Date: 2019-07-19

La PORTE — With only a handful of servers still offline, La Porte County is well on its way to a full recovery from the ransomware attack on its computer network earlier this month.
Information Technology Director Darlene Hale updated the public on the status of the county's computer systems during Wednesday's meeting of the La Porte County Board of Commissioners. She also discussed the ongoing investigation into who was responsible for the attack and how the malware – known as "RYUK" – breached the county's network.
Since paying the hackers responsible for the virus more than $130,000 for the proper decryption key late last week, the IT Department has worked to recover data stored on the affected computers and servers.
As of Wednesday, Hale and her team had reactivated all but four servers. The department has also restored the county's network and email services, which it had shut down in the immediate aftermath of the attack, she said.
"We have been told by third-party experts that recovery efforts are ahead of schedule as compared to the recovery timelines of entities impacted by similar events," Hale said. "Normally, it takes up to a month or two."
Hale credits the speedy recovery to the quick actions her department took after discovering the attack on the network on July 6. IT employees discovered the attack after someone with the county Emergency Medical Service told them they could not access the network.
Workers quickly disconnected portions of the network, including the email server, after learning malware caused the problem. As a result, the IT Department was able to contain the spread of the virus to just 12 computers and about 20 servers, a small fraction of the county's total, Hale said.
The machines the virus did infect had their data locked, preventing users from retrieving files without the decryption key. The malware also encrypted, deleted or disabled the county's backup system, preventing the data from being restored, Hale said.
"Not all backups were encrypted – we do back up a lot to the cloud," she told commissioners Thursday. "[There are] some very large backups that we don't back up to the cloud; they're backed up here locally."
To retrieve the locked data, the IT Department reached out to the FBI and asked for its list of decryption keys, which the agency compiled from various malware attacks across the country, Hale said. The county was unsuccessful in its attempts to decrypt the computers using those keys, however.
With no other options on the table, representatives with Mullen Coughlin, a cybersecurity firm working with the county on the attack response, negotiated a price with the hackers for the correct decryption key. The county agreed to pay 10.5 bitcoins, worth $132,300, on July 11, and quickly set out to decrypt the systems once the attackers handed over the information.
A cyber forensics team is currently investigating the attack, seeking information on how it was carried out and why it disabled the backup system, Hale said. The breach may have resulted from a brute-force attack by hackers or from a county employee accidentally activating the malware through a spam email.
The director intends to share whatever information the investigation uncovers with the FBI, she said.
"If they find them, they can prosecute them if they're in the United States," Hale said.
In the meantime, the IT Department will continue to reactivate remaining servers. Hale hopes to have the system back to full functionality by the end of the week.
Board of Commissioners President Vidya Kora thanked Hale and her team for the many hours they poured into responding to the malware attack over the past two weeks. He said he was grateful for the quick recovery, given the amount of damage similar ransomware incidents have inflicted on other communities.
Commissioner Sheila Brillson Matias was impressed by the level of teamwork between different departments in the aftermath of the attack.
"This was a crime," Matias said. "That's something that can't be lost in this. It's not someone's mistake. This was a crime against the people of La Porte County.
"When you think about the [money] that someone tried to steal from our taxpayers, it really makes me mad and I'm sure it makes a lot of people in the audience who are here listening mad."
The incident came with several silver linings, however, including highlighting the importance of cybersecurity training for employees, and the need for upgraded anti-malware software, Matias said.
And she also enjoyed the chance for the county to conduct government business "the old-fashioned way" during the email outage. Rather than rely on technology, leaders communicated via phone calls and face-to-face conversation.
"I think it was a benefit and connected a lot of people who might not actually have a lot of face time," she said.
Commissioner Richard Mrozinski kept his remarks on the cyberattack short and to the point.
"I hope the FBI can identify [the attacker], shut him down, prosecute him – or have the Air Force call in an airstrike on him," he joked.
