Hacking has paid off for the criminals who held the computer systems of a small Florida town hostage. Riviera Beach, a Palm Beach suburb, has paid $600,000 in ransom to hackers who breached its system and encrypted the city's records.
After being successfully installed on the town's network after a member of staff opened a rogue email attachment, town officials claim they have been hit hard, with key functions and services severely disrupted.
Blame is being pinned on an elderly and out of date security system, which had recently been scheduled for replacement.
Wait, what Happened?
The hack was the result of a successful phishing incident. A city employee clicked an email link while logged into the city's computer system, which triggered an upload of the hackers' malware.
According to Riviera Beach’s Interim Information Technology Manager, Justin Williams, the city's security system was so outdated that the company that had originally made it didn't even service it anymore.
Following a unanimous vote from the Riviera Beach City Council, the city of 35,000 residents has agreed to the hackers' demands, and will pay $600,000 in bitcoin in order to retrieve their essential data.
What Effect Has the Ransomware Had?
The malware encrypted data on the system, locking it away from the city's access for the past three weeks and counting. The result: a crippled infrastructure. The city's employees have resorted to manual solutions to certain tasks in the meantime.
Riviera Beach had actually unanimously voted in February 2019 to install a new security system at a cost of $798,419, but it hadn't yet been installed by “a City Hall filled with interim department heads, including the interim IT manager, the city’s second in a row, and an interim city manager, third in a row,” according to a researched story by the Palm Beach Post.
In other words, the real story here might be that a debilitating hack is most likely under deeply outdated security and shaky upper management.
Will Paying the Ransom Resolve the Issue?
Does paying off hackers work? The short answer is that it depends on the hacker.
Michigan State University criminal justice professor Tom Holt told the AP that most victims “might not pay the initial ransom that was suggested, but they may work with a third-party provider to negotiate the ransom down,” and that in almost all cases, the victims' data is successfully decrypted after they pay.
It doesn't always work though. The infamous WannaCry ransomware attack, which infected about 300,000 computers in May 2017, was one example.
In the case of Riviera Beach’s hack, the jury is still out, as no data has yet been recovered.
Should You Pay a Ransomware Hacker?
Does paying a ransomware hacker solve the problem? You'll hear a different answer depending on whether you listen to the official FBI line (a firm ‘no') or whether you pay attention to the incidents on record, in which many victims paid up.
The FBI recently told the AP that 2018 saw a total of 1,493 ransomware attacks reported, and that these victims paid a combined $3.6 million to hackers, which works out to around $2,400 per incident. However, it's worth noting that these numbers are likely low, as many believe the majority of cases go unreported due to embarrassment and privacy concerns.
That's not to say that refusing to pay isn't an option as well: When 22,000 computers were recently hacked across 170 sites internationally, Norwegian aluminum producer Norsk Hydro refused to pay up, instead investing $57 million into recovering from the attack. Baltimore also refused to pay $76,000 to hackers last month.
City officials should start considering their options (and upgrading their security systems) now, as more than 50 U.S. cities have been victims of attacks across the past two years alone.
Read more about security news on Tech.co: