In the early morning of Friday August 16th 2019, hackers managed to infiltrate the networks of 22 local government organisations in Texas via a third-party services provider, planting ransomware that encrypted data and disrupted business-critical services.
The hackers’ demand? A cool $2.5 million for the decryption keys to unlock the data.
It was the latest in a brutal wave of ransomware attacks that have blighted US cities this year, and have even led some states to declare a state of emergency.
But Texas decided to do something different from the other states hit by ransomware: they didn’t pay up.
As the Texas Department of Information Resources (DIR) announced on its website, “more than half of the impacted entities are back to operations as usual.”
The DIR statement makes clear that it chose to clean up the infections itself, rebuilding systems and restoring data from secure backups, rather than put any cash into the pockets of the criminals who attacked its systems:
Through the dedication and vision of the Office of the Chief Information Security Officer at the Texas Department of Information Resources, a response plan was in place and ready to be put into action immediately. Within hours of receiving notice of the event, state and federal teams were executing the plan and in the field at the most critically impacted sites to begin eradicating the malware and assessing impact to systems. By day four, response teams had visited all impacted sites and state response work had been completed at more than 25% of those sites. One week after the attack began, all sites were cleared for remediation and recovery.
This is all very impressive, of course, but chances are that the clean-up and recovery – combined with the disruption to normal services – has actually cost more money than it would have cost to pay the cybercriminals who were holding the data to ransom. And that cost is likely to be passed on to taxpayers ultimately.
Nonetheless, I applaud the Texas DIR for making the decision it did. Although it may have cost them more to recover from the ransomware attack than paying the ransom, in the long term a refusal to pay extortionists will help to discourage future attacks. After all, if victims won’t pay up – what’s the point?
To learn more about the ransomware attacks hitting US states, be sure to listen to this episode of the “Smashing Security” podcast with special guest Jack Rhysider from “Darknet Diaries”, recorded shortly after the Texas attack.
Smashing Security #142: 'Mercedes secret sensors, smart cities, and ransomware runs riot'
Even if they paid they have no assurance that the systems are clean and are not infected with a secondary hook. Then in addition to paying the ransom the state would still have to pay for the cleanup and recovery of all systems. One should not trust a system that has been compromised with malware to be truly clean just because you have run a malware tool. I cannot count the number of times I have had to come back and help someone after they "cleaned" the malware off their systems over the years. The correct action is still to reimage the systems and restore the data if at all possible, especially when dealing with sensitive systems.
There was value gained that was not considered in this article:
1. Ransomers not being paid minimizes the risk of secondary attacks…by the same group and/or copy-cats.
2. An invaluable exercise of restoration testing that many orgs. fail to do on a regular basis.
3. Valuable communications plan testing and coordination.
4. An opportunity for improvement in areas that did not function as planned, or designed.
5. A true test of the DR/BCP plans for the state's DIR functions.
So, although the 'cost' of recovery and remediation may have exceeded the ransom demanded, the lessons learned from the exercises are much more valuable than the perceived 'cost'.
-cMc>