In the latest development in the Texas ransomware attack, which has seen over 20 different local government entities targeted, hackers are now demanding an eye-watering $2.5m.
This ransom covers the attacks on all the impacted government agencies, which the Department of Information Resources (DIR) has now confirmed total 22, a revision from its previous number of 23.
However, even with so many affected, this amount represents a significant step up from previous ransomware attacks on local governments. In May, for example, the US city of Baltimore was asked to pay $100,000 to restore its local government servers, while Lake City, Florida, paid $500,000 in a similar attack in June.
The reason for this escalation, according to cybersecurity experts, is that many governments are opting to pay. Their advice to the Texas government is not to do so.
“As long as we as a society continue paying ransoms, these attacks will continue,” warned Cody Brocious, head of hacker education at HackerOne.
“Giving in to these criminals is acting against the public good, which just ends up protecting organisations from the consequences of not taking their data seriously.”
Why the ransomware demand is so high
Over the past year, ransomware attacks on local governments, particularly in the US, have increased significantly in frequency. This is because hackers increasingly see them as a financially sound choice: relatively easy to target, and with the potential for a significant payout.
“US government bodies have recently been a major target for ransomware attackers as they have been seeing huge payouts from their attacks, with numerous governments giving in to attacker demands and reportedly paying ransoms,” explained Robert Ramsden Board, VP EMEA at Securonix.
“It is therefore not surprising the attackers in this incident are demanding such a huge amount of money – if it worked with previous government agencies, why should it work again?”
Texas ransomware latest: Will the government pay?
The DIR has not indicated whether or not the ransom will ultimately be paid, and has warned that it cannot provide additional details about the attack due to an ongoing federal investigation into the attacker – who is thought to be working alone.
However, it has said that over a quarter of the departments impacted have now moved to the recovery stage of dealing with the attack, indicating that in some cases it may not be necessary to pay the ransom in order to resume normal operations.
That said, not all of the local government organisations impacted have been affected to the same extent. The City of Borger, one of just two departments that have opted to make their own public statement on the Texas ransomware attack, has confirmed that normal city business and financial operations have been impacted. The city cannot take utility or other payments, and birth and death certificates are currently inaccessible.
The cost of restoring such services can be high. The 2018 Atlanta attack ultimately cost the city over $10m to recover from, after its government opted not to pay the $51,000 ransom.
While recovery from the Texas ransomware attack is unlikely to be quite so expensive, this could still prove to be a key concern in deciding whether to pay the latest demand.
Protecting against ransomware attacks
With so many attacks on local governments, the advice for other local governments is to beef up security now – before a ransomware incident happens.
“Maintain regular (offline!) backups, keep your systems up to date and don’t pay ransoms if you do happen to get hit,” said Brocious.
“At this point, it’s akin to choosing not to get the flu shot; sure, if you’re healthy then you’re not likely to die from the flu, but you may transmit it to someone who will.”
“It generally is never recommended to pay ransom demands as this only fuels the industry. Instead the best defence against ransomware is a comprehensive security program that protects against known threats and malicious intent or behaviour,” added Ramsden Board.
“Companies and governments have an obligation to protect themselves and their citizens or customers from ransomware attackers. Protecting data assets should now be considered a key component of national defence.”