New York State wants Government Departments to Prohibit Paying Ransomware

Ransomware

The New York Senate bill will create a cyber security fund that would minimize the use of government money to pay ransoms.

Two lawmakers in New York last week have introduced two measures banning local municipalities and other governmental bodies from using taxpayers ‘ money to pay ransomware demands.

On 14 January, Gop NY Senator Phil Boyle introduced the first measure (S7246). Three days later, on 16 January, Republican New York Senator David Carlucci sponsored the second bill (S7289).

All proposals are under consideration in committee and the decision on the Senate floor remains uncertain.

S7246 and S7289 are both similarly published. The only difference between the two is that S7246 is also recommending a state fund to strengthen the cyber-safety policy in local municipalities.

“The Cyber Security Enhancement Fund that will make available grants and financial assistance to villages, towns, and cities with a population of one million or less for the purpose of upgrading the cyber security of their local government,” the text of the S746 bill reads.

In the USA, this is the first time that state authorities have come up with a legislation which explicitly prohibits the payment of compensation after a ransomware attack.

In July, the United States Conference of Mayors overwhelmingly adopted a resolution not to pay ransom requests to criminals during ransomware attacks, but this was just a non-formal and pointless gesture.

“We are supportive of this legislation as it creates a debate and raises awareness to this problem,” said Bill Siegel, CEO and co-founder of Coverware, a cyber security company helping victims recover from ransomware attacks and sometimes negotiating payments on their behalf.

“I do not think it will staunch attacks on NY based municipal organizations in the short term, it may even increase them as ransomware distributors may try to test the resolve of these organizations,” Siegel told.

“If a state where to pass a bill making payment of ransoms uwful, then two large issues should be heavily considered.

1) What happens if a NY based municipal hospital is attacked, and the downtime causes the loss of life that could have been avoided if they were allowed to pay?

2) Are the state’s municipal organizations adequately staffed and budgeted with DR [disaster recovery] plans, backup systems, and security programs to effectively repel and recover from an attack without creating material interruption to civic operations?,” Siegel added.

The NY Senator Boyle staff was not available for comment. Before the release of this post, the NY Senator Carlucci office did not return a request for comment.

The CEO of Coveware said that he could not reveal that his firm had supported some state government agencies in New York because of confidentiality agreements.

Siegel noted, however, that local entities in the majority of US states benefited from ransomware assaults.

“On a quarterly basis, they are generally about 10% of the cases we handle,” he said.

According to Emsisoft antivirus provider, 113 US municipalities and local entities became ransomware struck in 2019. Although we do not have exact numbers for the state of New York, many large ransomware attacks have been identified in New York last year and by 2020.

In April 2019, ransomware hit the city of Albany network. The city decided to spend $300,000 on upgrading the whole IT network, instead of paying the bill.

In July 2019, libraries throughout Onondaga County had to shut down a malware attack of their computer network. The district of Watertown School hit the same month.

Throughout September 2019, the school district of Monroe-Woodbury postponed the beginning of the academic year due to a malware attack.

During Christmas 2019, ransomware infected Albany County Airport Authority’s network, which opted to pay for a ransom demand, described as “under six figures.” Ransomware also hit the city of Colonie in early 2020, however, authorities were prepared to make a cyber attack.

 

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.