Because I live in the state and Balto is influential for many reasons I've been following this rather closely. The most recent report details the cost for remediation so far, $17M, and that the hackers originally requested, $76K.
I would suspect that the REAL cost to Balto is much higher than that. If you add in all of the residual interest Balto will have to pay on late payments, missing revenue because it can't be billed/processed/etc., I think the costs would be much higher.
Do you think their new CIO (and if the current/former one is still there, WHY?) is ferociously working to put better practices in place?
I know there are those that adamantly oppose giving in to the demands of the hackers. Would you have paid the ransom?
The city's information security manager requested funds last year for an insurance policy that would cover this type of attack. The budget did not allocate funds for that or other investments that were part of the strategic plan to revamp the city's IT. Their current CIO has been there since 2017 and was the fifth one in five years when he was hired. He was trying to get the city to increase spending on IT, which was about half of what other similar cities spent, and he was trying to centralize IT because most of the IT budget was decentralized into other departments' budgets.
I think it's hard to blame the CIO here; it's the politicians that control the money that need to shoulder the blame. They have been warned repeatedly about the city's precarious IT position and advised on how to improve it, but they didn't bother to do so. They literally just had the 911 system shut down by a ransomware attack in 2018, so having this happen again in such a short time span without taking any real steps to mitigate the risk is especially egregious.
If you pay a ransom or bribe, others will just ask for ever-increasing amounts. You just can't justify that financially, ethically or, in this case, politically.
Been there in the public sector with ransomware. We isolated it to a set of VMs, shut them down, created a jump box in the relevant section of the network and kicked off the scripts to rebuild them from clean offline images. Checked our AV coverage and patching, restored some data and blocked internet access to the source of infection. Took about 8 hours. But the response only worked because we'd eschewed outsourcing and big players, grown the IT team in house from raw recruits, invested in modern IT and had very little legacy. If you have poor IT hygiene you're so much more likely to face this dilemma. Consequences are foreseeable. IT isn't plant and machinery that can be neglected but still function, because it's a constant target of attack. If the politicians provide no money for essential maintenance then it's pretty obvious they shoulder the lion's share of the blame.
Great points about not paying the ransom. The other thing about paying is, based on the conversations I've had with people who have paid, you probably only have about a 50/50 chance of getting anything back when you pay. Some people pay and they can decrypt everything; others pay and never actually get a tool to decrypt, or they get something that doesn't work; and some fall in the middle of the two extremes, where they are able to decrypt some things but it doesn't work on others.