The question is the same whether your daughter’s been kidnapped or, in Mecklenburg County’s case, its computer system is being held hostage: Should you pay ransom?
“There’s no way to answer that without knowing the rest of the question: What’s it worth?” said security expert Bruce Schneier, chief technology officer of global cyber-security firm IBM Resilient, which has U.S. headquarters in Cambridge, Mass.
“If it will cost the county $2 million to reconstruct the data and it can pay (ransom of) $1 million, that’s $1 million in savings.”
While paying hackers might seem to only incite more cyber-attacks, Schneier said institutions with poor IT security will be targeted again anyway. Ransomware is a bulk business, he said, normally based in areas outside the U.S. that are largely immune from law enforcement.
Hackers typically set ransom demands low enough that targets are more likely to pay up. Some hacking networks actually have help desks to facilitate ransom payments, he said.
“You’re going to pay anyway, either through increased security or through ransom,” he said. Hackers “are just playing the numbers. It costs them nothing to try.”
The WannaCry cyber-attacks that infected 200,000 computers in 150 countries in May demanded ransoms of only $300 worth of bitcoin. One digital security company estimated damages, reflecting the downtime for targeted organizations, at $1 billion. But a week later, the hackers had been paid only $116,000 in ransom.
Bill Chu, a professor in software information systems at UNC Charlotte, said Mecklenburg County faced a tough call on the ransom demand.
“Twenty-three thousand dollars is not a lot of money. Whatever you have to do to recover that data can easily run more than that, and the hackers obviously know that,” he said. “But if you give the $23,000, they may string you along to get you to pay more. There’s also the unavailability of services – what would that cost be?”
Chu said the attack on the county isn’t solely about IT security. Statistics show, for instance, that about 10 percent of email users fall for phishing scams as the county employee did. The episode, he said, is really about the county’s ability to recover data after disasters, whether a cyber-attack or a fire.
The journal Cities Today reported in February that the DHS-funded Multi-State Information Sharing and Analysis Center saw an 85 percent increase in total ransomware attacks on cities from 2015 to 2016 and a 295 percent increase from 2014 to 2016.
The journal quoted an expert who called municipal governments “soft targets” because many have only recently started spending money on information security, while others have not because of restricted budgets.
The computer security firm Symantec Corp. advises customers not to pay ransom.
“Just like a bully who tires of the keep-away game, you likely will get your files back if you pay. But you may not. Sensing a sucker on the hook, you might get asked to pay again and again.”