Three weeks ago the City of Riviera Beach agreed to pay hackers a $600,000 ransom to free the records they had encrypted when they took over the city's computer system. The incident is just coming to light outside the county, "probably because it's still part of a federal investigation," a city employee told Sunshine State News.
The Riviera Beach City Council voted unanimously to give in to the cyber-criminals’ demands. After the incident the council voted to spend almost $1 million on new computers and hardware. That was on top of paying the $600,000 ransom. Not a painless decision for a city with a budget deficit and residents’ per capita income of $23,685 in 2016.
The incident is a reminder that smaller municipalities without the means to invest heavily in new technology and the expertise to stay on top of it are a growing problem Florida must tackle, perhaps as a priority during the next legislative session.
It gets worse: The email system had been disabled, employees and vendors were being paid by check and 911 dispatchers weren’t able to enter calls into the computer, reports Forbes magazine in a story Thursday.
A local information technology expert told TV station WPBF that the city really had no choice but to pay up after an employee clicked on a malware-infected email that allowed the cyberattack to cripple the city’s computer system.
"Not just for the city of Riviera Beach (population 34,093), that is a case study locally of an international pandemic," said Joseph Russo. Russo is the executive director of the Palm Beach Tech Association, WPBF reports. "Coming up with a virus to do that is very difficult. Coming up with a tactic to get it in that person’s email is very simple."
The hackers demanded the ransom be paid in bitcoin currency, which Russo said is almost impossible to track. "There's no financial regulated system to track that," he said. "That's why these hackers use these crypto technologies because they can make millions of dollars and nobody would be able to track them."
Forbes claims the $600,000 is one of the largest known payouts, "but it’s not the biggest." The biggest would have been a South Korean web host who in 2017 agreed to pay the equivalent of $1 million when ransomware attacked more than 153 Linux servers the provider hosted. The hackers locked more than 3,400 websites.
The FBI would not provide a comment on the Riviera Beach attack, but agents confirmed that some 1,493 ransomware attacks were reported last year. Adding it all up, hackers pulled in a total of $3.6 million, or about $2,400 per attack. This latest Riviera Beach ransom will add considerably to the total.
Sen. Marco Rubio, R-Fla., admitted Thursday he was none too happy with the city's decision to pay the cyber-criminals. Paying the ransom only encourages criminals to perform more attacks, he said.
“My office is in contact with the local government, the FBI, and Department of Homeland Security ...” Rubio said. “That taxpayers had to pay nearly $600,000 in ransom to cyber-criminals is unacceptable. These attacks will only become more common unless we take action. Federal, state, and local governments must protect their networks, educate their workforces, and ensure best cyber practices to help prevent these types of cyber-attacks by criminals and potentially hostile foreign governments. I urge state and local governments to utilize the services provided by the Department of Homeland Security to help protect their networks.”
The council nevertheless said it had been working with outside security consultants, who recommended the ransom be paid. The payment will be covered by insurance.
The FBI in the U.S. and the National Cyber Security Centre in the United Kingdom advise against paying ransoms to hackers. In fact, Baltimore refused to pay hackers $76,000 after an attack last month.
The May 7 ransomware attack spurred the mid-Atlantic city of nearly 700,000 to spend $10 million on technology upgrades, the Baltimore Sun reported. It also cost the city $8.2 million in lost revenue.
Though Baltimore refused to pay, many firms and organizations have given in to cyber-criminals’ demands. They see it as the only way to release valuable data, especially if they don’t have backups of the relevant information.
The Palm Beach Post reminds us that the Palm Beach Supervisor of Elections Office was victimized during the last election, not by cyber-criminals but by its grossly outdated technology when elections workers were unable to promptly recount ballots after close races in the 2018 gubernatorial election. The timeliness failure cost just-re-elected Supervisor of Elections Susan Bucher her job.
In February the Palm Beach County Commission agreed to invest nearly $16 million in new voting equipment.
Reach Nancy Smith at email@example.com or at 228-282-2423. Twitter: @NancyLBSmith