When the city of New Bedford, Mass., was hit by a ransomware attack in July, with hackers demanding $5.3 million in bitcoin to release the city's data, town officials tried an old law enforcement tactic to deal with hostage-takers: open dialogue and stall for time.
New Bedford's computer network was attacked with Ryuk ransomware on the night of July 4, Mayor John Mitchell told reporters on Wednesday. Because the attack occurred over a holiday and most computers were shut off, the malware spread to just 4% of the city's more than 3,500 computers.
That was the first lucky break.
After IT personnel discovered the attack the next day, city officials contacted the anonymous hacker through an email address provided and were told to pay the ransom — one of the largest-ever known demands for such an attack — in exchange for a decryption key to unlock the city's data.
Mitchell said he was initially opposed to talking with the attacker, a position most cybersecurity experts recommend. Experts say paying the ransom can encourage hackers to launch other attacks or repeated strikes against a city that paid up.
But Mitchell changed his mind, offering the perpetrator $400,000, using insurance proceeds, because that was about how much other cities had paid in similar circumstances to get their files back. The city's insurance policy covers ransom payments, and Mitchell insisted it would not have come out of taxpayers' pockets.
"I concluded it would be irresponsible to simply dismiss, out of hand, the possibility of obtaining the decryption key," he said.
Even if negotiations were unsuccessful, it would "buy the city time" to strengthen security ahead of another attack and to figure out whether engineers could restore the data without a decryption key, Mitchell said.
The plan worked. While officials were talking to the attacker, the city's IT personnel were able to restore a large portion of the data via backup systems.
Since then, city officials have made "tremendous progress" in using backup servers to recover or reconstruct the rest of the data, the mayor said. The city is also implementing new security software and new protocols.
"Cybersecurity experts were able to remind us that every computer network, however hardened, is always just one keyboard click away from allowing malicious code to slip past its defenses," Mitchell said at the news conference.
New Bedford is just the latest municipality to be hit in a string of recent ransomware attacks this year. More than 40 cities and towns have fallen victim to ransomware, including 22 in Texas alone, The New York Times reported. While the government computer systems of Atlanta and Baltimore were infected with these viruses, most of this year's attacks have targeted smaller cities, according to the IT security firm Barracuda.
Ransomware often spreads through phishing emails that contain harmful attachments or through drive-by downloading, which is when a user visits a malicious website by accident and software is downloaded without the user's knowledge.
The question of whether to pay or not to pay has overwhelmed cities hit by ransom viruses, especially towns with smaller budgets. When a similar attack hit Lake City, Fla. — a town of only 12,000 residents — officials paid up because their backup servers were compromised. In that case, the ransom was $460,000 and only $10,000 came out of taxpayer funds.
"I really had no other choice," Lake City, Fla., City Manager Joe Helfenberger told Here & Now. "We were told by the vendors that with this type of attack, nobody had ever successfully decoded this military-level encryption."
As NPR previously reported, a study by the research firm Recorded Future found that only 17% of municipalities affected by ransomware attacks actually paid the perpetrators.