Atlanta city officials are not saying whether they were strong-armed into paying the $51,000 ransom to hackers holding many of the municipality's online services hostage, but they did announce progress in restoring networks on Thursday.
Police officers are once again able to file reports electronically and some investigative databases thought to have been corrupted by the ransomware attack have turned out to be unscathed, the city says. The city's 311 system — which deals with things such as trash pickup and reporting of potholes — is also back in operation.
As a precaution, however, law enforcement is still not using some of its databases and the city's water department can't take any form of payment. Plus, the municipal court continues to push off its caseload, indefinitely.
Atlanta is just the latest target in a long list of victims whose vulnerable cybersecurity has fallen prey to online predators.
The FBI says ransomware attacks have been on the rise for the past three years, particularly against organizations that serve the public. That includes hospitals, school districts, state and local governments and even law enforcement.
Spike in ransomware attacks
In 2016, the agency received 2,673 complaints of extortion through the malware with losses of over $2.4 million. Last year, the number of reports increased to about 3,000, with losses remaining at about the same level.
Data compiled by BitSight, a cybersecurity ratings company, is even more staggering. A 2016 report analyzing government, health care, finance, retail, education and utilities concluded that education institutions are most likely to be on the receiving end of a ransomware attack. They are three times as likely to get hit as are the health care sector and more than 10 times as likely as financial institutions.
Also according to the study, government entities, from local to federal agencies, have the second-lowest security rating and the second-highest rate of ransomware attacks.
If Atlanta has not capitulated to the hijackers' demands, then it's following the FBI's don't-pay-the-blackmailers policy.
"Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity," FBI Cyber Division Assistant Director James Trainor wrote in a 2016 report on rising ransomware attacks.
Additionally, "[It] doesn't guarantee an organization that it will get its data back— we've seen cases where organizations never got a decryption key after having paid the ransom," Trainor said.
It's also a bad idea to fork over any amount of cash, he said, because it could "inadvertently be funding other illicit activity associated with criminals.
BitSight Chief Technology Officer Stephen Boyer tells NPR that there is no one way to handle these types of extortion efforts.
"It really depends on the intent," he explains.
Some hacks can be cloaked to look like a straightforward ransomware attack, but in reality they are what are called "wiperware," meaning they are purely destructive in nature.
"Last year we saw some attacks where it was cloaked to look like a ransomware attack but when researchers finally understood what the script was doing, it wasn't ever possible to recover the files," he says.
But if the attacker is truly intent on extorting money, "There's actually some honor amongst thieves," he says, laughing.
The reason: "They need to show and demonstrate a track record of decrypting files, otherwise no one will pay."
In Boyer's experience, most of these criminal entrepreneurs go as far as establishing customer support groups to help their victims pay on time. They provide technical help in transferring funds into bitcoin and in some cases, even testing out sample decryption keys.
In the long run, it is in the hackers' best interest to establish a good reputation with the public at large. "Because if word gets out that they never decrypt files, no one will ever pay and they'll never make money," Boyer says.
Despite the FBI's advice, there is no consistency in the way cities, schools and hospitals have responded to hackers' demands. Outcomes are equally variable.
A school district refuses to pay
Big Fork Schools, a Montana district with about 900 students, has been under siege twice since 2016.
The first time it was hit with a ransomware attack that disabled the administration's computer system. The district was given 48 hours to respond or risk having its data wiped clean.
Superintendent Matt Jensen remembers it as a terrifying day.
Still, he tells NPR, "We didn't even entertain the notion of negotiating with them."
It was a matter of principle, economics and luck.
IT administrators had backed up the entire system just two weeks prior to the strike, so even in a worst-case scenario it wouldn't be losing very much data.
Perhaps factoring the size and budget of the school district or maybe owing to sheer ignorance, the hackers only demanded $2,000 to $4,000, Jensen recalls. Therefore, if the district decided to ignore the blackmailers and go back to the 2-week-old version of the systems, Jensen calculated that would cost about $8,000. It was worth it.
"We just decided we would pay more to not support a terrorist organization," he says.
In the end, the district's primary data remained inaccessible for over a week and it took about two months to backfill what was lost. But on the bright side, the recovery operation came in under budget.
The second attack happened last fall. Jensen was glad to report that none of the district's systems were comprised.
"The 2016 attack was a blessing in disguise," he says, because in the interim between attacks, the district had invested lots of time and money in beefing up online security.
The school district was lucky. "Unfortunately, lots of schools do not have the budget to support IT defenses and it makes us pretty vulnerable," he says.
A hospital gives in
The assault on Hollywood Presbyterian Medical Center in Los Angeles was a different kind of nightmare.
All but three of the hospital's computer systems were brought down by a ransomware attack in February 2016.
"It was just awful," Steve Giles, the hospital's chief information officer tells NPR, explaining that hospitals are extremely susceptible to these threats because patient data can have life-or-death implications. As a result, hospitals are much more willing to meet the payment demands of hackers.
Yet, at the time of the attack Giles had never heard of a ransomware attack on a hospital.
"We were not even cognizant of the kind of level of cyberattack we incurred," he says.
Hackers initially demanded 22 bitcoin, a value of about $9,000 at the time. But when the hospital paid, the hostage-takers came back for more. "They said they had given us the wrong software so we had to pay another 18 bitcoin," which added up to nearly $7,000 more, Giles says.
Then a new problem: After paying the ransom, the hackers sent over the encryption code. Actually, more than 900 separate sets of code "that had to be uniquely applied to all servers and PCs."
When asked how they could trust that the hackers wouldn't come back a third time, Giles says, "We didn't know."
But, Giles says, "It was a worthwhile bet and we took a chance because we felt that the decryption codes would be a quicker way to bring the system back up."
Despite getting duped, and the frenzy the payoff created, Giles maintains it was the right call. He's also immensely proud that for the duration of the outage no patients were adversely affected.
It's tough to contradict Giles in light of the May 2017 ordeal at Erie County Medical Center in Buffalo, N.Y. When it became a target of a $30,000 extortion plot, authorities there decided not to pay.
Hackers wiped about 6,000 of the hospitals computers and it took the staff about six weeks to get up and running again. In the meantime, employees kept handwritten records.
Officials said it cost them $10 million to recover from the attack. That figure includes money spent on hardware and software to rebuild the hospital's computer system, as well as overtime pay and lost revenue.
DAVID GREENE, HOST:
The city of Atlanta is under siege. Many of its online systems were crippled by hackers who were trying to extort tens of thousands of dollars from the city. Cybersecurity experts are warning that the threat to public services may not be over. Here's NPR's Vanessa Romo.
VANESSA ROMO, BYLINE: It's been nine days since Atlanta was attacked, and officials there aren't divulging exactly how they're dealing with the ransomware threat. What we do know are two things. One, the deadline to pay the $51,000 ransom was Wednesday. And, two, this is becoming an increasingly common problem for schools, hospitals, public utilities and law enforcement, which are all prone to having weak online security. Much to his dismay, Steve Giles knows a lot about this.
STEVE GILES: It was awful. Yeah. Everything was blocked, whether it was patient information, whether it was accounts payable information, everything was blocked.
ROMO: Giles is the chief information officer at Hollywood Presbyterian Medical Center in Los Angeles. And one day in February 2016, he found himself having to decide whether to make a deal with hackers who had encrypted nearly all of the hospital's records.
GILES: They hit us twice. They first asked for 22 bitcoin. And at the time, it was, like, $9,000. And then then we paid it, they came back again, said they had sent us the wrong software so we had to pay another 18 bitcoin.
ROMO: That brought the total up to $17,000. And it still wasn't over.
GILES: By paying that, we got an excess of 900 decryption codes that had to be uniquely applied to all servers and PCs.
ROMO: But despite getting duped, Giles maintains it was the right call.
Can I ask why did you pay the second ransom? How did you know that they wouldn't come back with a third?
GILES: Well, I guessed it was a worthwhile bet.
ROMO: It's hard to argue with his logic, especially when you look at Erie County Medical Center in Buffalo, N.Y. Last year, hackers demanded $30,000. Authorities decided not to pay. Their systems went down for six weeks, and it cost them $10 million to recover. Stephen Boyer of BitSight, a cybersecurity rating company, says despite their criminal behavior, hackers have an incentive to hold up their end of the bargain.
STEPHEN BOYER: Because if word gets out that they never decrypt a file, no one will ever pay and they'll never make money.
ROMO: They even set up customer support lines for their victims.
BOYER: If you want to pay and you have a problem, they'll help you make sure that you get transferred into bitcoin and that everything works properly.
ROMO: But meeting the hackers' demands is the opposite of the FBI's advice. The agency says ransomware extortion costs victims more than $2.4 million a year, and paying a ransom just makes matters worse and can inadvertently fund other illicit activities. That's what Matt Jensen believes, and why, as superintendent of Bigfork School in Montana, he and his colleagues refused to, quote, "give in to terrorists" after their computers were paralyzed in a 2016 strike.
MATT JENSEN: We just weren't going to entertain contacting the ransomware folks.
ROMO: It took more than a week to restore the data that had been wiped and cost about double what the hackers were asking. Still, he insists it was a blessing in disguise.
JENSEN: We remedied everything that we could afford to do.
ROMO: And because of that, their system was not compromised when they were attacked for a second time last fall. Vanessa Romo, NPR News. Transcript provided by NPR, Copyright NPR.