[BreachExchange] City contracts show how expensive it is to counter a ransomware attack

Destry Winant destry at riskbasedsecurity.com
Tue Jul 7 09:43:54 EDT 2020


https://www.wbir.com/article/news/local/city-contracts-show-how-expensive-it-is-to-fight-off-a-ransomware-attack/51-b47be57c-0a33-4671-9637-4b6b13e2462f

KNOXVILLE, Tennessee — Countering the underworld hackers who hijacked
Knoxville's computer network won't be cheap for the city -- and
perhaps Knoxville taxpayers.

Contracts for professional services obtained by 10News show two firms
hired by the city charge hundreds of dollars an hour for consultation
and expertise. Just how high the bills will go remains to be seen.

Attackers broke into the city system early June 11. Since then the
city slowly has been trying to recover. The police department
announced this week it finally had gone back to normal protocols when
responding to non-injury accidents after previously being unable to
prepare computer reports from the field.

The city has been guarded and canned in its public reports about
progress. It said early on that it appeared employee files hadn't
been compromised in the ransomware hit, but the invaders have posted
internal city records on the dark web that include worker names,
addresses, contacts and pay rates.

Within hours of the attack, the city hired a law firm -- Mullen
Coughlin of Wayne, Pa. -- and cyber specialists CrowdStrike Services
Inc. of California, records show.

CrowdStrike's agreement specifies costs; Mullen Coughlin's agreement
specifies rates.

The city has not yet received any billings, according to assistant
communications director Eric Vreeland.

Mullen Coughlin will "investigate, provide legal advice and otherwise
assist with response to a potential data security incident," the city
contract states. It's been assisting with matters that include public
response to the attack.

Its hourly rates include $380 for a partner, $320 for an associate
and $140 for a paralegal's services. They bill in 6-minute increments.

Under the terms of the agreement, CrowdStrike will charge for 40 hours
at a minimum.

It'll charge $450 an hour for each consultant's work. Its estimated
"level of effort" at the time of the contract was a required 250 hours
for triage, resulting in an estimated total of $112,500.

CrowdStrike will "assist (the city) with responding to a suspected
computer security incident," its agreement states.

Its work will include using its in-house technical tools to analyze
what happened, what was affected, how to combat the attack, and what
steps to take going forward.

Time spent on travel will be charged at $225 per person per hour.

The attackers have demanded an undisclosed ransom. The city has said
it doesn't plan to pay.

Brett Callow, a threat analyst for the online security firm Emsisoft,
told 10News the attacker appears to be a group using what's known as
DoppelPaymer ransomware.

Last July, CrowdStrike discussed DoppelPaymer in a blog post and said
it had in fact given the ransomware that name.

"We have dubbed this new ransomware DoppelPaymer because it shares
most of its code with the BitPaymer ransomware operated by INDRIK
SPIDER. However, there are a number of differences between
DoppelPaymer and BitPaymer, which may signify that one or more members
of INDRIK SPIDER have split from the group and forked the source code
of both Dridex and BitPaymer to start their own Big Game Hunting
ransomware operation."

Cities hit by malware end up paying thousands and sometimes millions
of dollars to recover.

According to Callow, Knoxville is at least the fourth U.S. city to
have its data stolen via DoppelPaymer. Others are Pensacola, Fla.,
Torrance, Calif., and Florence, Ala.

