
US mayors adopt resolution to not pay hackers over ransomware attacks - PatrolX
https://www.cnet.com/news/us-mayors-adopt-resolution-to-not-pay-hackers-over-ransomware-attacks/
======
Someone1234
Their assumption is that they're being targeted and that this "united front"
will give attackers less reason to target them, when the harsh reality is that
these CryptoMalware emails/IM Spam are being sent to every business/government
internationally looking for the softest targets.

They should have passed a resolution to implement a 1-2-3 Backup Strategy with
mandatory offline & offsite backups and testing protocols. But that would cost
money and require competent management/oversight, instead they'd prefer to
pass a meaningless fiat that won't do jack.

Honestly until there are consequences for government officials/management
nothing will change. This is 95% about poor resource management and 5% about
CryptoMalware. Nobody should be paying, because they should ALREADY have
multiple tiers of backups, that are audited, tested, and reviewed.

PS - "It also encrypted our backups" is also pure incompetence. They just
didn't want to manage rotated backups or pay the storage fee/costs of high
density tape.

~~~
klodolph
The problem with 1-2-3 backup is 95% user education, policies, desktop
administration, etc., and 5% making the copies of data. In my experience, at
least. You need IT staff who are good at finding solutions that work for
everyone. It would be nice if we could just say “store it on the network
drive” and then make backups, but users in the org don’t listen, and this is a
fact of reality that you have to spend time & money to adapt to.

So backup is a fairly big management & IT challenge that goes way beyond
guidelines like 1-2-3. That, and due to legal restrictions, local governments
are rarely empowered to hire the right IT staff capable of making it happen.

~~~
jammygit
Speaking of backups, what do you all do for yours? I’m embarrassed to admit I
only do a weekly backup to a portable drive for my personal data, and mostly
use automated snapshots on aws for database contents.

~~~
Waterluvian
All my stuff is in Google so my backup is for "what if Google decides to ban
me without recourse?" For that I download the hundreds of gigs of Google
takeout and upload it to backblaze. I ought to automate it.

I'm mostly saying this out loud for the chance someone will point out an issue
or optimization for my strategy.

~~~
ulucs
Have you tried running rclone on a VPS? Not exactly Takeout data, but you can
sync across cloud services

[https://rclone.org/](https://rclone.org/)

------
fsagx
Mayors will pay "cyber-security" consulting firm. The firm will pay the
hackers.

[https://www.zdnet.com/article/georgia-county-pays-a-whopping...](https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection/)

------
saurik
I am on a local city commission. As part of this, they gave me an email
address (made me unhappy, but whatever). They sent me an email to my personal
email address telling me how to log in to my city email address, explaining
that my password was a trivial algorithm based on my name, followed by a
number and an exclamation point. This was a form email: every single address in
the entire city has the same password format (with the same number, to be
explicitly clear). They disabled the feature to let people change their
password. So... anyone can log in to the email account of any official in this
city and do stuff like delete mail before they see it (as even if they have
audit trails turned on for administrators, the official can still delete mail
from their own perspective, and would never know if someone helpfully deleted
it "for them").

------
shakyshakyshaky
This type of acausal deal only works for single-target attacks. If a bad actor
is searching for a victim and sees two potential targets, one of which has
resolved to never cede to their demands and one who hasn't commented, they
will attack the ambivalent party.

Malware is not a single target attack. Whether or not it's probably beneficial
to attack one of these cities is not considered. Instead of making gestures,
these mayors should be investing in better cybersecurity.

------
flowersjeff
Honestly, I can't add much more than what has already been said here... If
your data/biz/org/etc is crippled because of these types of attacks, then you
really need to have a frank discussion around IT/resource allocations/goals.
These are 100% manageable (worst case).

~~~
Johnny555
Is it 100% manageable?

If the malware author manages to infiltrate your network and quietly starts
infecting files and devices on your network over 6 months, even if you restore
from a 7 month old backup, what about all of the files that were created
between then and now -- are they all going to be recoverable even if you can
find and remove the malware? Can you reliably detect all of the malware or
will the attack sprout again from your printer in a few months?

------
mikece
Is it just me or will hackers use this as a guide of whom to hack?

~~~
hammock
I imagine that's the idea.

------
ourmandave
Is it cheaper to pay the ransom to unencrypt your data or just buy a copy off
the dark web?

I assume the malware fucks stole a copy to auction off.

~~~
rolltiide
the decryption keys are generated by entropy from the controller

just having the software won't do you any good

------
qwerty456127
Fascinating. The page manages to bypass uBlock Origin and pop up an ad window
in the right bottom corner to start playing heavy (which my computer and
connection can barely handle) video with sound (!) automatically.

------
techslave
this is beyond stupid. municipal IT systems are vulnerable because of poor
resource availability and lack of budgets to properly secure them.

paying the ransomware folks should be considered the cost of doing business.
it’s cheaper than actually securing the data.

anyway it’s expected. the same mayors that underfund IT would be the same ones
to make this ridiculous “red line”.

good opportunity here for a cookie cutter IT consultancy to come in to all of
these cities and offer cookie cutter service.

------
lanrh1836
I’m curious where the cities that have paid ransomware attackers acquired
bitcoin. Did they literally just open a Coinbase account and send funds
through there?

~~~
Mountain_Skies
They probably had a consultant do it for them.

------
smileysteve
Alternatively, they could move to secured cloud services; what with encryption
at rest, nightly backups, and inactive file storage.

------
grendelt
Ok, but how are they gonna get their data back? Just sacrifice it and lose all
digital public records?

~~~
tw04
Yes, and this is exactly why they should be keeping both digital (online and
offline) as well as paper copies of their records.

If they can't afford to have good backups of their data, they can't afford to
have digital records in the first place. This is the equivalent of a community
saying they can't afford filing cabinets so they just stack paper on the floor
in the boiler room. Nobody would find that acceptable, and they shouldn't find
this acceptable either.

~~~
mc32
I think one issue is that they can’t know for certain when they became
compromised. So they may be able to get data back but can’t know that that
data has integrity, unless they’ve hashed it since the beginning of time.
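
The integrity question raised in this sub-thread (which backup generation predates the compromise), as an added example that is not part of the thread: hash a set of archived records once, keep that manifest offline or on write-once media, and compare each backup generation against it. Function names, the record path and the three weekly generations are constructed for illustration.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def changed_records(baseline, current):
    """Baseline records that are missing or altered in a later copy."""
    return sorted(p for p, h in baseline.items() if current.get(p) != h)


def last_clean_generation(baseline, generations):
    """Walk generations oldest to newest; stop at the first altered one."""
    clean = None
    for label, manifest in generations:
        if changed_records(baseline, manifest):
            break
        clean = label
    return clean


def demo():
    """Constructed sample: one archived record across three weekly backups."""
    record = os.path.join("records", "deed-1042.txt")
    bodies = {"week1": b"deed 1042", "week2": b"deed 1042", "week3": b"\x8f\x02"}
    with tempfile.TemporaryDirectory() as tmp:
        generations = []
        for label, body in bodies.items():
            root = os.path.join(tmp, label)
            os.makedirs(os.path.join(root, "records"))
            with open(os.path.join(root, record), "wb") as fh:
                fh.write(body)
            generations.append((label, build_manifest(root)))
    baseline = generations[0][1]  # assumed to be kept offline or write-once
    return (last_clean_generation(baseline, generations),
            changed_records(baseline, generations[2][1]))


if __name__ == "__main__":
    print(demo())
```

The comparison only covers records that are not supposed to change after archiving; files that are legitimately edited between generations need a different check.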

