Watch CBS News

FBI Says Ransomware Victims Shouldn't Pay, Instead Protect Their Systems

BALTIMORE (WJZ) -- The computer systems at more than a half dozen cities and public services across the country have been hit by ransomware this year. Baltimore is one of them.

That attack could end up costing the city more than $18 million.

WJZ wanted to learn more about who these attackers are and what can be done to stop them.

It was May 7 when city workers computer screens suddenly locked.

A message appeared: "We've been watching you for days. We won't talk more. All we know is money! Hurry up!"

Cybercriminals demand $100,000 in bitcoin, a cryptocurrency that is difficult to trace.

"This is something that has never happened to the city of Baltimore before," Baltimore Mayor Jack Young said at a press conference in May.

The city decided not to pay the ransom.

"Why pay them? Don't pay for them. Maybe they go away," Young told WJZ's Denise Koch on Wednesday. "If we paid there was no guarantee that we were gonna get the keys to all of our system."

But by not paying-- the city's credit card payment system was knocked offline --  speeding, parking tickets, property taxes, water bills all affected.

People had to wait in lines for hours to make simple transactions.


Denise Koch: Is it your experience that people are paying these ransoms?

"We certainly encourage people not to pay. I think if victims are paying then it simply adds fuel to the fire. It encourages further victimization," said Asst. Special Agent Nickolas Savage with the FBI's Cyber and Counterterrorism division.

Savage said Baltimore city did exactly what the FBI advises.

"There are no guarantees that say that if you do pay that the individual -- that has control over your files -- will, in fact, give you the keys to get them back," he said.

Denise: Who is being targeted in your experience?

"Everyone. Everyone is being targeted. Cities, states, again various businesses, government agencies. Everyone is a target," Savage said.

In fact, one study shows at least 170 counties, city or state government systems have been attacked since 2013 including Atlanta, Dallas, Albany, Newark and, just this past month at least three more cities in Florida.

"These guys are more sophisticated and more advanced than we ever can imagine," Mayor Young said.

They're everywhere. The 10 most wanted cybercriminals are located all over the world and the FBI reports several hundred thousand probes or malware attempts every single day -- almost all through phishing.

"They can send, they can send a message like it's coming from me and someone can open up that message and it's spyware," Young said.

Catching the cybercriminals is the FBI's job. The focus for cities like Baltimore has to be on backing up their systems and patching -- or installing patches -- that protect against the malware.

"I kinda look at it, if you're not patching your system it's like leaving your house every day," Savage said. "It's like not leaving your door unlocked. It's like leaving your door wide open."

"As we move forward we're gonna put stuff up in the cloud and we're also gonna figure out how we can strengthen our infrastructure because it's outdated and old," Young said.

"I think if you are backing your systems up, storing them off-line I think it gives you a much easier ability to reconstitute a network," Savage added.

The city and, really, every institution needs to educate its workforce. Preventative measures in a world where it's clear. This problem is not going away.

Denise: This the challenge of the future for your bureau?

"It's the challenge of today. Not even the future. It's here today." Savage said.

Some cities are purchasing insurance in case of a ransomware attack. Mayor Young said he's seriously considering insurance.

As WJZ reported, he recently got a resolution passed at the conference of mayors that no city will pay in a ransomware attack.

View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.