The Pennsylvania Senate Democratic Caucus paid $703,697 to Microsoft to rebuild its IT infrastructure after suffering a ransomware infection in March 2017.
The incident took place on March 3, 2017, when the organization’s entire IT systems, including its web servers, went down at the hands of a yet-to-be-revealed ransomware strain.
The ransomware encrypted files and requested payment of 28 bitcoins for the decryption key to unlock the ransomed data.
The ransom demand was worth nearly $30,000 at the Bitcoin-to-US dollar exchange rate of the time, but officials declined to pay, opting instead to restore what data they could from backups and to rebuild the caucus's entire IT infrastructure from scratch.
That decision resulted in a $700,000 invoice from Microsoft, according to information obtained via a Right-to-Know request by local reporters from TribLive.
Pennsylvania Senate Democrats aren't the only ones who opted to rebuild their entire IT systems rather than pay a ransom demand; this has been a trend among ransomware victims over the past year.
The city of Atlanta was the victim of a similar attack earlier this year, in March, when the SamSam ransomware infected a large number of the city government’s computers. While initial IT rebuilding costs were estimated at $2.6 million, that sum quickly rose to $9.5 million, and the final bill is now expected to reach a whopping $17 million.
Similarly, after getting hit by the SamSam ransomware twice, in February and March of this year, the Colorado Department of Transportation also chose to rebuild its IT systems, which has cost the agency $1.5 million so far.
But the biggest confirmed post-ransomware IT rebuilding bill was reported by the Erie County Medical Center in Buffalo. The healthcare org told local press that after falling victim to a ransomware infection in the summer of 2017, they chose to pay $10 million for a brand new IT infrastructure instead of paying the smaller $30,000 ransom demand.
The reason all these organizations chose to rebuild their IT systems is that they would have had to do it anyway, whether or not they paid the ransom: a decryption key recovers files, but it does nothing to remove the attacker's foothold or to close the weakness that let them in.
Some of these ransomware infections were the work of organized cybercrime groups that don't rely on spam email and careless employees to get into an organization, but on weak points in the IT infrastructure itself, such as insufficiently protected RDP endpoints, unpatched Java-based web apps, and more. These are targeted attacks, and the same weak point can be exploited again and again until system administrators deploy proper fixes.
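One concrete way to spot an "insufficiently protected RDP endpoint" being worked over is to look for bursts of failed RemoteInteractive logons from internet addresses in the Windows Security log, and to treat any later success from the same source as a likely compromise rather than a user who finally remembered their password. The script below is an added example, not code from the article or from any of the organizations it mentions; it uses a constructed, simplified one-line-per-event log format rather than real EVTX/XML, and the five-failure threshold and the sample addresses (RFC 5737 documentation ranges standing in for internet hosts) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log, not taken from any real incident. One Windows Security
# event per line in a simplified key=value form. EventID 4625 = failed logon,
# 4624 = successful logon; LogonType 10 = RemoteInteractive, i.e. RDP.
SAMPLE_LOG = """\
2017-03-02T22:11:04 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.23
2017-03-02T22:11:05 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.23
2017-03-02T22:11:06 EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.23
2017-03-02T22:11:07 EventID=4625 LogonType=10 TargetUser=backup SourceIP=198.51.100.23
2017-03-02T22:11:08 EventID=4625 LogonType=10 TargetUser=itadmin SourceIP=198.51.100.23
2017-03-02T22:11:09 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.23
2017-03-02T22:13:40 EventID=4624 LogonType=10 TargetUser=administrator SourceIP=198.51.100.23
2017-03-02T22:15:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.4.17
2017-03-02T22:15:30 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=10.0.4.17
2017-03-02T22:16:00 EventID=4625 LogonType=3 TargetUser=svc_sql SourceIP=203.0.113.9
2017-03-02T22:16:01 EventID=4625 LogonType=3 TargetUser=svc_sql SourceIP=203.0.113.9
2017-03-02T22:16:02 EventID=4625 LogonType=3 TargetUser=svc_sql SourceIP=203.0.113.9
2017-03-02T22:16:03 EventID=4625 LogonType=3 TargetUser=svc_sql SourceIP=203.0.113.9
2017-03-02T22:16:04 EventID=4625 LogonType=3 TargetUser=svc_sql SourceIP=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

# RFC 1918 plus loopback and link-local. Checked explicitly instead of using
# ipaddress's is_private/is_global, because those also treat the RFC 5737
# documentation ranges used in the sample as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_events(text):
    """Parse the simplified log into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["eid"] = int(ev["eid"])
            ev["lt"] = int(ev["lt"])
            events.append(ev)
    return events


def is_external(ip):
    """True when the source address is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_rdp_bruteforce(events, threshold=5):
    """Group failed RDP logons (4625 / LogonType 10) by external source IP and
    report every IP with at least `threshold` failures. A later RDP success
    (4624) from the same IP is flagged: that host should be treated as
    compromised, not as a user who guessed right."""
    failures = defaultdict(list)      # ip -> usernames tried
    success_after = set()             # ips with a 4624 following their failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["lt"] != 10 or not is_external(ev["ip"]):
            continue                  # not RDP, or an internal source
        if ev["eid"] == 4625:
            failures[ev["ip"]].append(ev["user"])
        elif ev["eid"] == 4624 and ev["ip"] in failures:
            success_after.add(ev["ip"])
    findings = {}
    for ip, users in failures.items():
        if len(users) >= threshold:
            findings[ip] = {
                "failed_logons": len(users),
                "usernames_tried": sorted(set(users)),
                "later_success": ip in success_after,
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

In the sample, only 198.51.100.23 is reported: the internal 10.0.4.17 user is ignored, and 203.0.113.9 is ignored because its failures are LogonType 3 (network logons, such as SMB), which is a different signal. The useful output is the `later_success` flag; an exposed RDP host that shows it is exactly the kind of "weak point" that gets exploited again until it is fixed, which is why a clean rebuild behind a VPN or gateway tends to beat paying for a key.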
Other organizations simply choose to rebuild and avoid future headaches, which, in hindsight, is the better idea, albeit a costly one in the short term.