To pay or not to pay – that is the question regarding ransomware attacks against municipal services. But if some states have their way, victims may no longer have a choice.
Two states – North Carolina and Florida – have passed legislation prohibiting public ransomware payments, and other states are considering similar measures. But it’s too early to tell yet whether such laws have had an impact. In the less than three years since the North Carolina bill passed, attacks have dipped slightly and still number in the hundreds.
A Choice Is Not a Solution
Taking that option off the table limits the likelihood of all stolen data being recovered, and risks delaying the restoration of essential services, such as 911 responses. With luck, as much as 60% of compromised content can still be restored, but when hackers don’t get their ransom, they release private data on personnel, on patients in healthcare breaches, on police officers in municipal attacks. The accessibility of this content on the web and the dark web can result in serious consequences, from doxing to identity theft.
Government agencies will also then face class action lawsuits for failing to protect stolen data, while also spending millions on reparations that could include credit monitoring or online privacy protection. The financial fallout of a ransomware attack both now and for years to come can be astronomical if the data is never retrieved.
If the ransom is paid and the thieves are “honest,” personnel and patient data may stay confidential, but entities will still have to deal with the cost of rebuilding compromised systems. A payment also perpetuates the risk of more breaches later – the more ransomware attacks achieve the hackers’ desired result, the more they will continue to happen.
“A ban sounds good, until it happens to you,” said Mark Weatherford, a senior fellow with the Center for Digital Government. “Now, you’re staring down the barrel of a gun and have to make that decision.”
Money Isn’t Always the Motivation
Should more states adopt ransomware payment restrictions, it is hoped that the number of breaches will decrease. But sometimes money isn’t what triggers an attack. Artificial intelligence and an active black market in ransomware infiltration procedures have put the means to target a government agency within the reach of anyone with a grudge. These actors don’t care about getting paid – they just want vengeance.
The Best Defense – Proactive Protection
The decision to pay or not pay a ransom is important, but either way, the damage is done. With ransomware and phishing attacks on the rise, and becoming more effective through the use of AI, more public and private sector organizations are focusing less on mitigating the fallout, and more on proactive steps to prevent an attack from occurring in the first place.
One of the most effective safeguards is online privacy protection. When hackers cannot gain access to the personally identifiable information of those employed at a targeted organization, it makes it far more difficult for them to customize a phishing email with a link that delivers a ransomware payload. With that information unavailable, they will turn their attention elsewhere.
Take the first step toward safeguarding your organization.
