Does your municipality plan to pay a Ransomware ransom? States are starting to say “No”
By KEVIN HOWARTH
VC3 Communications Manager
When municipalities get caught off guard by a ransomware attack, they sometimes see paying the ransom as a way out. It’s not a pretty option, but it’s (supposedly) a way to get your data back in a worst-case situation.
However, cybersecurity experts and law enforcement officials have warned for years that paying a ransom is not the right decision for many reasons:
- 92% of impacted organizations don’t get all their data back.
- 29% of impacted organizations cannot get more than half their data back. Of those organizations that pay a ransom, 80% get hit again.
- Cybercriminals may still be inside your systems after you pay.
- You are keeping cybercriminals in business and validating their business model.
- You may be funding terrorism, sex trafficking, drug trading, and other illicit activities.
- You are saying “Target me again!”
For those and many other reasons, municipalities should not pay a ransom. Yet, they do.
To stop these payments from happening, states are seeking to deter municipalities.
- North Carolina: On April 5, 2022, North Carolina passed a law prohibiting municipalities from paying a ransom related to a ransomware attack and even communicating with any cybercriminals instigating the ransomware attack.
- Florida: HB 7055 (passed by the House and Senate and likely to be signed into law by Gov. Ron DeSantis) also prohibits municipalities from paying a ransom.
- Pennsylvania: SB 726 passed the Senate but stalled in the House. This bill prohibits using taxpayer money to pay a ransom but makes an exception if the Governor declares a disaster emergency and deems paying a ransom to be necessary in that situation.
- New York: Senate Bill S6806A made it to committee in the Senate. Like the other bills, it prevents governmental entities (including municipalities) from paying a ransom related to a ransomware attack.
These are just a few examples of states that are aggressively pursuing laws, with bipartisan support, that prevent municipalities from paying ransoms. Similar to data breach notification legislation or data privacy laws, it just takes a few states to set the example before other states follow suit.
This is a good time to ask yourself, “Am I prepared for a ransomware attack without the option of paying a ransom?”
If you’re concerned about this trend and don’t like the idea of a ransom payment removed from your arsenal, consider once again the above facts and statistics while also taking the opportunity (especially with ARPA funds) to put a foundation in place that helps you deal effectively with a ransomware attack.
- Regularly patch your software.
- Update your operating system.
- Modernize your technology and get rid of legacy systems.
- Build a highly available data backup and disaster recovery solution.
- Monitor systems to proactively detect issues and contain damage.
- Separate critical systems from less critical systems.
- Never pay the ransomware ransom!
Visit www.vc3.com to learn more.