New York State In-depth

Should Suffolk have paid the $2.5 million ransom for the cyberattack?

As the ransomware lockdown in Suffolk approaches its fifth month, the recent revelation that the proposed ransom was $2.5 million may have some wondering whether paying the ransom would have saved the county time, money and far-reaching effects.

Reports of the cost of the event range from $5.4 million for investigation and recovery to over $17 million for things like new software and security licenses and hardware needed to replace older or damaged systems. Suffolk has excluded some of these costs from its estimates, saying the equipment will be needed anyway.

Experts surveyed by Newsday generally advise against paying ransom to untrustworthy cyber thugs, especially if the victim has a good recovery plan, protected backups, and robust equipment and security. But they also point to Suffolk’s lengthy recovery in questioning how well prepared the county was.

“For customers who have good backups, it typically doesn’t take four to five months to restore a network,” said George Pavel, vice president of SalvageData, a Nyack data recovery and security company. Suffolk’s vast computer networks span multiple departments and branches of government and are much larger and more complex than corporate networks.

Not everyone is absolutely against paying the ransom. Suffolk’s main security contractor, Palo Alto Networks, boasts a record of negotiations and ransom payments. In promotional material, Unit 42, a Palo Alto cybersecurity division, says it has been “involved in more than 650 ransomware cases in the past two years. Of those cases, Unit 42 has coordinated negotiations and payments in more than 300 of those cases.”

A Palo Alto spokeswoman declined to discuss any advice she may have given Suffolk. “Due to policy and confidentiality reasons, we are unable to disclose details of the cybersecurity event that the county has experienced,” spokeswoman Andria Leaf said.

Unit 42 is conducting the ongoing forensic investigation of the ransomware attack, a move that some government and cybersecurity experts have questioned, since its parent company, Palo Alto, supplied the firewalls and other security systems in place prior to the attack.

A Unit 42 report cites a Canadian study that found that around 58% of ransomware-hit companies paid the ransom, with 14% reporting having paid a ransom “more than once”. Unit 42 said that beyond the ransom itself, the costs can include downtime, damage to an organization’s brand reputation, legal fees and recovery costs.

Just under two-thirds of businesses took more than a month to recover, 29% said it took more than three months to recover, and 9% said it took more than five to six months to get back to normal, Unit 42 said, citing the study.

The report doesn’t mention communities affected by ransomware, but Newsday has reported that Tulsa, Oklahoma was among the communities that took the longest to recover. Tulsa was offline for eight months and spent $2 million recovering from the 2021 attack, news reports said.

At a press conference during Christmas week, County Commissioner Steven Bellone announced the $2.5 million ransom for the first time, saying he decided not to pay it because there were “no guarantees that the criminal actors would fulfill their obligation” by providing keys to unlock encrypted data. There were also no guarantees that the thieves wouldn’t come back and demand more money or, worse, use the ransom for illegal purposes.

“Are they terrorists? Are they involved in the sex trade?” Bellone said. “By paying that ransom, we would be using Suffolk County taxpayer money to fund operations that could harm lives?” He said he was “not willing to take that risk.”

Experts largely agree that paying cyber thieves can be unsuccessful, saying even ransomware actors who have a reputation for unlocking data once the ransom is paid are unreliable. And even if they provide keys to unlock data after paying a ransom, hackers can still sell valuable data they stole.

“Personally, I never advocate paying ransoms,” said Adam Meyers, senior vice president of intelligence at security firm CrowdStrike. Whatever Suffolk is spending to restore and strengthen networks compromised in the breach is money that should be spent anyway, he said.

“Every time that happens, you have to treat it [impacted network] as basically an untrusted network and build a backup bit by bit so you have a trusted space,” he said. “You want to avoid that happening again because if you pay the ransom and don’t fix anything, someone else will come and buy you out because they know you’re willing to pay and you have poor security.”

Pavel said his company advises paying the ransom, which is often negotiated down, only about 30% of the time. But the firm adheres to a strict set of protocols for customers who may decide to make a payment, including ensuring the threat actors are not on the US sanctions list, which could make the payment illegal.

“Every situation is different,” Pavel said of ransomware attacks and the preparedness of affected companies. “If it’s critical medical data that has been encrypted, that could change the calculation.”

Suffolk has acknowledged that around 26,000 county employees’ social security numbers may have been disclosed and that up to 470,000 people’s personal information was “tapped or acquired” from the county’s traffic and parking violations server.

Data on the Department of Health’s servers was also encrypted, but Suffolk said this week forensic analysis revealed “no personal data was exfiltrated from the Department of Health’s servers”.

Michael Nizich, director of the Entrepreneurship and Technology Innovation Center at the New York Institute of Technology, said he opposes paying cyber ransoms in general. Those who do are generally the ones who are “unprepared”.

“I don’t recommend it, but I also know that there are situations where you have no other choice,” he said.

Preparation includes a business continuity plan for restoring operations, a hardened security posture and multiple backups.

As for Suffolk, all he can say is that “there were some weaknesses, some gaps, and they didn’t or couldn’t [address them] with their budget,” said Nizich. Still, he said, the length of time Suffolk has been out points to a more complex restoration.

“It doesn’t make sense to me why they’ve been out for so long,” Nizich said, adding that he does not expect a full recovery anytime soon. “If that’s what I think, it could be another four months.”

Mark Harrington, a Newsday reporter since 1999, covers energy, wineries, Indian affairs and fisheries.
