Many Local Governments Have Paid Ransom To Hackers

Dec 6, 2017

To learn more about ransomware, WFAE's Mark Rumsey spoke to Dan Lohrmann. He’s the chief strategist and security officer at Security Mentor, a Michigan company that specializes in cybersecurity. He’s also a former chief security officer for Michigan’s state government.

Mark Rumsey: First, how often is this kind of thing happening that we're dealing with in Mecklenburg County government right now?

Dan Lohrmann: Sadly, it's happening a lot. The FBI estimated in 2016 there was probably about a billion dollars in ransoms that were paid and people are thinking maybe double that this year.

Mark Rumsey: Do the victims of these attacks usually pay up?

Dan Lohrmann: You know, it varies. I think in the U.S. the answer is yes. You know, quite frankly it's like two-thirds of the people pay, and in other parts of the world maybe less than 50 percent. But I think that's one of the reasons why the U.S. gets maybe hit more than other parts of the world. But yeah, oftentimes it's the path of least resistance.

The FBI and police usually say don't pay it because there's no guarantee, (that) you're rewarding the criminals. I will tell you that a lot of other cities and a lot of other counties have paid the ransom. I have a list in front of me, 10 just in the last year and there's a lot more than that: Lincoln County, Ohio, The Texas Police Department. In Montgomery, Ala. - $37,000 they paid. Madison County (Indiana). Bingham County, Idaho. Carroll County, Ark - Counties that have paid ransoms. So there's plenty of precedent for paying. And there's also a lot that don't pay.

Mark Rumsey: And are local governments any more vulnerable to this kind of incident?

Dan Lohrmann: Certainly, I think the numbers show that government is near the top of the list – and one of the things you have to keep in mind, Mark, is that not everyone reports these things. So governments tend to be … we know about them a lot more (than) a small company maybe gets hit or a small business, maybe even individuals. They may not report it. They may just pay and move on.

Mark Rumsey: So other than worker education, awareness about links and e-mail attachments and the risk of those, what more can be done (with computer systems)? What needs to happen next to cut down on this?

Dan Lohrmann: The number one thing everyone needs to hear: Backups - you know, good backups on all the critical data. Many governments fall for a challenge where they back up some servers, but maybe not all of them, maybe not the critical ones, maybe not all the data most recently. Or they do backup maybe six months ago or three months ago, but not the data from the last week or the last month. So regular backups that are tested and building a process where you regularly have business continuity plans so you can quickly recover from if an incident does happen.

Dan Lohrmann: I think another example - there are some really great websites people can go to. One that's supported by a lot of the big security companies is called nomoreransom.org. It walks people through if they do get an infection - a lot of these are easily encrypted on your own without working with the hacker and pay that money.