An Alabama city is paying over a quarter of a million dollars to cyber-criminals to recover data encrypted in a ransomware attack.
Florence became a victim of the DoppelPaymer ransomware gang on June 5 in an attack that shut down the city's email system. The gang demanded 38 bitcoin, equivalent to USD $378,000, and threatened to publish or sell data stolen from Florence if the city didn't pay up.
A security firm hired by Florence in the wake of the attack was able to negotiate the ransom down to 30 bitcoin, worth around $291,000.
City mayor Steve Holt said that Florence had elected to pay the ransom despite not knowing for certain what data the cyber-criminals had stolen and encrypted.
“Do they have our stuff? We don’t know, but that’s the roll of the dice,” Holt said.
The mayor theorized that attackers gained access to the city's computer system via a phishing attack.
Holt told KrebsOnSecurity that the DoppelPaymer gang appeared to have compromised the networks of four further victims within an hour of striking Florence, including another municipality that he declined to name.
Krebs contacted Holt's office in late May after receiving a tip from Hold Security that Florence's information technology systems had been infiltrated by hackers who specialize in deploying ransomware.
The Wisconsin cybersecurity firm had discovered that a Windows 10 system in the city's IT infrastructure, seemingly linked to the city's manager of information systems, had been taken over by malicious actors on May 6.
Following the tip-off, the city took swift action to isolate the computer and the compromised Windows network account. Nevertheless, Florence was unable to fend off the ensuing cyber-attack.
Ransomware is a major problem in the United States. According to Mimecast’s 2020 State of Email Security report, released today, 32% of respondents in the public sector said that ransomware had impacted their operations in the last 12 months.
On average, public-sector victims reported experiencing 2 to 3 days of downtime as a result of being attacked with ransomware. For 9% of these victims, attack-induced downtime ended up lasting over a week.