City of Atlanta Ransomware Attack Showcases Ethical Problem in Whether to Pay a Ransom or Not

(Kevin Townsend – SecurityWeek) Over the course of the last week, it has become apparent that the City of Atlanta, Georgia, has paid out nearly $3 million dollars in contracts to help its recovery from a ransomware attack on March 22, 2018 — which (at the time of writing) is still without resolution.

Precise details on the Atlanta contracts are confused and confusing — but two consistent elements are that SecureWorks is being paid $650,000 for emergency incident response services, and Ernst & Young is being paid $600,000 for advisory services for cyber incident response. The total for all the contracts appears to total roughly $2.7 million. The eventual cost will likely be more, since it doesn’t include lost staff productivity nor the billings of a law firm reportedly charging Atlanta $485 per hour for partners, and $300 per hour for associates. The ransom demand was for around $51,000.

The ransomware used in the attack was SamSam. In February this year, SecureWorks published a report on SamSam and attributes it to a group it knows as Gold Lowell. Gold Lowell is unusual in its ransomware attacks since it typically compromises its victim networks in advance of encrypting any files.

SecureWorks makes two specific points about Gold Lowell that might be pertinent to the Atlanta incident. Firstly, “In some cases where the victim paid the initial ransom, GOLD LOWELL revised the demand, significantly increasing the cost to decrypt the organization’s files in an apparent attempt to capitalize on a victim’s willingness to pay a ransom.” Atlanta officials have always declined to comment on whether they paid, or attempted to pay, the ransom

Secondly, “GOLD LOWELL is motivated by financial gain, and there is no evidence of the threat actors using network access for espionage or data theft.” Atlanta officials were quick to claim that no personal data was lost in the attack.

Also worth considering is the SamSam attack on Hancock Health reported in January this year. Hancock chose to pay a ransom of around $55,000, and recovered its systems within a few days. It later admitted that it would not have been able to recover from backups since the attackers — which sound like the Gold Lowell group — had previously compromised them.

The extended dwell time by the Gold Lowell group prior to encrypting files and making a ransom demand would explain the extreme difficulty that Atlanta is experiencing in trying to recover from the attack. The Hancock incident suggests that rapid payment might have resulted in file recovery, but SecureWorks also suggests it might have led to a further demand.

There are also indications that Gold Lowell’s dwell time could have been extensive and effective. According to WSB-TV, Atlanta officials had been warned months in advance that at least one server was infected with malware, and that in February it contacted a blacklisted IP address associated with known ransomware attacks. Whether the incidents are directly connected will only come out with forensic analysis.

However, the few facts that are known raises a very complex ethical issue. Atlanta seems to have chosen to pay nearly $3 million of taxpayer money rather than just $51,000, possibly on a point of principle. That principle is supported by law enforcement agencies around the world who advise that ransoms should not be paid. In this case, the sheer disparity between the cost of the ransom and the ransomware restitution (more than 50-to-1 and growing), all of which must be paid with someone else’s money, makes it reasonable to question the decision.

There is no simple answer. Atlanta does, however, get almost unequivocal support from the CISO of another U.S. city, who spoke to SecurityWeek requesting anonymity. “Unless paying the ransom provided details of how they were breached, what would it really get them?” he asked. “Firstly, they don’t know if they would actually get the decrypt keys; secondly, they don’t know if they would simply get hit again; and thirdly, it would only encourage more of the same kind of action.

“By bringing in emergency support,” he continued, “they probably now have a much better picture of their security posture, most likely have cleaned up a number of issues, and are now on track to pay more attention to this business risk.” His only criticism is that the money should have been spent to prevent ransomware rather than to recover from it. “The real lesson,” he said, “is for probably 10-20% of the cost of the emergency support they could have brought in the same people to help with the same issues prior to the incident. Would that guarantee it would not happen? No — but it would improve the odds greatly, would limit the damage done, and improve recovery efforts if it happened.”

Ilia Kolochenko, CEO of web security company High-Tech Bridge, has a different view. “The ethical dilemma whether to pay or not to pay a ransom becomes very complicated today. This incident is a very colorful, albeit sad, example that refusing to pay a ransom may be economically impractical and detrimental for the victims.”

He agrees that Atlanta should have been better prepared. “Taking into consideration the scope and the disastrous consequences of this incident, one may reasonably suggest that Atlanta has a lot of space for improvement in cybersecurity and incident response. Spending 50 times more money to remediate the consequences of the attack, instead of investing the same money into prevention of further incidents, is at least questionable.”

But he disagrees with one of the primary arguments of those who advocate not paying. “Refusing to pay a ransom is unlikely to demotivate cybercriminals from conducting further attacks, as they will always find someone else to pay.”

In the final analysis, he believes that each case needs to be decided on its own merits, but adds, “In some cases, paying a ransom is the best scenario for a company and its economic interests. Otherwise, you risk spending a lot of valuable resources with no substantial outcome.”