[BreachExchange] Colorado city forced to pay $45,000 ransom to decrypt files

Destry Winant destry at riskbasedsecurity.com
Fri Aug 14 08:37:46 EDT 2020


https://www.bleepingcomputer.com/news/security/colorado-city-forced-to-pay-45-000-ransom-to-decrypt-files/

A city in Colorado, USA, has been forced to pay $45,000 after the
City's devices were encrypted in July, and they were unable to restore
necessary files from backup.

On July 27th, the City of Lafayette suffered a ransomware attack that
impacted their phone services, email, and online payment reservation
systems.

At the time, the City had not explained what was causing the outage
but stated that residents should use 911 or an alternate number for
emergency services.

Over a week later, the City announced that they were victims of a
ransomware attack that encrypted their devices and data, and took down
their systems.

While financial data was recoverable from backups, after weighing the
costs, the City decided to pay a $45,000 ransom to an unknown
ransomware operation to receive a decryption tool to recover other
encrypted files.

"After a thorough examination of the situation and cost scenarios, and
considering the potential for lengthy inconvenient service outages for
residents, we determined that obtaining the decryption tool far
outweighed the cost and time to rebuild data and systems," City of
Lafayette Mayor Jamie Harkins stated in a video.

The City does not believe any data was stolen and states that credit
card info was not stored on their servers. To be safe, they advise
residents and employees to monitor their accounts for suspicious
activity.

"Financial data appears to be recoverable from unaffected backups.
Personal credit card information was not compromised, as the City uses
external PCI-certified payment gateways. There is no evidence to
suggest personal data was compromised, but out of an abundance of
caution, residents and employees are advised to be vigilant to monitor
accounts for suspicious activity. The City will be sending a security
breach notification to individuals who have personal information
residing on the City’s network," the City stated in an announcement.

Harkins explains in the video that the City did not disclose the
attack sooner out of concern it would affect their negotiations with
the ransomware operators.

The City of Lafayette got lucky

While it is unknown which ransomware operation attacked the city, one
thing is for sure: they got lucky with such a low ransom demand.

BleepingComputer monitors ransomware activity, and most of the active
enterprise-targeting operations demand hundreds of thousands, if not
millions, of dollars for a decryptor.

If they were affected by an attack by some of the larger operations
such as Maze, REvil, LockBit, Doppel, or Clop, it might not have been
possible to pay for the ransom without significant financial loss.

Furthermore, these larger operations tend to steal unencrypted files
before performing attacks and then publish them on data leak sites if
not paid.

This public posting would have led to severe consequences for the
City, its residents, and employees, as data published by ransomware
operators is commonly monitored by other threat actors who then use it
in phishing campaigns or other attacks.
