author photo
By Clare O’Gara
Tue | Aug 11, 2020 | 8:04 AM PDT

One Colorado city's response to a ransomware attack caused us to ask a serious question: how much taxpayer money is being handed over to cybercriminals in the form of ransom?

Let's explore this topic further.

Ransomware attack on Colorado city

In late July 2020, staff members for Lafayette, Colorado, detected a ransomware infection that disabled network services and affected city emails, phones, online payments, and reservation systems.

The city's mayor explains how the attack was uncovered:

"In the early morning hours of July 27, a ransomware cyberattack on the City's computer system disabled network services resulting in disruptions to phone service, email, and online payment and reservation systems... staff detected the infection and ransom notification at approximately 6:50 am and disabled all network connections to contain the malware spread."

The story garnered local coverage and offered insights on possible attack vectors:

"According to the city, a preliminary investigation shows the ransomware entered the city's network through a phishing scam or brute force, and looks like a random attack."

City decides to use taxpayer money to pay hacker's demand

The ransomware operators demanded $45,000 in ransom, and the city decided to pay it. Mayor Jamie Harkins explains why:

"The City was coerced into paying a $45,000 ransom to retrieve a 'key' to unlock encrypted data. Ransom payment was not the direction the City wanted to go, and pursued all avenues to find alternative solutions. 

In a cost/benefit scenario of rebuilding the City's data versus paying the ransom, the ransom option far outweighed attempting to rebuild. The inconvenience of a lengthy service outage for residents was also taken into consideration."

Harkins also described the incident, and the decision to use taxpayer money for the ransom, in this video:

When taxpayer money goes to hackers

In a world where a $45,000 ransomware payment seems small compared to what local governments and agencies face in ransomware attacks, the situation in Lafayette begs a serious question: how much taxpayer money, across the U.S. and Canada, is going to hackers?

We don't know for sure, but it's clearly adding up.

Just look at Florida. The state has faced multiple city ransomware attacks recently, and the payments are staggering. SecureWorld covered two attacks worth about $1 million in ransom payments:

"Lake City just revealed that its email and telephone systems have been out of commission due to a malware attack—for the last two weeks.

It is the victim of a 'triple threat' cyber attack, and the hackers requested a 42 Bitcoin ransom. Lake City paid a pretty digital penny to unlock its systems, but some Florida cities have paid even more.

Take Riviera Beach City. When it was targeted by cybercriminals, the hackers demanded 65 Bitcoins, which was about $592,000 at the time."

In these Florida cases, most of each ransom demand was paid by cyber insurance. But in the end, six-figures of taxpayer money was handed over to cybercriminals between just these two incidents.

And it seems we hear about attacks weekly where taxpayers are footing the bill, in a sizable transfer of wealth from state or local coffers to criminals.

The hackers that attacked the City of Lafayette have surely moved on to their next municipal target, leaving the city to continue restoring its services with $45,000 less to spend on other priorities.