Should Suffolk have paid the $2.5M ransom for cyberattack?
With Suffolk’s ransomware lockdown approaching its fifth month, the recent revelation that the proposed ransom was $2.5 million might lead some to wonder whether paying it would have saved the county time, money and rippling impacts.
Reports of the cost of the event range anywhere from $5.4 million for the investigation and restoration to more than $17 million for things such as new software and security licenses and hardware needed to replace older or damaged systems. Suffolk has excluded some of those costs from its estimates, saying the equipment was needed anyway.
Experts interviewed by Newsday generally advise against paying ransom to cybercriminals, particularly if the victim has a good recovery plan, protected backups and robust equipment and security. But they also point to the lengthy recovery at Suffolk in questioning just how well prepared the county was.
"For clients that have good backups in place, it usually doesn't take four to five months to restore" a network, said George Pavel, vice president of SalvageData, a Nyack data recovery and security firm, speaking generally. Suffolk’s vast computer networks cover multiple departments and arms of government, far larger and more complex than business networks.
WHAT TO KNOW
- With the impacts of Suffolk’s ransomware lockdown lingering into a fifth month, should the county have paid the proposed ransom of $2.5 million?
- Experts generally advise against paying ransom to cybercriminals, particularly if the victim has a good recovery plan, protected backups and robust security.
- But they also point to the lengthy recovery at Suffolk in questioning just how well prepared the county was.
The issue of paying ransoms is part of an industry-wide debate and not everyone is dead set against paying. Suffolk's primary security contractor, Palo Alto Networks, boasts of a record of negotiating and paying ransoms. In promotional material, Unit 42, a cybersecurity division of Palo Alto, says that over the past two years it has “been involved in more than 650 cases involving ransomware. Of those cases, Unit 42 has coordinated negotiation and payment in more than 300 of those cases."
A Palo Alto spokeswoman declined to discuss any advice it may have given Suffolk. "As a matter of policy and confidentiality, we cannot disclose details about the cybersecurity event experienced by the county," said the spokeswoman, Andria Leaf.
Unit 42 is conducting the forensic investigation of the ransomware attack, a move some good-government and cybersecurity experts have questioned given that its parent, Palo Alto, supplied the firewalls and other security systems before the attack.
While Suffolk has gradually restored internal email, phones and other vital work functions hobbled by the ransomware event, most services that were formerly offered online now require constituents to visit county offices in person, including title searches, mortgage tax filings, health department tests, permits and other services. Some agencies are doing workarounds, including for residency paperwork needed by remote community college students.
Asked if the county had an end date for the full restoration of ransomware-impacted services, Deputy County Executive Vanessa Baird-Streeter said, “There really isn’t because forensics and analysis is ongoing,” including work begun at the county clerk’s office in December.
A report by Unit 42 cites a Canadian study that found around 58% of businesses hit by ransomware paid the ransom, with 14% saying they paid a ransom “more than once.” Unit 42 said costs, in addition to the ransom itself, can include expenses tied to downtime, damage to the victim’s brand reputation, legal expenses and restoration costs.
Just under two-thirds of businesses took more than a month to recover, 29% said recovery took more than three months, and 9% said it took more than five to six months to return to normal, Unit 42 said, citing the study.
The report doesn’t mention municipalities hit by ransomware, but Newsday has reported that Tulsa, Oklahoma, had one of the longest municipal recoveries on record: the city was offline for eight months and spent $2 million recovering from a 2021 attack, according to news reports.
At a Christmas week news conference, County Executive Steve Bellone disclosed the $2.5 million ransom for the first time, explaining he decided not to pay it because there were “no guarantees that the criminal actors will honor their commitment” by providing keys to unlock encrypted data. Nor were there guarantees that thieves wouldn’t come back asking for more money, or worse, use the ransom for illegal purposes.
“Are they terrorists? Are they engaged in sex trafficking?” Bellone said. “By paying this ransom, would we be using Suffolk County taxpayer dollars to fund operations that could do harm to human life?” He said he “wasn’t prepared to take that chance.”
Experts largely agree that paying cyber thieves can be fruitless, saying even ransomware actors that have a reputation for unlocking data once the ransom is paid can’t be relied on. And even if they do provide keys to unlock data once a ransom is paid, hackers may still sell valuable data they’ve stolen.
“I never personally advocate paying ransoms,” said Adam Meyers, senior vice president of intelligence at security firm CrowdStrike. Whatever Suffolk is spending to recreate and fortify networks compromised in the breach is money that would have to be spent anyway, he said.
“Anytime that happens, you have to treat that [impacted network] as basically an untrusted network and build back up piece by piece so that you have a trusted space,” he said. “You want to avoid that happening again, because if you pay the ransom and don’t fix anything, somebody else is going to come and ransom you because they know you’re willing to pay and have poor security.”
Pavel said his company advises paying the ransom, which it often negotiates downward, in only about 30% of cases. For clients who do choose to pay, the firm follows a strict set of protocols, including confirming that the threat actors are not on a U.S. sanctions list, which could make the payment illegal.
“Every situation is different,” Pavel said of ransomware attacks and the preparedness of entities that are impacted. “If it’s critical medical data that’s been encrypted, that could change the calculation.”
Suffolk has acknowledged that the Social Security numbers of some 26,000 county employees may have been exposed and that personal information of up to 470,000 people was “accessed or acquired” from the county’s Traffic and Parking Violations Agency server.
Data on its Department of Health Services servers also was encrypted, but Suffolk this week said forensic analysis found that "no personal identifying information from Health Department servers was exfiltrated."
Michael Nizich, director of the Entrepreneurship and Technology Innovation Center at New York Institute of Technology, said he generally opposes paying cyber ransoms. Those who pay, he said, generally are those who “aren’t prepared.”
“I do not recommend it, but I also know there are situations where you have no other choice,” he said.
Being prepared includes having a business continuity plan for restoring operations, a hardened security blueprint and lots of backups.
As for Suffolk, the best he can assess is that there “were some vulnerabilities, some holes, and they didn’t or couldn’t [address them] with their budget,” Nizich said. Still, he said, the length of time Suffolk has been down suggests a more complex restoration.
“It does not make sense to me why they are down for so long,” Nizich said, adding he wasn’t hopeful of a full restoration anytime soon. “If it’s what I’m thinking, it could be another four months."