• The City of Johannesburg's electricity company says it is restoring its systems after an attack that encrypted critical data.
• Such ransomware attacks are on the rise – and some victims end up paying their attackers to get critical systems up and running again.
• Cities seem to be particular targets for ransomware right now.

As of Thursday morning CityPower, the City of Johannesburg's electricity company, was partially paralysed by what it described as a ransomware attack and also referred to as a virus.

The organisation said it was recovering its systems, and hoped to be offering critical services such as pre-paid electricity recharges again soon.

But that appeared to be an optimistic timeframe for an attack that, depending on its type and severity, could take weeks or months to undo – with costs so high that some victims prefer to pay the ransom instead.


Ransomware depends on gaining sufficiently high-level access to systems, often the databases that underpin software and services, to encrypt them. That effectively turns the information into gibberish intelligible only to those with the right encryption key.

Attackers then offer to sell that key to the victim, allowing for the swift reversal of the damage.

The alternative is a painstaking recovery of data from backups, assuming those are current and unaffected, often using emergency systems built to ensure business continuity in the event of a disaster such as a major fire.

Recently cities in particular have had to test those recovery systems.

In the United States at least 22 public-sector institutions, often at city level, have seen ransomware attacks so far in 2019, including a number of police forces.

Some of those did not pay their attackers – but that was not necessarily good news for residents.

In March 2018 attackers demanded a ransom worth about $51,000 from the city of Atlanta to restore its data. The city refused to pay. Its subsequent costs could have been as much as $17 million, the equivalent of more than R220 million, all of it funded by residents, although some of that total was spent in preparation for warding off future attacks.

In May this year the city of Baltimore was hit by a demand for around $76,000 to be paid in bitcoin. It refused to pay. The city later estimated it would cost more than $18 million, or well over a quarter of a billion rand, to recover.

Others just pay up.

In June Lake City in Florida indirectly paid 42 bitcoin, then worth around R6 million, to its attackers. The payment, and decision to pay, actually came from the city's insurers after a cost analysis. City taxpayers were on the hook for only $10,000 under the terms of its insurance.

Another Florida city, Riviera Beach, agreed to pay the equivalent of around R8 million in a similar attack. It expected to recover much of that payment via insurance.

In some cases even law-enforcement agencies advise victims to pay up, the FBI revealed in 2015 – despite officially not being in support of paying.

"The amount of money made by these criminals is enormous and that's because the overwhelming majority of institutions just pay the ransom," said FBI agent Joseph Bonavolonta of that agency's cyber and counterintelligence unit at the time. 

Technology security providers, on the other hand, are typically opposed to paying ransoms, sometimes militantly so. Security company Kaspersky, for instance, points out that there is no guarantee that criminals will honour their promises once payment is made – while payment also funds future crimes. 

Just weeks ago a group of 225 American mayors signed a pledge not to pay ransomware demands in future, saying they had to stand firm collectively to guard against future attacks.

But that is far from a universal approach, with the likes of analysis company Forrester recommending at least recognising "paying the ransom as a valid recovery path that should be explored in parallel with other recovery efforts to ensure that you’re making the best decision for your organisation".
