Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Technology

US Mayors Group Adopts Resolution Not To Pay Any More Ransoms To Hackers (zdnet.com) 72

The US Conference of Mayors unanimously adopted a resolution this week to not pay any more ransom demands to hackers following ransomware infections. From a report: "Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit," the adopted resolution reads. "The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm," it said. "NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach." The resolution adopted this week at the 87th annual meeting of the US Conference of Mayors doesn't have any legal binding, but can be used as an official position to justify administrative actions, for both federal authorities and taxpayers alike. The Conference of Mayors includes over 1,400 mayors from across the US, representing cities with a population of over 30,000. The organization said that "at least 170 county, city, or state government systems have experienced a ransomware attack since 2013," and "22 of those attacks have occurred in 2019 alone."
This discussion has been archived. No new comments can be posted.

US Mayors Group Adopts Resolution Not To Pay Any More Ransoms To Hackers

Comments Filter:
  • And the backups? (Score:5, Insightful)

    by guruevi ( 827432 ) on Thursday July 11, 2019 @01:52PM (#58909096)

    Have they also resolved to pay for a backup system?

    • lol.

      Anyway, it's not that they need to pay for a backup system, it's that they need to pay for decent staff to identify what they need and maintain it.

      • by mysidia ( 191772 ) on Thursday July 11, 2019 @02:33PM (#58909422)

        Its one thing to have a backup system... you need a RESTORE system as well.

        And at that, a restore system provides not just the basic capability to restore and avoid losing data, but also the capability to do a "mass restore and immunize" within a short enough timeframe to prevent justifying paying a ransom.

        If the restore process requires a certain amount of downtime, then the losses due to downtime may make it more effective to actually pay the ransom rather than to even utilize that restore process.

        So, uhm, this is not all just about backups but also about IT security and system management practices (besides the restore plan)

        • A pedantic read of the comment, but I'll allow it.

          My intent with "backup system" was the whole shebang; backup, restoration and all the various functionalities therein, but I appreciate how few folks seem to look beyond throwing the data on to some medium and calling it "done" with no regards to the follow through.

          • There are apparently 1,400 mayors there. And 22 paid randsom of say $100K. Now 22 / 1400*$100K = $1500 per city. A back up system is far more more expensive than that.

            Any MBA with a calculator can figure that out.

            You do not buy a $10,000 security system in order to prevent a 1:1000 risk of a $100,000 loss.

            Now, if the mayors actually refuse to pay ransoms, the damage will be much worse. For a while. Until it eventually stops.

            This is why MBAs need to run companies and not engineers.

            • You do not buy a $10,000 security system in order to prevent a 1:1000 risk of a $100,000 loss.

              [snip]

              This is why MBAs need to run companies and not engineers.

              Found the MBA...primarily based on an answer who's definitive answer does not reflect the lack of perspective it betrays.

              A good backup system is not purchased for the express purpose of mitigating the losses from a ransomware attack. That's what Cryptoprevent, MBAM AntiRansom, and a few other products are for.

              A good backup system mitigates the fallout from one too many hard disk failures.
              A good backup system mitigates the fallout from a RAID controller gone awry.
              A good backup system mitigates the fallout fr

    • Indeed. Even just a monthly archive would be adequate for most small cities, and a weekly archive would result in less data loss than the time it takes to decrypt things even after paying the ransom.

      A weekly backup, each department on a different day, especially with most departments completely closed every night for twelve hours, really shouldn't be impossible.

      Alas, I'll say it again; none of this matters. Backups just make this attack easier to recover. There are countless other attacks.

      There has only

    • Comment removed based on user account deletion
      • by deKernel ( 65640 )

        Just how in the hell can you say that the actions of the perpetrators are "... not actually all that evil". I bet if I were to tie up all of our information regarding your life so you could never get to it, you would sing a different song. Even if those cities were negligent, that still does not give someone the right to abuse and take advantage of them like that...sheesh.

        • by geekoid ( 135745 )

          in the scope of 'evil' it' snot really that evil. It just isn't.

          Not that evil in no way means or implies good. Just on a scale of evil form 1 to 100, it's about a 15.

  • by ranton ( 36917 ) on Thursday July 11, 2019 @01:53PM (#58909102)

    Just having proper backups is just as good as refusing to pay ransom, since as long as you have proper backups you don't have to pay them.

  • They are basically forming a cartel to protect their collective interests. Like OPEC, which got together to decide how much oil each one could sell, in order to keep the price of oil high for everyone.

    The problem is that cartels like this rarely work. Every oil producer had an incentive to sell extra oil behind the others' backs. (It's a classic prisoners' dilemma or Nash equilibrium.) Similarly every mayor, if they actually have a breach, will still have an incentive to pay the hackers, even if it is bad f

    • by geekoid ( 135745 )

      No they aren't, and its nothing like that, and OIL prices aren't high.

      You're basically deluded about everything

    • They are basically forming a cartel to protect their collective interests.....

      Usergroup, club, nation, herd, flock, pack, cartel, gang, company, posse, pride, swarm, syndicate, association, team, clique, horde, shoal, community, group, conference, lynch mob, search party, school. People, and in fact all animals, come together and cooperate in groups. Those that fail to do so end up as weaker losers and are out-evolved. Cartels,in the form of companies coming together illegally often fail because they are against the law, but imperfect as they are, even those that only work part

  • by thevirtualcat ( 1071504 ) on Thursday July 11, 2019 @01:56PM (#58909132)

    "Not only have we encrypted all the data you need to do your work, we've siphoned off all the data you have on your citizens to our own servers. Pay the ransom or we'll (release|sell) it."

    Maybe instead, they can resolve to fix up their IT security.

  • Lets See If It Pays Off For Em

    They will just pay third party/insurance to pay the ransom.

    If they said something about improving security and establishing guidelines for backups (and of course restores)
    I'd probably think they were more serious.

    When the data is available and everything is working correctly, it's easy to say stuff like that.

  • by phantomfive ( 622387 ) on Thursday July 11, 2019 @01:59PM (#58909158) Journal
    LOL I came here to say, "Where is the resolution to make good backups?" And there were already three comments saying the same thing. Great minds think alike, or nerds all know how to fight ransomware.

    The answer is they don't have a resolution for backups. Instead, they have a resolution calling on the US government to create a data center they can all use that will be secure, reliable, not too expensive, and solve all their problems.
    • The answer is they don't have a resolution for backups. Instead, they have

      But that's what government DOES -- outsourcing the problem. Being meta-managers, *we* actually _DID_ something about it: gave it to someone else.

      So we've already solved it and are now looking at more IMPORTANT things - if it breaks or goes all wrong, we'll it's all THEIR fault and problem. We're busy.

  • Well, since we know that a "resolution" doesn't actually do jack shit to deter or prevent a ransomware attack, bold statements will do nothing more than paint a target on their backs.

    I predict it will only take another dozen attacks before they realize it takes more than some bullshit public declaration to secure digital assets.

    Then they might start thinking about hiring competent staff and investing in those old fashioned concepts. You know, like backups.

    • Then they might start thinking about hiring competent staff...

      And the first thing that competent staff would do is ban Microsoft software (including its operating systems) from the network in favor of Linux. That alone, doing nothing else, would reduce these incidences by at LEAST 75% (yes, I made up that number to make a point).

      • Then they might start thinking about hiring competent staff...

        And the first thing that competent staff would do is ban Microsoft software (including its operating systems) from the network in favor of Linux. That alone, doing nothing else, would reduce these incidences by at LEAST 75% (yes, I made up that number to make a point).

        Ironically enough, if we ever actually saw the Year of the Linux Desktop, we would also see the Rise of Linux Malware.

        Market share is all it takes to create highly profitable targets.

        • Ironically enough, if we ever actually saw the Year of the Linux Desktop, we would also see the Rise of Linux Malware.

          That's a common misconception. Linux has had malware almost since Linux has existed. Getting it to spread, though, has been damn near impossible. Linux thoroughly dominates in nearly all areas except the desktop, yet successful Linux exploits have been very few and far between. They have almost always been caused by weak passwords, with only a small handful of notable software flaws.

          What makes highly profitable targets is when those targets are running Windows. Its security has had more and larger hole

      • sounds great, let me know when all their proprietary software needed to run their municipality are ported to Linux....

        Maybe they could just take their internal servers off the public internet?

        • let me know when all their proprietary software needed to run their municipality are ported to Linux....

          If a large portion of government municipalities resolved to remove Windows from their networks, companies used by those municipalities would port their software to Linux in short order. Meanwhile, Windows could at least be quarantined within virtual machines running on a Linux/AMD host (don't use Intel chips for this).

  • 1. Companies don't actively think about security/backups until there is a problem. Your home/business could get robbed at any time, but how many people install and actively test the limits of their system? Your electrical power could go out at any time, but how many people have backup generators at their business or home? It's expensive to install a security/backup system and when the power is working people take it for granted and forget about it. Add this to the fact that either programmers don't know how
    • by geekoid ( 135745 )

      1. Are you posting from 2005? security is near the top, if not at the top, almost every companines IT plan.

      2) That makes no sense.

  • for an actual data storage and redundancy plan?

  • I'm starting a pool for how many days it takes for another story to break where a city government pays a malware ransom. Put me down for say 7...
  • by Anonymous Coward

    Baltimore opted to spend $18,000,000+ of taxpayer money to recover their systems instead of paying a $100,000 ransom. Why not pay the ransom and then spend 17 million on improving security and backing things up?

    De-incentivizing these attacks isn't going to work because the potential profit is so high relative to the cost. Government employees aren't smarter than anyone else, getting them to open malicious attachments is probably trivially easy.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...