Mar 09 2020

New York May Ban Ransomware Payments from Municipalities

Bills proposed in the state’s legislature would prohibit local governments from complying with hackers’ demands for payments.

Ransomware is not a novel threat, but New York state lawmakers are developing a new approach to combating the cyberattacks: banning payments by local governments in exchange for the return of their encrypted data.

On Jan. 14, state Sen. Phil Boyle, a Republican, proposed bill S7246; two days later, state Sen. David Carlucci, a Democrat, proposed bill S7289. The bills have similar texts, but it is unclear if or when either may become law.

Under S7246, state and local taxpayer funds would no longer be used to pay ransoms for ransomware attacks after Jan. 1, 2022. That bill would also create the Cyber Security Enhancement Fund, which would distribute grants and financial assistance to upgrade the cybersecurity of villages, towns and cities with a population of 1 million or less. 

“A small investment in local government cyber security now, can help stop cyber-criminals from profiting on the backs of New York State taxpayers and protect important state and local government services from disruption,” reads the bill. “To incentivize these upgrades, the bill will prevent state and local governments from paying ransoms for ransomware attacks after January 1, 2022 by which time they should be able to sufficiently upgrade their cyber-security systems.”

Debate Over Whether to Pay After Ransomware Attacks

The two bills come after some high-profile ransomware attacks in the state over the past two years, including against the Monroe-Woodbury Central School District and libraries across Onondaga County. On Christmas Day 2019, the Albany International Airport was targeted by a cyberattack, rendering the airport inoperable, Carlucci notes in his bill. 

“Those responsible for the attack demanded a ransom in exchange for the return of data and restoration of the airport’s systems,” the bill notes. “In desperation, Albany International Airport complied, paying an undisclosed amount reported to be under $100,000.” 

Carlucci’s bill argues that “when municipal corporations and government agencies comply with these ransoms, they incentivize” cyberattackers who aim to make a quick profit. Prohibiting municipalities from complying with ransom requests “will remove this incentive and safeguard taxpayer dollars,” the bill states. 

As ZDNet reports, “this is the first time that state authorities have proposed a law that explicitly forbids paying the ransom following a ransomware attack.”

According to a December 2019 survey from Panda Security, 86 percent of Americans believe their local government should not pay the ransom on a ransomware attack. The survey, which was conducted using Google Consumer Surveys, had a sample of 1,000 respondents in the United States and ran in November 2019.


Cybersecurity firm Recorded Future found that while ransomware attacks against governments have been on the rise, the vast majority of governments aren’t paying the ransom. The firm’s analysis showed only 17.1 percent of state and local government entities paid the ransom, and 70.4 percent confirmed that they didn’t pay the ransom. 

Bill Siegel, CEO and co-founder of Coveware, a cybersecurity company that helps victims recover from ransomware attacks and has helped entities negotiate payments, tells ZDNet that he does not think the legislation “will staunch attacks on NY based municipal organizations in the short term, it may even increase them as ransomware distributors may try to test the resolve of these organizations.”

“If a state were to pass a bill making payment of ransoms unlawful, then two large issues should be heavily considered,” Siegel tells ZDNet.

First, lawmakers should consider what would happen if a municipal hospital were attacked and whether downtime would cause loss of life that could have been prevented if a payment had been made. Secondly, lawmakers need to consider whether municipalities have enough staff and budget for adequate disaster recovery plans, backup systems and security programs “to effectively repel and recover from an attack without creating material interruption to civic operations.”

For many public sector organizations eager to restore services back to citizens and continue mission-critical work, paying the ransom may seem like the best option. For example, Jackson County, Ga., gave in to its attacker’s demands for $400,000 for decryption keys in March 2018. 

Leaders in Lake City, Fla., opted to let an insurer pay a $460,000 ransom on the city’s behalf. The insurance company argued that paying up would save both the city and its insurer hundreds of thousands of dollars, if not millions, in downtime costs. 

However, if New York lawmakers are able to pass the new bills, municipalities will not be able to tap taxpayer funds to bail them out of ransomware attacks.
