      Then start with the mayor and the city council.

      Speaking as a public IT employee, if you want to see a difference in how tech is being managed, start with the political leaders. Because year after year, they keep telling their IT staff to do more, provide more, make it happen sooner, and do it without adequate funding. Furthermore, since budgets get constrained, they hire fresh-out-of-college staff who typically do not have the experience necessary to know how to plan, develop, and maintain data-redundant solutions. Even if they did, good luck getting management to approve it.

      Let's pretend that there was competent IT staff. And they went to management to request $600,000 for a data-redundant solution. What do you think the answer would be?

      On the other hand, I guarantee you that every large city has an emergency slush fund. Can't get work done, because your data is encrypted? Yea, there's a budget for that. Though, let's cross our fingers that Miami doesn't get hit by a hurricane this year, because that budget's now spent.

      Not happy about how these priorities are managed? Then speak up at your city council meeting [youtube.com].

    • by kenh ( 9056 )

      They are watching Baltimore still suffering after six weeks and $18 million in expenses and losses [govtech.com] to avoid paying $80K to the attackers, and decided they didn't have millions of dollars to indulge in their lofty "we don't negotiate with terrorists" principles.

    • Of course they should have had backups, or better security, or on and on... but this has to be the only part of society that we blame and go after the victims of crimes. Can you think of another crime that the majority react and find ways to tear apart the victim involved?
      • by EvilSS ( 557649 )

        Can you think of another crime that the majority react and find ways to tear apart the victim involved?

        Off the top of my head? Neo-nazis who get assaulted at rallies.

  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Thursday June 20, 2019 @09:13AM (#58793364)
    Comment removed based on user account deletion
  • Website? Email? (Score:5, Interesting)

    by Jaime2 ( 824950 ) on Thursday June 20, 2019 @09:16AM (#58793384)
    It's one thing for ransomware to lock up internal files that it makes sense for employees to directly access. But what level of incompetence does it take for an employee to have enough access for ransomware to shut down the email system?
    • by rsilvergun ( 571051 ) on Thursday June 20, 2019 @10:18AM (#58793740)
      I know some guys that work in municipal IT and despite what you might have heard it's not all fun and games. The work is steady, health benefits are good and you will get a retirement package. You'll make about 20% less than you would in the private sector though in exchange.

      There's also constant pressure to do more with less, a _lot_ less. Businesses will spend money to make money but gov't is viewed as either a sunk cost or a way to line your buddy's pockets. And let's not forget that last one. You're often given crap hardware and software because the mayor's brother in law or maybe the guy that funded his campaign sold it to you.

      One time a buddy got a shipment of 1000 NICs in. The NICs were cheap and sold by a local outfit with ties to one of the elected schoolboard members. Every single one had the same MAC address. That meant setting up hacks to use them (because you weren't gonna get anything else) and a ton of extra work. That kind of thing is all over muni IT....

      We could fix all this of course. End the corruption, properly fund departments, etc, etc. But nobody seems to want to do it...
      • by Solandri ( 704621 ) on Thursday June 20, 2019 @01:49PM (#58795310)
        The city's budgets and financial statements [rivierabch.com] are available online. The city's population [wikipedia.org] is 32,488. Its budget for FY2019 is $74,994,567, or $2308 per citizen. Their IT department has 10.5 employees with a personnel budget of $1,088,825, or an average of $103,697 per IT employee, which would put it above the US average [indeed.com]. Looking through their other department budgets, it's their fourth-highest paying per position (fire dept paid an average of $125k per employee, legal dept paid $139k, legislators were paid $189k). It was ramped up quickly from $80k/employee in 2017 to $94k in 2018.

        IT budget was 3.3% of the city's total budget, which is about the same as private industries [computereconomics.com]. Non-personnel funding was $1.3 million in 2019, which was ramped up quickly from $660k in 2017, and $1 million in 2018. 10.5 IT positions vs 578 total employees gives them a 1:55 ratio, which would put them around the 75th percentile [workforce.com] - low but not egregiously bad. This confirms that they were paying their IT staff higher than the industry average (average budget but higher salary = lower IT to employee ratio).

        This sounds more like outright incompetence and insufficient oversight, rather than lack of funding.
  • Piss poor infosec, followed by piss poor or non-existent backup policies. Followed by even worse internal protection on allowing machines to run rampant across the network and do whatever they want. Not even surprised anymore, it's going to take multiple serious issues to get people to do even the most basic precautionary measures.

    Poor backup policies are perhaps my least favorite to see in action, a friend of mine was dealing with the aftermath of the Slave Lake (Alberta) fire ~8 years ago. There was no offsite, no remote, no rotational backups. They lost a decade worth of data, everything from tax records to lien information to payroll. What was the kicker? Their IT service was farmed out to another company which was supposed to have set up a policy, and taught everyone what to do. Never happened, but when the city came knocking? They closed up shop and both owners fled out of the country. Even the radio station had a better backup policy and only lost 7 days worth of data.

  • It's 2019, for fuck's sake. Who doesn't take care of their backups?

    Let's hope these retards read slashdot; you deserve to be fired. You deserve to be held criminally liable for your incompetence. I hope you never work in this field again. That goes for the idiot IT workers who didn't give 2 shits about their backups AND everyone up the chain of command who was in charge of hiring and managing this crack team of morons.

  • Does Florida have 911 services? I thought they just took care of those things on their own by shooting whatever bothered them. Plenty of large carnivorous reptiles down there to take care of the results.
  • At a minimum, the Riviera Beach IT Manager should be fired.

    http://www.rivierabch.com/cont... [rivierabch.com]

  • by Pollux ( 102520 ) <speter@[ ]ata.net.eg ['ted' in gap]> on Thursday June 20, 2019 @09:29AM (#58793460) Journal

    Alright, so let's say I was a hacker, and I wanted to make some money. And I had a ransomware tool that I could deploy...nothing custom or fancy, just some run-of-the-mill cookie-cutter package I got for cheap off the dark web. Do I target a mega corporation, that likely pays for high-tier security experts to keep their data locked tight, a high-risk, high-reward gambit, or do I go after some public entity, someone with valuable data necessary to their daily operations, but lacking the security expertise to keep it properly protected, secured, and redundant?

    I'd go after the public sector, every time.

    In fact, I'd probably target a place that's recently hiring, someone more likely to have a bit of chaos in their system due to a transitional phase. And since the public sector advertises all openings publicly, all the easier to target. Sure, the payout may not be as big, but any payout is still a win in my book.

    Plus, $800K can buy me a lot better ransomware.

  • Shouldn't funding criminal organisations be illegal?
  • I highly question if after paying the ransom, this city will really get back what it has lost. Maybe partial recovery but even then I'm not sure if it will be delivered. All too easy to just run with the cash and not do anything else that might reveal who and where you are.

    • by Jaime2 ( 824950 )

      They'll probably get it back. It's hard to get the next $600,000 payday if you don't deliver on the previous one. Victims usually lose their data permanently when they get infected by ransomware whose infrastructure has either been abandoned or taken down by the authorities.

      Also, there is little for the criminals to gain by not delivering the unlock key. They will sometimes raise their demands, but they want payment to be seen as a sure-fire way to put this event behind them.

      • they can also stop payment or do a CC charge back

        • they can also stop payment or do a CC charge back

          Pretty sure the attackers are not taking the city's corporate Amex LOL!

          Aren't all of these ransomware guys taking Bitcoin? How do you "stop payment" on Bitcoin?

        • That's why I don't take credit cards for my ransoms. Too many people were doing chargebacks. I was having to charge credit card victims 8% extra (over and above cash victims) and then the credit card company said I couldn't do that because it gave their service "a conspicuous competitive disadvantage" so it was in violation of our crime agreement. Eventually I just had to fire them.

          If you don't have cash, I won't even provide decryption services anymore. You're just not worth the potential trouble. If you somehow manage to get my malware and install it, I'll just tell you here now: the passphrase is "password123$5" and please don't bother contacting me for support or payment because I can't deal with that shit anymore.

          Note, though, that if you do have cash, then it is a violation of the EULA (which, yes, you did agree to as part of the installation process) to use that passphrase without making payment. It's also a DMCA violation, as I inject some of my data, copyrighted by me, into the ciphertext, thus making the encryption be a technological measure which effectively limits access to a copyrighted work.

          Don't like my cash-only policy? Then be someone else's victim. For all I care, you can get your precious malware from the big malware suppliers instead of us mom'n'pops. They'll always take CCs. Just remember, though, that 8% of your payments are being skimmed, so the malware vendor has to raise their prices (on everyone, even cash victims!) to account for that. You'll get ripped off.

    • by kenh ( 9056 )

      If the terrorists don't restore the files, then their source of income dries up. There are two fundamental principles at work here; 1) keep ransom demands reasonable (like $80K in the case of Baltimore), and 2) Always restore the files. Ignore either, and you've killed the goose that lays the golden eggs.

  • to see if they actually get their data back.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday June 20, 2019 @10:01AM (#58793654)
    Comment removed based on user account deletion
    • Not if the guy in charge of maintaining the files on the cloud leaves everything public by default for 'easier' access. You always need competent people to handle complex problems...
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Not necessarily. There are a lot of deleted elastic, mongo and S3 buckets out there with ransom notes. They still have to try harder cloud or on-prem.

    • I'm not sure about Florida, but in Minnesota, we have MGDPA, or the Minnesota Government Data Privacy Act [mn.gov]. Any 3rd party managing government data MUST comply with its rules and regulations.

      So when I get on the phone with your run-of-the-mill cloud solutions sales rep, and ask him/her if their company complies with the MGDPA, the response is usually the same. "I'll get back to you on that." Most never do, though I did get one who said about two days later, "I just heard back from legal, and we can't."

      And

    • What if... local governments... outsource their IT... to the cloud?

      A lot of people are using M$ and the rest for messaging, etc, with things like O365.
      They do a decent job of stopping "bad" emails, like phishing with links/attachments, etc;
      They also give admins the ability to fine tune blacklists, etc;

      But I assume that a phishing email or somesuch showed up in a user's inbox and the link/attachment was activated, thus starting the problem.

      Cloud based messaging services are good but not a complete answer to this issue.

  • Backups (Score:4, Insightful)

    by fluffernutter ( 1411889 ) on Thursday June 20, 2019 @11:02AM (#58794000)
    Wow, how did this ransomware encrypt their OFFSITE TAPE BACKUPS?
    • "Wow, how did this ransomware encrypt their OFFSITE TAPE BACKUPS?"

      They all do that. It's of no use to encrypt their real data until you have thoroughly disrupted all their backups, only then do you reveal yourself and encrypt the live data.

      We finally got people to make backups but the morons never test any restore operations, so backups are useless when they are needed.

  • I personally don't understand how it is even legal to knowingly transfer large sums of cash to an illicit criminal enterprise.

    There should be federal law which makes these kinds of ransom payments illegal. Don't want to get owned and lose everything? At the very least back up your shit and don't keep backup media online. Backups don't cost 600k.

  • Paying the ransom may be the best strategy, but at least, keep it secret.
    Just say you paid $600k to some data recovery company.

    At least they are honest, but sending the message that crime pays is not a good idea. That's unless they can catch the criminals after, but I doubt it.

  • I have to say that this story absolutely terrifies me in just how ineptly their infrastructure is being managed.

    There is no way one infection should have been able to cause that kind of damage if their infrastructure had been configured properly. Properly segmenting your network and implementing reasonable permission management alone would have been enough to prevent this from happening. Throw in regular backups, anti-virus protection, etc, and the impact would have been minimal.

    They either have grossly i

  • I've recently interviewed with a few small city/county I.T. shops, they were funded for 2 to 8 positions.
    In general the head of I.T. wouldn't have been even a team leader in an average corporation, but they don't have the experience to know that.
    Most of what they are doing is help desk functions with little time or funding to do anything else.
    When I asked how they were doing backups, disaster recovery, trouble ticketing, the answers were little more than hand waving.
    The cities hire people that can swap out

  • by Dunbal ( 464142 ) *
    Pretty sure a regular backup service costs less than that. Nobody does backups anymore?
