Lake City, Florida paid out a bitcoin ransom worth $460,000 to hackers who disabled the city’s computer systems with sophisticated ransomware last month, hot on the heels of a $600,000 ransom paid out in similar circumstances by Riviera Beach, Florida just weeks later. Now, as flagged from local media reports by ZDnet on Monday, the city has fired its director of information technology.
According to WCJB, city manager “Joe Helfenberg confirmed that the director of information technology, Brian Hawkins, was fired” as a result of the attack, which hit servers, email networks, and phone lines. Helfenberg “estimates that the city should make a full recovery from the attack in about two weeks,” WCJB wrote.
Lake City officials described the incident as a “triple threat,” according to ZDnet, and it has since been determined that an employee downloaded an infected document they had received via email. That set off a chain of events involving three separate malware variants sometimes used in concert in cyber attacks. The initial document carried the Emotet trojan, which installed itself and subsequently downloaded another trojan called TrickBot and the Ryuk ransomware. Ryuk then spread throughout city systems, locking them down and demanding a ransom. Only the police and fire department systems were spared as they were on a different server, according to the New York Times.
The Times reported that after several days of working with the FBI and security consultants to resolve the issue, city officials reluctantly determined that it would be cheaper and more effective to simply pay off the hackers. (Security firm Emsisoft estimates that experts have only “successfully unscrambled Ryuk ransomware in 3 to 5 percent of cases,” the paper wrote.) Insurance covered all but $10,000 of the ransom.
The city deemed the employee in question to have left city networks vulnerable to attack, but he was not the individual who downloaded the malicious attachment, the Times added.
“Our city manager did make a
decision to terminate one employee, and he is revamping out whole IT
department to comply with what we need to be able to overcome what
happened this last week or so and that’s so it doesn’t happen again,”
Lake City Mayor Stephen Witt said, according to WCJB. He added that the decryption key provided by the hackers appears to be working.
Paying the hackers is controversial because it almost certainly encourages further attacks, whether or not officials believe they have little choice in the matter. Sometimes, as occurred to a similarly afflicted Kansas hospital in 2016 that chose to pay the ransom, the hackers will simply attempt to extort more payments from the target.
“First of all, that money is then used to proliferate this activity,” FBI cyber crimes supervisory special agent Joel DeCapua told security firm Symantec last year. “You’re paying these bad actors to target other people. Second, organizations that pay a ransom think their problems are over. But a lot of times there’s a lot of nasty malware left on their systems that they don’t know about. You can pay, but there’s still malware on there, re-infecting the system or stealing information.”
Ransomware attacks on municipal systems have recently made big headlines, with estimates of such incidents in the U.S. running into the hundreds. In early June, Baltimore officials recently estimated the cost of an attack using the RobbinHood ransomware that hit around 10,000 city computers at $18 million and counting. (They declined to pay the ransom.) Officials with Georgia’s Judicial Council and Administrative Office of the Courts confirmed their systems had been contaminated with ransomware on Monday in what Ars Technica reported appears to be another Ryuk attack.