Earlier this week, the city of Riviera Beach, Florida, faced a $600,000 demand from ransomware operators in order to regain access to the city’s data. The ransom was an order of magnitude larger than the ransom demanded by the attackers that struck Baltimore’s city government in May. Against the advice of the Federal Bureau of Investigation, however, the Riviera Beach city council voted to pay the ransom—more than $300,000 of it covered by the city’s insurance policy.
Baltimore had refused to pay $76,000 worth of Bitcoin despite facing an estimated ransomware cost of more than $18 million, of which $8 million was from lost or deferred revenue. Baltimore lacked cyber insurance to cover those costs.
Riviera Beach is much smaller than Baltimore—with an IT department of 10 people, according to the city’s most recent budget, and an annual budget of $2.5 million to support a total city government of 550 employees. (By comparison, Baltimore has about 50 IT staffers supporting more than 13,000 employees.) It’s not a surprise that Riviera Beach’s leadership decided to pay, given that a full incident response and recovery would have likely cost two to three times what they’ve agreed to pay the ransomware operators, and half of that price tag is covered by insurance. So, Riviera Beach’s decision to pay looks like the easiest way out. It’s a decision that has been made by many local governmental organizations and businesses alike over the past few years.