Learning from Baltimore's disaster, Florida city will pay criminals $600,000 to get free of ransomware attack

Originally published at: https://boingboing.net/2019/06/21/thanks-nsa-2.html


And that is called paying the Dane-geld;
But we’ve proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.


I object to the broad tarring of computer consultants as grifty. Our business has had people bring in ransom-locked computers, if we don’t unlock it we won’t charge, or at least get a copy of the data off the computer so it can be saved.


Despite the fact that paying the ransom will enrich gangsters at public expense, the city is arguably getting a bargain

Cheaper still: a good sysadmin and daily off-site backups. Maybe a mirrored system if you want to get all fancy. I guess that in 2019 some cities like to live dangerously.

Once you pay off an extortionist, they’re going to come back for more.


But I’ve read that a lot of “consultants” just pay the ransom with your money anyway, even though they say they won’t (because your hope was that you’d at least be paying someone to fix it instead of enriching scammers)

1 Like

Is there already ransomware that increments the cost to remove it as time passes?


Time to return to paper, ya’ll, for the shit that actually matters. It’s amazingly decentralized! For stupid, fun, ridiculous bullshit, the digital sphere is perfectly capable. Witness: Twitter.

Can’t imagine there isn’t. It would be stupid easy to implement. Pseudo-code:

Initial cost = $1000.00
For each day that passes
Initial cost + $50.00 = Today’s cost
Screen message ='s “pay up, motherfukerz, your cost is now” & <Today’s cost>
End Loop

Mirroring or replicating the data isn’t necessarily going to help–they’ve presumably been replicating the encrypted data since they were compromised. Replicating the data to another site protects them from issues at one site (such as catastrophic failure of the storage array), not problems with the data itself. It also allows them to switch quickly over to the second data center in case of disaster.

Depending on what they’re using for storage, local snapshots might have helped (depending on how long they keep them). I’ve known a couple of organizations who got themselves out of trouble that way. If they don’t have snapshots or they don’t go back far enough, then they’re stuck restoring from backups.

The fun part was figuring out how they were compromised so it didn’t happen again immediately afterwards.


Surely it can’t be that difficult to swap out a bunch of hard drives for new ones, right?

What is the current vector for these attacks? Is someone clicking on a phishing email, with a link to a site that installs the malware?

Is there any other way than that, that this is still spreading?

Ransomware is software. There are any number of ways it could have been installed, from a link in a phishing email to a trojan to someone intentionally running an installer.

The size of the ransom suggests the attacker knows what they’re doing–they’re not going to try to extort $600K out of an average individual. They won’t get it. So at a minimum they did something to look at the size of the fish they had on the hook before they asked for ransom.

I wouldn’t be surprised if they were targeted. This could be something as simple as an attacker concentrating on the email accounts of city officials under the assumption that they both had money and were less likely to have competent IT staff. Or it could have involved a former or even current employee who left a back door somewhere inside, or someone who just knew which parking lot to drop a USB key in.

A compromised machine inside their network could explain why they paid. Suppose the attacker let it sit idle for a while before running the ransomware. If it’s there long enough, the city could restore their data from backup yet not remove the compromised machine. After the restore the attacker smirks and runs the ransomware again. At the point they don’t really have any good options.


Except low-level all their machines, then do the backup? Sounds like they just don’t have good enough backup.



The hackers apparently got into the city’s system when an employee clicked on an email link that allowed them to upload malware.


Then you need to fire your entire IT organization and start over. Seriously, what the fuck?




I haven’t seen a malware-infected machine in like years. How did this get through their spam filtering/anti-malware software?

I missed that. Spear phishing is still a possibility, though.


PEBKAC is the most common error.


In that case, any chance he can run a full system restore to, oh I don’t know, early fall, 2016?

1 Like