The small Florida city of Riviera Beach quietly agreed this week to pay hackers more than half a million dollars in ransom in the hopes of regaining access to an enormous amount of data blocked since May.
The ransomware attack, which began May 29, paralyzed the city’s computer systems. City officials and members of staff were left without access to email and, in some cases, phone service. Water utility pump stations went offline and the city was only able to accept utility payments in person or via snail mail.
“Paychecks that were supposed to be direct-deposited to employee bank accounts instead had to be hand-printed by finance department staffers working overtime,” the Palm Beach Post reported of the attack’s effects. “Police searched their closets to find paper tickets for issuing traffic citations.”
The Riviera Beach City Council voted unanimously Monday to authorize its insurance carrier to pay 65 Bitcoin, worth about $590,000, to the hackers responsible for the cyberattack. The city hopes the hackers will now unlock the data that’s been encrypted — but as The New York Times noted, there’s no guarantee that the ransom payment will ensure a complete return.
“It’s a risk,” city council chairwoman KaShamba Miller-Anderson conceded to the Post.
The chairwoman added that she was flabbergasted at how debilitating the attack was.
“This whole thing is so new to me and so foreign and it’s almost where I can’t even believe that this happens but I’m learning that it’s not as uncommon as we would think it is,” she said. “Every day I’m learning how this even operates, because it just sounds so far-fetched to me.”
The city of 35,000 said Wednesday that it had managed to get some of its systems partially back online.
“We are well on our way to restoring the city system,” a Riviera Beach spokeswoman told the New York Times.
Ransomware attacks have become not just increasingly common but more sophisticated too.
As the Post noted, more than 50 cities in states across the U.S. have been crippled by ransomware attacks over the past two years.
“The complexity and severity of these ransomware attacks just continues to increase,” Jason Rebholz, a cyber security expert, told the Times. “The sophistication of these threat actors is increasing faster than many organizations and cities are able to keep pace with.”
Paying ransoms to hackers can be embarrassing for cities, as well as ethically and legally questionable (the FBI explicitly says it “doesn’t support” the practice), but cities like Atlanta, Georgia, and Baltimore, Maryland, have learned the hard way that paying off ransoms can be far cheaper than dealing with the fallout of cyberattacks.
Atlanta spent almost $3 million recovering from a ransomware attack last year. The ransom amount? $52,000.
Baltimore refused to pay the $100,000 ransom demanded by hackers in May. It’s expected to cost the city some $18 million to bounce back.
The FBI, Secret Service and Department of Homeland Security are reportedly investigating the ransomware attack on Riviera Beach.
Officials say they believe the attack began after someone in the police department opened an infected email.