Meeting in Hawaii at the end of June, 1,400 mayors, representing just about every US municipality with a population of 30,000 or more, voted unanimously to refuse to pay ransoms to unlock IT systems encrypted in a ransomware attack.
The resolution clearly reflects a number of truths: firstly, that payment does not guarantee the encrypted files will eventually be made accessible; secondly, that paying simply encourages and emboldens the 'bad dudes'; and thirdly, that the FBI strongly recommends against paying.
WHEREAS, targeted ransomware attacks on local US government entities are on the rise; and
WHEREAS, at least 170 county, city, or state government systems have experienced a ransomware attack since 2013; and
WHEREAS, 22 of those attacks have occurred in 2019 alone, including the cities of Baltimore and Albany and the counties of Fisher, Texas and Genesee, Michigan; and
WHEREAS, ransomware attacks can cost localities millions of dollars and lead to months of work to repair disrupted technology systems and files; and
WHEREAS, paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit; and
WHEREAS, the United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm,
NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.
In recent months Florida's Riviera Beach, Key Biscayne and Lake City, along with the City of Baltimore and many others, have been attacked. Riviera Beach and Lake City have paid: 65 bitcoins (approximately US$600,000) by Riviera Beach and 43 bitcoins (US$460,000) by Lake City.
Lake City has received decryption keys but has made very slow progress, and its IT team seems very uncertain as to whether it will eventually be successful. In the aftermath, the technology director was blamed both for failing to properly secure the city's IT systems and for the slowness of the recovery effort. He has lost his job.
Baltimore refused to pay 13 bitcoins (US$76,300 at the time) and the attack has thus far cost the city around US$18 million in recovery efforts and new equipment.
"Paying ransoms only gives incentive for more people to engage in this type of illegal behaviour," said Bernard Young, the Baltimore mayor who proposed the conference resolution. Las Vegas mayor Carolyn Goodman was the co-sponsor.
The resolution is non-binding – every city has the right to conduct its affairs as it sees fit.