A city in the state of Alabama has confirmed it will pay hackers USD $290,000 (AUD $420,000) after a successful ransomware attack encrypted sensitive data and shut down the city’s official email system.
News of the ransomware attack against the city of Florence, Alabama first emerged last week, with the mayor, Steve Holt, saying that he had launched an investigation into the cause and scope of the attack.
“So far, we can’t tell that anything has been breached… there hasn’t been anybody asking for ransom money,” Holt said.
Now, however, city officials have said that they will pay the cybercriminals responsible for encrypting their data.
The original ransom demanded by the hackers was 38 Bitcoin, which converts to around USD $378,000. The hackers warned they would begin publishing and selling sensitive data stolen from the city of Florence’s network if the city refused to pay.
The ransom figure was later revised down to 30 Bitcoin, or around USD $291,000, and this is reportedly what the city of Florence will be paying to the cybercriminals in order to regain access to its data.
Mayor Holt has said publicly that the city will indeed pay, in spite of the risk that the cybercriminals either refuse to hand over a working decryption key or only restore part of the data. It is not yet known exactly what data the hackers were able to access and encrypt.
What is a ransomware attack?
Ransomware is malicious software (malware) that encrypts the data it finds on a system or network and withholds the decryption key until a ransom is paid, usually in a cryptocurrency such as Bitcoin or Ethereum. Until the attackers hand over the key, the owner cannot read the encrypted files, so organisations and individuals are locked out of their own data. In attacks like this one the criminals also copy data out of the network before encrypting it, so that they can threaten to publish or sell it if the ransom is not paid; restoring from backup defeats the encryption but not that second threat.
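To make the mechanics concrete, the following is an added toy model of the encryption step and of the simplest defender-side check for it. It is illustration code written for this page, not the DoppelPaymer malware or anything from the city of Florence; the sample "city files", the LOCKED! header, and the 7.2-bit entropy threshold are all constructed assumptions, and the stream cipher (HMAC-SHA256 in counter mode) stands in for the AES-CTR a real family would use. It deliberately omits the asymmetric key wrapping real ransomware performs, which is what keeps the per-victim key out of the victim's reach.

```python
"""Toy ransomware lifecycle: per-victim key, file encryption, and an
entropy check a defender can run. Illustration only; NOT secure crypto,
NOT any real malware family's code."""
import hashlib
import hmac
import math
import os
from collections import Counter

# Hypothetical file header, in the spirit of the extension/marker real
# families prepend or append to encrypted files (assumption, not DoppelPaymer's).
MAGIC = b"LOCKED!\x00"
NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)
    blocks. XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def encrypt_file(plaintext: bytes, victim_key: bytes) -> bytes:
    """What the malware does to each file: fresh nonce, keyed keystream."""
    nonce = os.urandom(NONCE_LEN)
    return MAGIC + nonce + keystream_xor(victim_key, nonce, plaintext)


def decrypt_file(blob: bytes, key: bytes) -> bytes:
    """What the 'decryptor' sold to the victim does; useless without the key."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a LOCKED! blob")
    nonce = blob[len(MAGIC):len(MAGIC) + NONCE_LEN]
    return keystream_xor(key, nonce, blob[len(MAGIC) + NONCE_LEN:])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.2) -> bool:
    """Crude defender check: a document that suddenly reads as near-random
    bytes has very likely been encrypted. Threshold is an assumption."""
    return shannon_entropy(data) >= threshold


def simulate() -> dict:
    """Run the lifecycle over constructed sample files and report what a
    defender and a victim would observe."""
    # Constructed sample data, not real city records.
    files = {
        "payroll.csv": b"employee,dept,salary\n"
                       + b"jdoe,public works,41000\n" * 100,
        "council_minutes.txt": b"Minutes of the regular meeting. " * 120,
    }
    # The attacker generates the per-victim key and keeps it; the victim's
    # machine never retains a copy (real families wrap it with an attacker
    # public key, omitted here).
    victim_key = os.urandom(32)
    locked = {name: encrypt_file(data, victim_key) for name, data in files.items()}
    wrong_key = os.urandom(32)  # what the victim has without paying: nothing useful
    body = lambda blob: blob[len(MAGIC) + NONCE_LEN:]
    return {
        "flagged_before": sorted(n for n, d in files.items() if looks_encrypted(d)),
        "flagged_after": sorted(n for n, d in locked.items() if looks_encrypted(body(d))),
        "recovered_with_key": all(decrypt_file(locked[n], victim_key) == files[n]
                                  for n in files),
        "recovered_with_wrong_key": any(decrypt_file(locked[n], wrong_key) == files[n]
                                        for n in files),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The point of the entropy check is timing: a monitor that flags a burst of high-entropy rewrites across a file share can alert while the encryption is still in progress, which is far more useful than confirming afterwards that the files are gone. It is a blunt instrument (compressed archives and media files are also high entropy), so production tooling pairs it with canary files and rate-of-change rules rather than relying on the number alone.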
“Do they have our stuff? We don’t know, but that’s the roll of the dice,” Mayor Holt told KrebsOnSecurity, adding that it’s likely the city’s network was compromised via a successful social engineering and phishing campaign.
The mayor told KrebsOnSecurity that the city was hit by a ransomware attack from the DoppelPaymer cyber-gang, which, within an hour of hitting the city of Florence, was able to hit another four unnamed victims.
Hold Security tipped off Brian Krebs that Florence’s network appeared to have been compromised by an outside attacker, most likely as part of a ransomware attack.
Hold Security says that it identified that a Windows 10 system on the city’s IT network had been compromised by a malicious third party on May 6. Ironically, that system likely belonged to the city’s manager of information systems and security.
The city of Florence said it was quick to isolate the computer from the rest of the network and to disable the compromised Windows account, but ultimately these actions weren’t enough, and the wider network was still compromised.
Fabian Wosar, Emsisoft’s chief technology officer, has told KrebsOnSecurity that “there is a misguided belief that if you were compromised you can get away with anything but a complete rebuild of the affected networks and infrastructure.”
Wosar says that attackers often lurk within an organisation’s network even while it is restoring systems from backup. “They often even demonstrate that they still ‘own’ the network by publishing screenshots of messages talking about the incident,” he added.
Alex Holden, founder of Hold Security added that “we often get glimpses of the bad guys beginning their assaults against computer networks and we do our best to let the victims know about the attack. Since we can’t see every aspect of the attack, we advise victims to conduct a full investigation of the events, based on the evidence collected.”
“But when we deal with sensitive situations like ransomware, timing and precision are critical. If the victim will listen and seek out expert opinions, they have a great chance of successfully stopping the breach before it turns into ransom,” he said.