Colorado City Forced To Pay $45,000 Ransom To Decrypt Files
A city in Colorado, USA, has been forced to pay $45,000 after the City’s devices were encrypted in July, and they were unable to restore necessary files from backup.
On July 27th, the City of Lafayette suffered a ransomware attack that impacted their phone services, email, and online payment reservation systems.
At the time, the City had not explained what was causing the outage but stated that residents should use 911 or an alternate number for emergency services.
Over a week later, the City announced that they were victims of a ransomware attack that encrypted their devices and data, and took down their systems.
While financial data was recoverable from backups, after weighing the costs, the City decided to pay a $45,000 ransom to an unknown ransomware operation to receive a decryption tool to recover other encrypted files.
“After a thorough examination of the situation and cost scenarios, and considering the potential for lengthy inconvenient service outages for residents, we determined that obtaining the decryption tool far outweighed the cost and time to rebuild data and systems,” City of Lafayette Mayor Jamie Harkins stated in a video (https://www.youtube.com/embed/dcFujPYMJF4).
The City does not believe any data was stolen and says credit card info was not stored on their servers. To be safe, they advise residents and employees to monitor their accounts for suspicious activity.
“Financial data appears to be recoverable from unaffected backups. Personal credit card information was not compromised, as the City uses external PCI-certified payment gateways. There is no evidence to suggest personal data was compromised, but out of an abundance of caution, residents and employees are advised to be vigilant to monitor accounts for suspicious activity. The City will be sending a security breach notification to individuals who have personal information residing on the City’s network,” the City stated in an announcement.
Harkins explains in the video that the City did not disclose the attack sooner out of concern it would affect their negotiations with the ransomware operators.
The City of Lafayette got lucky
While it is unknown which ransomware operation attacked the city, one thing is for sure: they got lucky with such a low ransom demand.
BleepingComputer monitors ransomware activity, and most of the active enterprise-targeting operations demand hundreds of thousands, if not millions, of dollars for a decryptor.
If they had been hit by one of the larger operations such as Maze, REvil, LockBit, Doppel, or Clop, it might not have been possible to pay the ransom without significant financial loss.
Furthermore, these larger operations tend to steal unencrypted files before performing attacks and then publish them on data leak sites if not paid.
This public posting would have led to severe consequences for the City, its residents, and employees, as data published by ransomware operators is commonly monitored by other threat actors who then use it in phishing campaigns or other attacks.