This Year in Ransomware Payouts (2019 Edition)
What Were the Biggest Ransomware Payments? Which Organizations Paid the Ransom?
Even though 2017 remains the year when the ransomware pandemic was at its peak, cybercriminals will not stop these attacks on individuals and businesses anytime soon. Unfortunately, ransomware attacks continued to make headlines this year as well. So, in this article, I’m going to look at the highest ransomware payouts of 2019, which organizations paid the ransom, and explain why it’s never a good idea to pay.
But first of all, let’s start with some mind-blowing ransomware statistics from 2019.
Ransomware statistics in 2019
Here are the most shocking ransomware facts coming from 2019 alone:
- Two-thirds of ransomware attacks targeted state and local governments.
- 55% of SMBs from the US would pay hackers to recover their stolen data in ransomware attacks.
- Over 500 US schools were affected by ransomware attacks in 2019.
- Almost 70 US government organizations have been infected with ransomware since January 2019.
- A total of 140 US local governments, police stations, and hospitals have been infected with ransomware.
- In the third quarter of 2019, the average ransomware payout increased to $41,000.
The most significant ransomware payouts of 2019
In the best-case scenario, victims of ransomware can simply wipe their systems and recover their data from offline backups. However, some organizations don’t keep any backups at all. Or worse, even when they do have copies of their data, the backups sometimes end up encrypted by the cybercriminals as well.
There are times when ransomware victims can decrypt their files with free ransomware decryption tools, but sadly, there isn’t a decryptor available for every ransomware strain out there. This sometimes leads to companies paying the ransom, desperate to get their business back up and running.
Without further ado, below you will find the most significant ransomware payouts of 2019.
#6. Park DuValle Community Health Center, Kentucky, USA
Amount paid: $70,000
In June 2019, Park DuValle Community Health Center had the medical records of almost 20,000 patients encrypted by ransomware and ended up paying the $70,000 ransom. The attack had left them locked out of their system for almost two months, impacting the health center’s medical records system and appointment scheduling tool.
For seven weeks, they had to record the patients’ information with pen and paper and ask them to describe their past treatments from memory. The health center basically had to operate on a walk-in basis, since it was not able to schedule appointments or view any data.
“This is everything. This is medical records, contact information, insurance information, anything about a patient…everything is gone,” said Elizabeth Ann Hagan-Grigsby, CEO of Park DuValle. “The records involved are for past and present patients,” she continued.
This was the second time during the same year that Park DuValle was hit by a ransomware attack. Back in April 2019, their systems had been locked down for about three weeks. That time, they had their data backed up, so they did not pay the ransom. The second time, however, they were unable to recover their data from the backups, so they decided to pay the ransom to restore it.
The amount was paid in 6 bitcoins (the equivalent of $70,000). The cybercriminals provided the decryption keys and Park DuValle was able to recover its data.
#5. Stratford City, Ontario, Canada
Amount paid: $71,000
In April of this year, the City of Stratford also became a ransomware victim that chose to pay the ransom. According to the story published on Cybersecurity Insiders, the malware was installed on six of their physical servers and encrypted two virtual servers as well, leaving their sensitive data locked down.
Even though they received warnings from officials, they paid 10 bitcoins, which at the time of the attack meant roughly $71,000. The security company they contacted was not able to recover their data and was only involved in forensics. Consequently, the city negotiated the price that needed to be paid for their information to become available again. Their cyber insurance covered $15,000 of the ransom.
It seems that no personally identifiable information was compromised or exposed in this ransomware incident.
#4. La Porte County, Indiana, USA
Amount paid: $130,000
Another victim of the Ryuk ransomware, La Porte County, Indiana, paid $130,000 to recover their data.
The attack happened on July 6 and was noticed right before it managed to spread to all of the network’s computers. The IT staff confined it to less than 7% of machines; however, two domain controllers were impacted and, as a result, network services became unavailable.
According to the source, the FBI and a forensic investigation firm attempted to recover the data without paying the ransom, but their efforts proved unsuccessful. $100,000 out of the $130,000 payment was covered by insurance.
Apparently, the county did have backup servers in place; however, they became infected by the ransomware as well.
The ransomware that affected La Porte County’s systems is allegedly Ryuk, the same strain that affected Lake City. It was called a “triple threat” because it originated from an Emotet infection that delivered the Trickbot trojan, which then launched Ryuk.
#3. Jackson County, Georgia, USA
Amount paid: $400,000
Back in March, Jackson County had its network shut down by a ransomware attack, leaving only its website and 911 emergency system untouched. This meant they had to do their reports and bookings with pen and paper, just like they did before using computers became the norm.
Their officials contacted the FBI and hired a cybersecurity consultant. The security specialist negotiated with the cyber attackers and it was decided that Jackson County had to transfer $400,000 to receive the decryption key and gain access to their data once again.
“We had to make a determination on whether to pay. We could have literally been down months and months and spent as much or more money trying to get our system rebuilt,” said Kevin Poe, Jackson County Manager.
Apparently, the county’s network had been infected with the Ryuk ransomware strain, which, as of now, does not have a free decryption tool available. According to experts, this type of ransomware had one of the most active campaigns in 2019, also affecting over 500 schools in the US.
Researchers say the Ryuk ransomware only launches after it has fully spread across the target’s network.
#2. Lake City, Florida, USA
Amount paid: $500,000
A second city in Florida paralyzed by ransomware agreed to pay the ransom: 42 bitcoins ($500,000).
Even though their IT staff disconnected the systems within ten minutes of the attack’s detection, the ransomware managed to infect their network almost entirely. The police and fire departments were not affected, as they were running on a separate network. The people who needed to pay their bills could only do it in cash or money orders and they received handwritten receipts.
Cybercriminals reached out to the city’s insurance provider a week after the infection took place and the ransom payment of 42 bitcoins was negotiated. The money was paid from the city’s insurance.
Over 100 years’ worth of records (ordinances, meeting minutes, resolutions, and City Council agendas) were encrypted for almost a month. Even a few weeks after the ransom was paid, they had not recovered all of their data. What’s more, Lake City’s information technology director was accused of failing to secure the network and of not recovering the data quickly enough, and eventually lost his job.
Lake City was another victim of the Ryuk ransomware strain.
#1. Riviera Beach City, Florida, USA
Amount paid: $600,000
This brings us to the biggest ransomware payout of 2019, which was made by Riviera Beach City in Florida.
Allegedly, right after an employee clicked on a link in a phishing email received on May 29, hackers managed to infiltrate the city’s network and lock it up. All of the city’s online systems went down, including email and even some phones, and on top of that, water utility pump stations were affected as well. As a result, payments could only be accepted in person or by mail (only in cash or by check) and communication was conducted by phone.
The City Council unanimously agreed to pay the ransom. The requested amount was 65 bitcoins, the equivalent of nearly $600,000. More than $300,000 from the city’s insurance policy was used to pay the ransom. The payment was officially made merely a few weeks after Riviera Beach agreed to spend around $1 million to replace the infected computer equipment.
Riviera Beach’s attack looked similar to what Jackson County experienced in March, so it seems they were yet another victim of the Ryuk ransomware strain.
The biggest ransom ever paid
Even though we’ve witnessed several major ransomware payouts this year, none of them was the all-time biggest.
In 2017, the Korean web hosting firm Internet Nayana received the largest ransom demand ever (a whopping $1.14 million), which they also ended up paying. During their negotiations, some of their data was permanently deleted. To make up for the incident, Nayana offered free hosting for life and refunds to its affected customers. So, of course, besides the actual payment, the ransomware attack involved additional costs and reputational damage.
Others refused to pay
Paying the ransom is not something that every ransomware victim considers. And sadly, data recovery costs for some organizations that decline the payment end up being much higher than the actual ransom. For instance, back in March 2018, the City of Atlanta was infected with the SamSam ransomware variant. Cybercriminals demanded a $52,000 ransom payment; however, Atlanta refused to pay and had to spend $2.6 million to recover from the attack. So, since it has been proven that paying the ransom can be a lot cheaper than dealing with an attack’s aftermath, local governments are increasingly choosing to pay.
But here is an example of an organization that declined the ransomware payment.
Baltimore City’s ransomware resistance story
On May 7, 2019, cybercriminals froze around 10,000 Baltimore government computers and asked for a $100,000 payment in bitcoins. The city’s employees were locked out of their email accounts and citizens were unable to pay their bills. This wasn’t the first time the city had become a victim of ransomware: in 2018, its 911 system was shut down for about a day by a similar attack. In both cases, the city did not transfer money into the attackers’ Bitcoin wallet.
The second time, their computer systems were infected with the RobbinHood ransomware strain.
Bernard C. Jack Young, Mayor of Baltimore City, explained why they chose not to pay the ransom:
“Why don’t we just pay the ransom? I know a lot of residents have been saying we should’ve just paid the ransom or why don’t we pay the ransom?
Well, first, we’ve been advised by both the Secret Service and the FBI not to pay the ransom. Second, that’s just not the way we operate. We won’t reward criminal behavior.
If we paid the ransom, there is no guarantee they can or will unlock our system.
There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future.
Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action.”
— Mayor Bernard C. Jack Young (@mayorbcyoung), June 5, 2019
The city representative acknowledges that by paying the ransom there is no guarantee their systems will be unlocked, and also emphasizes that they are choosing not to encourage criminal behavior.
US mayors have adopted a resolution against paying the ransom
A proposal to ban ransom payments was put forward by Bernard Young, the Baltimore City mayor quoted above, and it has since been adopted. The resolution reads:
“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit.”
“The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm.”
“The United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.”
Although the adopted resolution is not legally binding, it can be used to justify not paying the ransom to federal authorities and taxpayers.
Paying the ransom is a short-term solution
Ransomware payouts have become a highly controversial topic and for a good reason. Several questions arise when it comes to paying the ransom: Are you really going to recover your data? Where is your money actually going? Are you funding terrorist groups?
The FBI has explicitly stated that they do not support the practice and they urge organizations to report any ransomware incidents to law enforcement, no matter if they paid or not.
I strongly believe no one, be they consumers or organizations, should ever pay the ransom.
Here is why:
#1. There is no guarantee you will ever recover your files
In some cases, people still lost their data even after they paid the ransom. For instance, the GermanWiper ransomware deletes your files even if you pay.
Also, malicious hackers like to be taken seriously, so if you think that by paying only a fraction of the requested amount you will get your data back (or at least some part of it), you are wrong. For example, the City of New Bedford, Massachusetts, was yet another government institution infected with the Ryuk ransomware. They tried to negotiate a payment of $400,000 instead of $5.3 million, aiming to align it with the amounts paid by other cities hit by the same type of malware. However, their offer was declined.
#2. You are funding criminal organizations
Yes, it may be cheaper and faster to get your data back (if you are “lucky” enough) by paying the ransom. But are you really okay with transferring your money to shady hacking groups who may be using it for more malicious purposes?
#3. You are only encouraging this behavior
If organizations continue to pay the ransom, cybercriminals will not stop this practice anytime soon. In fact, it has already become a highly profitable underground business, also known as Ransomware as a Service (RaaS).
So, do you actually want to incentivize more and more attacks and contribute to the further growth of the illegal ransomware industry?
Think about it this way. In the long run, if you’ve chosen to pay the ransom, you will definitely not save any money. Why not use the amount that you would have given to those ransomware attackers to improve your defenses instead?
How to Prevent Ransomware in Your Organization
Ransomware disasters can, fortunately, be avoided. As you’ve probably noticed from the ransomware incidents I’ve listed, the favored targets seem to be government entities that run outdated IT systems and don’t always follow cybersecurity best practices.
Here is how you can stop ransomware from infecting your organization:
#1. Back up your data
I can’t stress this enough. The first and most important thing you can do is keep copies of your data stored somewhere safe, where they won’t get infected as well. What’s more, make sure that your backup system actually works and test it frequently.
#2. Watch out for excessive admin rights inside your organization
Sometimes, a ransomware infection turns out to be the result of abused privileged accounts (malware propagation is often linked to compromised credentials belonging to admin accounts).
So, be certain that your organization runs on the principle of least privilege and the Zero Trust model. In short, be careful whom you grant admin rights to within your organization. A tool such as Thor AdminPrivilege™ can help you easily escalate and de-escalate privileges, and when it is used in tandem with our other security solutions, you will get notified when threats are discovered and, more than that, admin rights will be automatically de-escalated on your compromised accounts.
#3. Use security tools specifically designed to stop ransomware
For instance, a product like Thor Foresight Enterprise is properly equipped to protect your organization against ransomware. First of all, it instantly blocks incoming attacks (for example, those associated with malicious URLs) and secondly, it contains a patch management tool created to help you close the vulnerabilities related to outdated systems and software.
#4. Train your users
Last, but not least, your users should be able to recognize the signs of cyberattacks. I often hear of IT admins struggling with compromised accounts and malware infections that happen because users keep clicking on phishing links and following the instructions (for example, submitting their login credentials).
All in all, 2019 has shown us that ransomware is still a lucrative business for cybercriminals. The organizations that choose to pay the ransom only worsen the situation, raising the expectations of future ransomware attackers. So, the bottom line is this: if you are ever faced with this tough decision – to pay or not to pay – think about what paying actually means.
Are you in favor of paying the ransom? Let me know your thoughts in the comments section below.