Here is a rare ransomware case with a happy ending. The city of New Bedford, Mass. was hit with a ransomware attack the night of July 4th. The hackers demanded 5.3 million in bitcoin to release the encrypted city data. The ransomware included in the attack was Ryuk. Ryuk has unique features where it can encrypt network drives, as well as delete shadow copies on the endpoint, resulting in the disabling of the Windows System Restore feature.
City officials lucked out that the attack occurred during a holiday and only 4% of systems were deemed compromised. They decided to contact the hackers using a provided email address and negotiate for the decryption key by offering the city’s allocated insurance payment of $400,000. The negotiation tactic worked: it stalled the payment demands by the hackers, and city officials were able to restore a good portion of data using external backups.
The city exercised its business continuity or disaster recovery plan and was able to restore the compromised data and operations quickly.
https://www.npr.org/2019/09/06/758399814/town-avoids-paying-massive-5-million-ransom-in-cyberattack
I heard about a similar result in a ransomware attack on a small town’s local government offices. They basically contacted the attacker and said they couldn’t pay the full amount and essentially counter-offered with way less. The attacker agreed and released their files. I would be curious to know the numbers on how often organizations actually pay up on these kinds of attacks.
It was a great choice that Mitchell didn’t pay the whole 5.3 million the hackers demanded. It is important to implement and manage an incident response plan. In this case, some data could be recovered to save time, and Mitchell decided to transfer risk by using insurance proceeds. From this cyber attack, city officials should review how the ransomware occurred to establish lessons learned that get applied to future serious incidents.
Yes, I agree that they made a great choice by not paying the ransom and trusting their system capability to recover from the attack, kudos to the team. Paying hackers should never be your first, second or third option.
However, on the other hand, let’s say the city failed to recover their data just like the city of Baltimore. They never paid the ransom of $100,000 in bitcoin as requested by the hackers, hence they suffered a heavy loss of $16m in less than 20 days because city operations like parking booths were paralyzed and they receive payments and collect taxes.
Personally, when I look at the loss vs. no pay, I would take the painful decision to pay, then learn from my mistakes and fix the system, if the loss is far greater than the ransom.