City of Tulsa won’t pay ransomware demand

G.T. Bynum, Mayor of Tulsa, Oklahoma, says the city has not paid a ransomware demand and is focused on restoring systems following the cyber-attack which was discovered earlier this month.

He revealed that the city knows who is responsible for the attack and they are under federal investigation.

Michael Dellinger, Chief Information Officer, City of Tulsa, said his team received notice on May 6 that some servers were actively communicating with a known threat site and a ransomware attack was launched on several city systems. A cybersecurity incident response team began isolating the affected systems but the attack moved quickly through the network, prompting the team to shut down all services to halt it.

Business recovery teams have prioritised restoration, starting with critical resources and essential functions, including public-facing systems such as electronic billing, and internal communications and network access functions. They are checking “every system, every server, every computer, every endpoint” for damage to ensure the network is clean before it is relaunched.

Some systems are expected to be restored over the coming days and weeks, but others will likely take longer and manual systems are being used. The mayor said this is the “trade-off” for refusing to pay ransom and “not rewarding victimisation”.

Dellinger explained: “We have 64 priority systems with multiple servers that are components of each of those systems. The city has a vast network spanning multiple locations and this process has been slow-moving. It is essential for this to be done right before we bring the systems back online.”

Atlanta attack

The cyber-attackers sent a ransom note asking the city to make contact and threatening to announce the hack publicly unless payment was made.

“We made no contact with them whatsoever and did their job for them by announcing it on our own. And we’re not going to pay any ransom,” Bynum said.

He said the city took action to bolster its cybersecurity systems after Atlanta suffered a ransomware attack in 2018. This included investing in expertise, outside support, and infrastructure.

Layered security is key, Dellinger said, noting that the city has several layers of security in place for detecting and preventing threats and that additional layers have been added over time.

“Every threat you get exposure to you learn, you’re able to adjust your defences,” he commented.

According to the Mayor: “The citizens of Tulsa invested in the cybersecurity infrastructure that allowed us to detect this, isolate it and shut our networks down in a way where we don’t have to pay ransom. Most cities that this happens to, they find out when their network gets locked down and the ransom note arrives.”

However, he added: “Those investments were good enough to save us this time but they might not be in the future. You always have to be thinking about how to stay ahead of the cyber terrorists, and make sure that you’re making the necessary investments to protect your digital infrastructure and data.”

Exactly how the attacker infiltrated the city’s system is still being investigated. Dellinger said the attack was similar in type to that which shut down the Colonial Pipeline for days earlier this month. Colonial Pipeline paid a US$4.4 million ransom, saying this was a difficult decision but: “Tens of millions of Americans rely on Colonial: hospitals, emergency medical services, law enforcement agencies, fire departments, airports, truck drivers and the travelling public.”

Municipalities have also paid ransomware hackers, including Riviera Beach in Florida which stumped up US$600,000 in 2019.

This highlights the dilemma organisations face as ransomware attacks proliferate. Hackers often purposely keep the ransom demands lower than the costs of recovering systems. The City of Baltimore, for instance, refused a US$76,000 ransom demand, only to suffer over US$18 million in recovery costs and lost revenues.

Still, many law enforcement agencies urge victims not to give in to ransom demands and some states could ban local and state governments from paying hackers.

Dellinger said that in time, Tulsa will share the lessons learned from the attack with CIOs across the US.