ransomware in cities

NY proposes outlawing ransomware payments

Nothing encourages ransomware attacks like victims who pay up.

That's why two New York state senators introduced bills to ban local governments from using taxpayer money to pay ransoms. The two bills are similar: S7289 amends the general municipal law to prohibit paying ransoms to hackers, citing the Albany International Airport's payment to attackers that rendered the airport's computer systems inoperable. S7246 would additionally provide "financial assistance to villages, towns, and cities with a population of one million or less for the purpose of upgrading the cyber security of their local government."

Most people would agree with the senators. According to a recent survey by PandaSecurity, 86% of Americans do not believe their local government should pay the ransom on a ransomware attack and would rather see investments in preventative training and technologies.

However, cities that refuse to pay ransoms often face steep costs. Baltimore spent over $18 million to restore its systems, and Atlanta upwards of $17 million. The average cost to recover from ransomware is now over $84,000 across 16 days, according to a new report from Coveware, which also documented a rise in the number of attacks on public-sector organizations in the third quarter of last year.

And that's just the remediation costs. According to Gartner, downtime from unplanned disruptions can cost an organization as much as $540,000 per hour. The number of attacks and their associated costs are rising. In 2019 attacks on nearly 1,000 government agencies, educational establishments and health care providers added up to over $7.5 billion, according to the Emsisoft Malware Lab.

As if the recovery costs were not enough to pressure victims into paying ransoms, hackers have a new way to exert pressure. Beyond simply holding their data for ransom, some are also threatening to leak it onto the web -- an especially grim prospect for public sector organizations holding vast stores of citizens' personally identifiable information. In fact, attackers published 2GBs of data stolen from the City of Pensacola, Fla., online to prove they held vast stores of data and were serious about releasing it.

That makes paying even a few hundred thousand dollars ransom an attractive option for cash-strapped municipalities, even as the FBI warns victims not to pay because victims may not get the key to unlock their data and paying encourages and facilitates further criminal activity.

Several states are tackling ransomware from the statehouse. A bill in Maryland would make possessing ransomware with the intent of using it for malicious purposes a misdemeanor, carrying a penalty of up to 10 years imprisonment and/or a fine of up to $10,000. California, Connecticut, Michigan, Texas and Wyoming have similar laws on the books.

The U.S. Conference of Mayors, at its annual meeting in July 2019,  agreed that it's important to de-incentivize attackers, so they resolved that the conference "stands united against paying ransoms in the event of an IT security breach."

About the Author

Susan Miller is executive editor at GCN.

Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.

Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.

Connect with Susan at [email protected] or @sjaymiller.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.