Date: 2019-08-03
In the space of about a month recently, three Florida cities were targeted in “ransomware” attacks in which their networks were taken over by hackers demanding to be paid to release them.
Riviera Beach ($600,000) and Lake City ($460,000) elected to pay the hackers in order to regain control of their records and systems. Key Biscayne approved spending up to $30,000 to try to restore its network rather than pay the ransom.
Christophe St. Luce, Venice’s director of Information Technology, is the person in charge of trying to keep the city from becoming the next municipal cyber-“kidnapping” victim.
So far, so good.
He said the city hasn’t been targeted in the year that he’s been here. He has been through an attack, however. It happened in Hollywood, Florida, on his first day as manager of the city’s help desk in 2012.
Someone in the Parks & Recreation Department called in complaining about not being able to access some records. Then more calls came in.
Help desk personnel were dispatched and they quickly identified and isolated two computers as the source of the “malware” behind a ransom demand that would go unpaid.
The city was able to use backed-up files to restore the ones that were hacked and the hard drives of the affected computers were destroyed.
“We were able to stop it before it spread too far,” St. Luce said.
Cybercrime evolves
Not long ago, he said, hacking mostly involved attempts to access computers to spread viruses, acquire personal information or just steal. The city of Naples on Thursday confirmed the theft of $700,000 from a road construction account.
Then at some point it occurred to hackers that if they could hold a system hostage, the owner might be willing to pay to get it released, balancing the ransom amount demanded against the time and money involved in finding a different solution.
The FBI advises against paying ransom, St. Luce said, and the U.S. Conference of Mayors just adopted a resolution opposing it, to “deincentivize” such attacks. But sometimes it’s the practical answer.
Atlanta was hit with a ransomware attack in 2018 in which the demand was about $50,000 in bitcoin, whose value fluctuates constantly but which is untraceable.
Officials rejected the demand and muddled through a recovery process, ultimately spending as much as $17 million, according to reports.
Riviera Beach spent an additional $900,000 to bring in a consultant and upgrade its network after paying the ransom demand, according to news reports.
And there’s always the risk that the hackers won’t be “honorable” and follow through on their promise to provide the decryption key after getting paid. Hacking can occur from almost anywhere in the world, with the prospect of huge profits and little risk of getting caught.
The hackers behind the GandCrab ransomware program enabled their “clients” to extort about $2 billion from victims, taking a commission estimated at $2.5 million per week, ZDNet.com reported.
Eighteen months into the enterprise they retired.
Even if the hackers hold up their end of the bargain, damage may already have been done. The malware in Lake City, St. Luce said, had been in the system for about a year “wiping” — deleting — files before taking over the system.
Many ways in
Ransomware hackers get into a system in a variety of ways, often with unwitting assistance.
Often it’s by an email with an attachment that will launch a program that encodes the system and leaves a ransom “note” demanding payment to provide the “decryption” key to unlock it. Fail to pay by the deadline and the key will be destroyed.
NoMoreRansom.org shares known decryption keys but it’s basically impossible to crack a new one. St. Luce said a key is typically 256 bits long and each bit could have up to 256 characters in it.
But the system might be attacked in another way, such as by leaving a flash drive in a public place. Someone picks it up, plugs it in to identify the owner and it launches.
Or there could be a breach resulting from “vishing” — a call to IT from someone claiming to have lost or forgotten their log-in information. Old-fashioned “phishing” — an email blast trying to get a response from which entry can be gained — is still employed too.
Send enough people an email and “somebody’s going to bite on it,” he said.
Lines of defense
Florida’s public records law is so broad, St. Luce said, that it’s easy to obtain contact information for a city’s entire staff, from which to start an attack.
Therefore, making employees aware of the risks is a major part of protecting the city’s system, he said.
They’re trained to be on the alert for signs that an email might not be legit, such as extremely long links or spelling and grammar errors. If they have any questions about one, he tells them, “send it to me.”
All employees have “strong” passwords of eight to 12 characters, mixing upper- and lowercase letters, numbers and symbols, and they’re changed frequently. Sharing them or using a city computer for personal business is prohibited and there are penalties for doing it.
Software is constantly updated and antivirus and anti-malware programs are in place. The system is regularly backed up and files stored in several secure locations.
St. Luce is working on a cyber incident response plan, one of the recommendations of the federal government and information technology associations.
None of that, however, is a guarantee that Venice will never be in the crosshairs of a cyber criminal.
“I don’t see this ever stopping,” he said. “It’s an unfortunate fact of life now.”
