Computer hack cost Pennsylvania's Senate Democrats $700,000; others pay less-costly ransoms

Deb Erdley
Saturday, Sept. 22, 2018, 11:33 p.m.
A worker is surrounded by computer monitors in the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va., Wednesday, Aug. 22, 2018. The center serves as the hub for the federal government’s cyber situational awareness, incident response, and management center for any malicious cyber activity.

Pay now, or pay later.

Leaders of the Pennsylvania Senate Democratic Caucus faced those options when hackers infected their computer system in March 2017, holding it hostage with ransomware.

Officials at the Westmoreland County Housing Authority faced the same dilemma when hackers held their computers and phones hostage in July. The Housing Authority paid a ransom of $6,500 through a single Bitcoin, a digital currency that allows users to exchange money anonymously over the internet.

Senate Democrats balked at a demand for 28 Bitcoin — valued at just over $30,000 when the lockout began — and adhered to the FBI’s advice against paying ransom.

Instead, state records released to the Tribune-Review through a Right-to-Know request revealed taxpayers underwrote the $703,697 Microsoft charged to rebuild and enhance the system.

Thousands of public sector agencies and businesses face similar dilemmas every day, said Chris Duvall, a senior director with the Chertoff Group, a global security and risk management firm. Quoting the U.S. Department of Homeland Security, Duvall said an average of more than 4,000 ransomware attacks occur every day — or about 1.5 every minute.

Ransomware is software hackers send out to infiltrate computer systems. The software takes control of computers and systems when it finds a vulnerable entry point. Users are left to decide to pay ransom for an encryption key or rebuild a system and attempt to recover records.

Recent victims of ransomware attacks include a Buffalo, N.Y., hospital; the city of Atlanta; and the Professional Golfers’ Association of America, which was attacked last month.

The Erie County Medical Center in Buffalo paid $10 million to recover its 6,000 computers and system instead of paying a $30,000 ransom to hackers. Atlanta officials made a similar decision not to pay and so far have paid $6 million with another $11 million in potential costs.

Even law enforcement agencies have found themselves locked out of their computers and forced to deal with online extortionists. The Allegheny County District Attorney’s Office paid a ransom of $1,400 in bitcoin in late 2016.

Vyas Sekar, a professor of electrical and computer engineering at Carnegie Mellon University’s CyLab, said there are two ways to look at such dilemmas.

“There is a possibility that paying the ransom is the cheaper option, but the FBI says it sets a bad precedent for future incidents and you are more likely to be attacked again. And if you already have a ransomware strategy and recovery mechanism in place, the cost of repair might not be that high,” Sekar said.

Businessman Dan Wukich, who chairs the Westmoreland County Housing Authority, said officials there made the right choice when they agreed to pay ransom.

“It was a bargain,” Wukich said.

But it doesn’t always work out that way.

“When we advise our clients, we recommend seriously considering not paying the ransom, but we also say it is up to key leaders to do cost-benefit analysis,” Duvall said. “If you do get your key back, it may not mean they’re out of the system. That may have just been one prong of the attack. And you can pay and not get your key back. And we’re seeing that happen more and more.”

Although some ransomware attacks are perpetrated by lone hackers, experts say others are launched as attacks by hostile states dabbling in cyber warfare or sophisticated crime syndicates that operate like businesses.

Sen. Jay Costa, leader of the Pennsylvania Senate Democratic Caucus, said officials in Harrisburg still don’t know who hacked their system.

“And we were instructed not to speculate,” he said.

Duvall said NotPetya, a global cyber attack authorities believe Russia launched against Ukraine, eventually knocked out transportation, health care, shipping and public-sector computers in Europe and the United Kingdom.

When system owners paid up, some got their computers back. “But a good portion did not,” Duvall said. “(The hackers) weren’t interested in the money, but in the destructive capacity of the software.”

Sekar said the takeaway from such attacks is the scope of the vulnerabilities out there and the need for constant vigilance.

“You need to want to have best practices and strategies in place to deal with these things. People should not have their machines exposed on the internet. The second is you should probably have recovery systems and backups in place. Make it part of your DNA to say, ‘I’m going to back up things every day.’ And if the backup is not connected (to the internet), your recovery costs will be a lot lower,” Sekar said.

Costa declined to say exactly what Microsoft did to rebuild the caucus computer system and put safeguards in place. Part of the work referenced in the repair contract was planned maintenance, he said.

Nonetheless, the attack was a wake-up call, a lesson learned for the Pennsylvania General Assembly.

“The other caucuses and administration were keenly aware of our situation and took steps to address their own cybersecurity,” Costa said. “Through the process, we shared the details of our experience to assist them in enhancing their own security measures.”

Deb Erdley is a Tribune-Review staff writer. You can contact Deb at 412-320-7996, derdley@tribweb.com or via Twitter @deberdley_trib.
