La PORTE — La Porte County officials have agreed to pay to more than $130,000 to the hackers responsible for infecting several county computers and servers with ransomware. And things could have been much worse, and more expensive.
On Friday, after a meeting of elected officials and department heads, officials decided to pay 10.5 bitcoins – worth $132,300 – for the decryption key needed to retrieve important files on the infected computers and servers. according to Dr. Vidya Kora, president of the La Porte County Board of Commissioners.
The county information technology department immediately began to decrypt the systems and was able to restore functionality to several affected machines on Monday, he said.
The county's Information Technology Department has worked to restore functionality to infected computer systems since discovering the malware attack on Saturday, July 6. Though it shut down the system, preventing the malware from spreading to a vast majority of the county's machines, the virus still managed to infect 12 computers and nearly 20 servers, IT Director Darlene Hale on Tuesday.
"This particular virus – RYUK – that was used by the bad actors in this attack was particularly insidious in that it jumped all our firewalls and was able to penetrate backup servers," Kora said.
The virus encrypted files on the affected computers preventing users from accessing the data. The malware also targeted servers that contained backup files for several infected machines, Hale said.
The attack infected the county's two domain controller servers, which handles security authentication for the county's network, as well as the archives for its Laserfiche document scanner. While the machine itself was unaffected, the IT department also shut down the county's email server to prevent the virus from attacking it as well, Hale said.
There is no evidence that the attackers accessed or acquired any La Porte County employee's personal information through the ransomware attack, Kora said.
Representatives with Pennsylvania-based cybersecurity firm Mullen Coughlin helped the IT Department with the attack response, according to Kora. But the team was unable to decrypt the system, even using codes from a FBI cybersecurity unit which was consulted, forcing the county to pay the hackers for the decryption key.
A firm that represented the county convinced the attackers to lower their initial demand from $221,000 to $132,300 worth of bitcoins. Travelers Insurance, the company that provides cybersecurity insurance to La Porte County, will cover $100,000 of the payment.
On Monday, the IT Department restored functionality to the domain controllers, bringing the county's network back online. Officials will attempt to reactivate the county email system by Tuesday afternoon as well, Hale said.
IT workers have decrypted the files on every infected machine, Hale said. They will return the PCs to service once they have reinstalled Windows on the computers and will slowly begin to reactivate the remaining servers.
The county has also taken several steps to make sure such an attack doesn't happen again.
These include a new anti-malware program, SentinelOne; providing more malware-prevention training to employees; and having a third party perform an annual cybersecurity audit.
"Unfortunately, in a day and age where cybercrime has become so lucrative, and many private and governmental entities across the country are being 'extorted' for their data, an ounce of additional prevention will be worth a pound of cure," Kora said.
The county still doesn't know who is responsible for the attack or how the virus got into the system. A team is investigating the matter and is hoping to have some answers in several weeks, Hale said.
La Porte County is the latest governmental agency that hackers have attacked with ransomware over the past several years. A study by internet technology company Record Future found that nearly 170 state and local governments have reported ransomware attacks since 2013.
One of the largest attacks occurred in Atlanta, Georgia, in 2018, when the city's computer system was infected with the SamSam virus. While the city refused to pay ransom, and two Iranian men were later indicted for the attack, the cost to taxpayers of recovering data, improving security and replacing infected hardware is estimated at between $10 million and $17 million.
—From staff reports