Associate Director Michael Mullins comments on the recent news that the City of Lafayette, Colorado was hit by ransomware and chose to pay the attackers. As an experienced incident responder, Michael has seen his fair share of municipalities being targeted, as the type of data they hold in combination with often outdated IT systems makes them all the more vulnerable to attacks.
In recent news, the town of Lafayette, Colorado was the victim of a ransomware attack and faced a tough decision: to pay or not to pay the ransom. As the public backlash builds (“Why would you use taxpayer money!?” one commentator asked in a social media post), let us look into this a little deeper.
It turns out most municipalities in these circumstances do not have much of a choice. As is so often the case, things are quite a lot more complicated than they may seem from the outside. As a responder who has worked on ransom cases for several municipalities, including a few in Colorado (though not this incident), I can honestly say it is never an easy choice. To begin, we should try to understand how Lafayette may have gotten into this situation.
Based on my experience, I do not think that this attack can be categorized as “random”. At Kivu, we have noticed a major uptick in 2020 of attacks against critical infrastructure and municipalities in general. This incident may not be part of that trend, but as the investigation appears to be in its early stages and the responding firm has not been identified, data on this case remains limited for now. Regardless, a common thread between these attacks is weak IT security and infrastructure, which attackers know about and exploit to meet their ends.
Municipalities are famously run on thin budgets. Cost-cutting exercises often affect IT security, and, unfortunately, it is the citizens who ultimately pay for it – in both the figurative and the fiscal sense. Municipalities often shy away from costly security measures, expensive software updates, adequate IT staffing, or system auditing – measures that many larger companies would take, knowing the risk to their precious intellectual property. In this scenario, what is at stake is the citizens’ data – that is, your SSN, street address, legal name, tax filings, criminal records, financial aid programs, and city development plans. This has a profound impact on the citizens affiliated now, or at any point in the past, with the county, as their information could have been viewed or stolen. However, the cyber security firm handling this incident states that data was not taken, so we can all likely breathe a little easier.
That said, I would not breathe easier just yet if I were living in Lafayette. Attackers are becoming extraordinarily sophisticated, and they are working in teams. One will steal the credentials, another will infiltrate the network for reconnaissance, and then the ransom actors join the party. By the time the machines are encrypted, the network has often had uninvited guests on it for anywhere from weeks to several years. Groups working together, dividing and conquering and playing to each other’s strengths, have ushered in advanced TTPs (Tactics, Techniques and Procedures). Attackers use tools that exfiltrate data using an approach known as “low and slow”, which is very hard to detect while in progress, and then erase their tracks afterwards, leaving analysts with nothing more than a record of deleted logs. As an incident responder I am always a little dubious when I hear someone state with certainty that no data was exfiltrated – especially considering the above trend of hackers deleting all traces of the breach. With no threat actor named in this case and such a – comparatively – small ransom amount of $45,000 demanded for the data, it leaves many questions unanswered.
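Two of the behaviours described above, log clearing and “low and slow” exfiltration, leave traces a defender can look for even when the attacker has tidied up. The following is an added example, not code from the original post or from Kivu: it runs two checks over constructed sample data. The first flags Windows events that record an event log being cleared (Security event ID 1102 and System event ID 104, both standard Windows IDs). The second compares a naive per-day volume alert with a cumulative check that catches a host sending modest amounts to the same external address day after day. The host names, IP addresses (documentation ranges), thresholds and the flow-summary format are all assumptions made for the example.

```python
"""Added example: two detection checks for the behaviours described above.

Sample events and flow summaries below are constructed for illustration and
are not data from the Lafayette incident.
"""
import ipaddress
from collections import defaultdict

# Security event 1102 ("The audit log was cleared") and System event 104
# (a log file was cleared) are written when an event log is emptied.
# A cleared log is itself evidence: the clearing event usually survives
# in the new, empty log and in any forwarded copy.
LOG_CLEAR_EVENT_IDS = {1102, 104}

# Constructed sample events (assumed already parsed into dicts).
WINDOWS_EVENTS = [
    {"time": "2020-07-20T02:14:00", "host": "fin-srv01", "event_id": 4624, "msg": "An account was successfully logged on"},
    {"time": "2020-07-21T03:02:11", "host": "fin-srv01", "event_id": 1102, "msg": "The audit log was cleared"},
    {"time": "2020-07-21T03:02:15", "host": "fin-srv01", "event_id": 104, "msg": "The System log file was cleared"},
    {"time": "2020-07-21T09:00:00", "host": "ws-042", "event_id": 4624, "msg": "An account was successfully logged on"},
]

# Constructed per-day outbound summaries: (date, source host, destination IP, bytes sent).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as placeholders.
OUTBOUND_FLOWS = [
    ("2020-07-01", "ws-042", "203.0.113.25", 20_000_000),
    ("2020-07-02", "ws-042", "203.0.113.25", 22_000_000),
    ("2020-07-03", "ws-042", "203.0.113.25", 19_000_000),
    ("2020-07-04", "ws-042", "203.0.113.25", 21_000_000),
    ("2020-07-05", "ws-042", "203.0.113.25", 20_000_000),
    ("2020-07-06", "ws-042", "203.0.113.25", 18_000_000),
    ("2020-07-07", "ws-042", "203.0.113.25", 20_000_000),
    ("2020-07-03", "fin-srv01", "198.51.100.9", 500_000_000),  # one-off bulk upload
    ("2020-07-03", "ws-042", "10.0.0.5", 50_000_000),          # internal file server
    ("2020-07-03", "ws-017", "203.0.113.80", 5_000_000),       # single small transfer
]

# Assumed thresholds for the example; tune to the environment's own baseline.
PER_DAY_ALERT_BYTES = 100_000_000
CUMULATIVE_ALERT_BYTES = 100_000_000
MIN_DAYS = 5

# Assumed internal address space (RFC 1918). Checked explicitly rather than via
# ipaddress.is_private, which also treats the documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_log_clearing(events):
    """Return the events that record an event log being cleared."""
    return [e for e in events if e["event_id"] in LOG_CLEAR_EVENT_IDS]


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def bulk_transfers(flows, per_day_threshold=PER_DAY_ALERT_BYTES):
    """Naive volume alert: any single day at or above the threshold to an external host."""
    return [(d, h, dst, b) for d, h, dst, b in flows
            if is_external(dst) and b >= per_day_threshold]


def low_and_slow(flows, per_day_threshold=PER_DAY_ALERT_BYTES,
                 cumulative_threshold=CUMULATIVE_ALERT_BYTES, min_days=MIN_DAYS):
    """Flag (host, destination) pairs that never exceed the per-day threshold,
    so the naive alert stays silent, but persist for many days and add up past
    the cumulative threshold."""
    by_pair = defaultdict(lambda: {"days": set(), "total": 0, "max_day": 0})
    for date, host, dst, nbytes in flows:
        if not is_external(dst):
            continue
        rec = by_pair[(host, dst)]
        rec["days"].add(date)
        rec["total"] += nbytes
        rec["max_day"] = max(rec["max_day"], nbytes)
    findings = []
    for (host, dst), rec in sorted(by_pair.items()):
        if (len(rec["days"]) >= min_days
                and rec["max_day"] < per_day_threshold
                and rec["total"] >= cumulative_threshold):
            findings.append({"host": host, "dst": dst,
                             "days": len(rec["days"]), "total_bytes": rec["total"]})
    return findings


if __name__ == "__main__":
    for e in find_log_clearing(WINDOWS_EVENTS):
        print(f"log cleared on {e['host']} at {e['time']} (event {e['event_id']})")
    print("bulk transfers:", bulk_transfers(OUTBOUND_FLOWS))
    print("low and slow:", low_and_slow(OUTBOUND_FLOWS))
```

On the sample data the per-day check catches only the 500 MB one-off from fin-srv01, while the cumulative check surfaces ws-042 sending roughly 20 MB a day to the same external address for a week, 140 MB in total. The point for a responder is that “no evidence of exfiltration” depends on whether logs were retained off the compromised hosts and whether anyone was aggregating outbound volume over time, not on a single day's traffic looking unremarkable.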
The big names such as Maze, REvil and Ryuk rarely make demands of less than six digits and are just about guaranteed to take your data. However, smaller groups like those employing the Mamba and Snatch ransomware variants are known to make lower demands – but they often cause damage to the operating system with their less refined methods. Because Lafayette has systems that remain down (possibly due to lengthy decryption times, depending on the attacker, or due to damaged operating systems being restored), I currently lean towards the assumption of the attack coming from a smaller group.
All this, however, is speculation for now, as there is a lot more to be learned about this case, and perhaps the coming weeks will see the release of more details. Making a payment to a criminal organization may carry a moral hazard; however, in some circumstances, such as when a municipality does not have a viable backup, it may be the quickest way of ensuring a municipality like Lafayette can swiftly return to operational status. And during times such as these, when unemployment and disability claims are on the rise and vulnerable people are more in need of support than ever, it may well seem like a no-brainer to some cyber-attack victims. In the grand scheme of ransom incidents, the City of Lafayette appears to have gotten off easy. The hope is that the authorities learn from the incident and implement stronger security measures for the future.