In brief: It’s starting to look as if Florida cities have become the favorite target for ransomware attacks after a third local government was struck by the malware within the last few weeks.
Key Biscayne joins Riviera Beach and Lake City in having its systems infected by a form of ransomware after it identified a data security “event” early last week. In all three cases, the malware made its way onto local government computers when an employee clicked on an email link that allowed it to be uploaded.
“Key Biscayne is working with outside counsel and third-party forensic experts to ensure that its systems are secure, and to determine the scope of the event,” said city manager Andrea Agha, in an email to CBS Miami.
Last month, it was reported that Riviera Beach had agreed to pay hackers $600,000 to restore its encrypted systems. A week later, Lake City’s insurance provider negotiated a payment of 42 bitcoins, or around $500,000 at the time, to unlock its computers. In the latter case, $10,000 of the money came from taxpayers.
Both Key Biscayne and Lake City were hit with Ryuk, the final piece of what is known as the “Triple threat attack,” the other two being Emotet and Trickbot malware. It’s uncertain whether the Riviera Beach attack was also based on Ryuk, which was originally linked to the notorious North Korean “Lazarus” hacking group.
While paying hackers to unlock ransomware usually isn’t advised as there’s no guarantee they’ll hand over the decryption key, city officials agreed this was the best, easiest, and cheapest—as the bulk is paid by insurers—way to address the situation.
The wealthy island town of Key Biscayne has just 3,000 residents, making it much smaller than Lake City (12,000) and Riviera Beach (35,000). A special council meeting to discuss the issue was held on Thursday, where it was decided to spend $30,000 on hiring a data recovery firm, though it appears the city isn’t ruling out paying the hackers.
“The Village Manager may (in her judgement) incur additional expenses necessary to expeditiously and fully resolve the current data security event,” states the council resolution.