Delaware County is keeping all information about a recent ransomware attack close to the vest and is still refusing to confirm whether the ransom was paid in full despite media reports saying it was.
“Sources said the county is in the process of paying the $500,000 ransom as it’s insured for such attacks,” an early report from ABC 6 said.
Over the weekend, the technology website bleepingcomputer.com, also cited anonymous sources in confirming that the county paid the ransom.
Delaware Valley Journal presented the latest confirmation to the county, which responded: “The link to the information you are citing is not 100 percent factual.” They did not, however, contradict any specific detail.
Public relations director Adrienne Marofsky said the county would not be providing further comment because the matter was an ongoing criminal investigation.
“The County will provide more information when it is ready to be released,” said.
Marofsky did not answer questions about details regarding its insurance policy referenced in other reports, such as whether the policy would cover the full $500,000, and what the county’s deductible, if any, might be.
Hackers seized control of numerous computer networks in the county on Saturday, November 21. The following day, the county issued a press release that only generically described the extent of the attack.
“The County of Delaware recently discovered a disruption to portions of its computer network,” officials said in a release last Monday. “We commenced an immediate investigation that included taking certain systems offline and working with computer forensic specialists to determine the nature and scope of the event. We are working diligently to restore the functionality of our systems.”
Media reports have indicated portions of the county’s networks were taken offline, while documents like police reports and payroll databases might have been encrypted so employees were no longer able to access them.
Even if the county is insured, it has not come out of this unscathed, according to Sean Gallagher, a senior threat investigator for the cybersecurity firm Sophos.
“The way [ransomware] insurance works is the insurers will want the insured, the organization that is the victim, to pay the ransom because it is cheaper than the other alternative, which is to pay for complete remediation of their networks,” Gallagher told Delaware Valley Journal.
He said the insurance market for ransomware in particular is difficult to navigate because of so many unknowns.
“They’ll come in and look at it at a potential [customer] and look at the infrastructure, like what they have for security,” Gallagher said. “In some cases, they will require certain things to be put in place, but depending upon how good your defenses are, they may charge you less, but still, they’re making money off of this, even with [the customers] having to pay out large amounts of money.”
Gallagher also said organizations that are targeted by a ransomware attack are eager to pay the fee because the attacker will threaten to elevate the attacks and spread the damage if cooperation doesn’t come quickly.
He also said if the county paid a $500,000 ransom, that figure was almost certainly negotiated downwards by as much as a 50 percent.
Adding insult to injury, the county’s premiums for such insurance will likely go up soon, Gallagher said.
He pointed to a recent episode in his home city of Baltimore to show just how expensive a ransomware ordeal can be, with or without insurance.
In early 2019, Baltimore was hit with a massive ransomware attack, which the city refused to pay.
Although the requested ransom was only $76,000, the city spent millions in recovering old files as well as upgrading networks and threat detection monitoring. It later purchased $20 million in ransomware insurance. When it reupped the coverage in October of this year, the estimated combined premiums for another year’s worth of coverage was just shy of $1 million.
Baltimore’s episode is also instructive compared to Delaware County because it shows ransoms are continuing to rise, Gallagher noted.
Baltimore’s Mayor Bernard C. “Jack” Young later sponsored a resolution that was adopted by the U.S. Conference of Mayors which encourages cities to refuse to bow to the hacker’s demands.
“Paying ransoms only gives incentive for more people to engage in this type of illegal behavior,” Young said at the time of the resolution’s adoption in July of 2019.