City approves massive ransom payment to cybercriminals
The city leaders never mentioned the actual dollar amount of the ransom, which probably would have shocked local residents.
Instead, the officials in the Florida beach town talked about the hacker's ransom in cryptocurrency numbers, which sounded much less dramatic.
Riviera Beach City Manager Deirdre Jacobs put it like this:
"The City Council is being asked to discuss and decide whether to authorize the city's insurance carrier to pay a ransom amount of approximately 65 bitcoins, a cryptocurrency whose value changes daily. To recover the city's data which has been encrypted. Payment of the ransom would provide a mechanism to the city to retrieve all of the city's files and data which have been encrypted. And hopefully return the city's computer network to being fully operational."
There was no discussion, only a unanimous 5-0 vote to pay hackers for a set of digital decryption keys to "hopefully" unlock the city's data.
Insurer negotiates, pays most of ransom
Those 65 Bitcoin were worth about $592,000 at the time the ransom was authorized by the city.
According to the Palm Beach Post, the city's insurer actually negotiated the payment with hackers. And insurance will pick up that entire amount except for a $25,000 deductible the city will pay from its budget.
This reminds me of a ransomware panel I moderated at a SecureWorld cybersecurity conference this year. One of the panelists predicted the next big ransomware "boom" would be fueled by insurers who view paying the ransom as the cheapest way to remediate a ransomware attack.
It's easy to see why when you look at the millions spent by Baltimore, Atlanta, and other municipalities and organizations after refusing to pay the ransom.
It's kind of like settling a case out of court, instead of taking a chance on a jury trial. The first option is both faster and cheaper.
Florida ransomware attack details
The ransomware attack hit Riviera Beach City systems during the last few days of May 2019, after an employee clicked on a link in a phishing email.
The attack encrypted city data and took most of the city systems offline. Cops started writing paper tickets, and 9-1-1 was impacted, as were the city's email, check payment, and direct deposit services, and even SCADA (industrial control) systems related to the city's water pump systems.
At the City Council meeting where the ransomware payment was authorized, the City's Interim IT Manager reported that most of these systems are at least partially back online.
But the data remained locked up.
The City Manager also introduced a new "Interim Chief Information Officer" to the Council.
Amazingly, there was no public comment and no questions about sending a ransom to hackers.
After all, 65 Bitcoin doesn't sound too dramatic unless you know what each one is actually worth. And besides, we're insured.
What do you think: has your view on paying a hacker's ransom shifted? Has the time come to view this as the cost of doing business?