A ransomware gang tried to extract a ransom payment of an unheard-of sum of $5.3 million from the city of New Bedford, Massachusetts, but the city chose to restore from backups after hackers rejected a smaller counter-offer of only $400,000.
The incident happened in early July, but details were kept under wraps until today when New Bedford Mayor Jon Mitchell held a press conference detailing the city's efforts in handling the fallout from the ransomware infection.
According to Mayor Mitchell, the ransomware hit the city's IT network on the night between July 4 and July 5.
During that night, a group of hackers breached the city's IT network and installed Ryuk, a type of ransomware used in targeted attacks and today's most prevalent ransomware strain, according to a report published last week by Fidelis Security.
Mayor Mitchell said the ransomware spread through the city's network and proceeded to encrypt files on 158 workstations, which accounted for 4% of the city's total PC fleet.
Things could have been much worse, the official said, but attackers hit during the night, when most of the city systems were turned off, preventing the ransomware from spreading through the entirety of its network.
The city's IT staff discovered the ransomware the next day when they came to work, and they moved quickly to disconnect the infected computers from the city's network and contain the infection before it could cause even more harm.
"While the attack was still underway, the city, through its consultants, reached out to the attacker, which had provided an email address," Mayor Mitchell said today in a press conference.
"The attacker responded with a ransom demand specifically that it would provide a decryption key to unlock the encrypted files in return for a Bitcoin payment equal to $5.3 million," he added.
The city didn't pay, primarily because it didn't have the funds. If it had, this would have been the largest ransomware payment ever made, dwarfing the previous record of $1 million, held by a South Korean web hosting firm.
But even knowing they couldn't pay, Mayor Mitchell said the city decided to engage in a conversation with the hackers, so IT staff would have more time to bolster the city's defenses and protect their network in case the attackers took other actions besides just running ransomware.
"In light of these considerations, I decided to make a counter-offer using insurance proceeds in the amount of $400,000, which I determined to be consistent with ransoms recently paid by other municipalities," Mayor Mitchell said.
"The attacker declined to make a counter-offer, rejecting the city's position outright."
At that point, realizing that the hackers wouldn't negotiate, the New Bedford mayor said they decided to restore from backups.
The city's decision to restore from backups was an easy one, due to the low number of infected systems and the fact that no critical systems had been impacted by the ransomware. This made managing public pressure easier than in other municipalities, where ransomware infections effectively crippled almost all city services.
Mayor Mitchell's full press conference is available below, courtesy of The Standard-Times, whose reporters also broke the story earlier today.
In recent months, US cities have been a prime target for ransomware gangs. Below are just some of the most high-profile cases that impacted US municipalities:
A recent ProPublica investigation found that insurance firms are inadvertently fueling the ransomware economy by advising cities to pay ransom demands, rather than rebuild IT networks -- as ransom payments are always cheaper for the insurance firm to cover.
This rise in the number of successful ransom payments has, in turn, attracted more ransomware gangs, breathing new life into the ransomware landscape that appeared to have died off and slowed down last year.