Small Town Nearly Done Recovering from Ransomware Attack

Weeks after an employee clicked on a malicious link in an email, causing a cybersecurity breach, the city of Galt in California's Central Valley is nearly done getting its phones and computers back in working order.

The City of Galt, Calif., was hit by a ransomware attack that knocked out several city phone lines and blocked computer access for employees in December. Since the attack, most of its systems have been restored.

The city first alerted authorities and city staff immediately after the attack, to be transparent and upfront with the city’s residents, Interim City Manager Thomas Haglund said.

“I put out a press release the first day we noticed the incident, to set the expectation that we would be transparent about what had transpired. It was a big deal. It affected our telephones and our citizens got stuck in an endless loop of recorded messages when they called,” he said.

Haglund said the city’s servers were breached by hackers, who barred employees from accessing crucial city files and refused to release the city’s data unless a ransom was paid.

Ransomware (a malicious software, or “malware,” attack designed to block access to a computer or computer system’s files) was sent to a city employee in an email spoofed to look like an internal message from a Galt employee email address, Haglund said.

After a staff member opened the email, the malware spread through the city’s network of computers. It encrypted critical files, which knocked several key phone lines out of service, including the nonemergency number for the Galt Police Department, the emergency outage line for Public Works and the main numbers for City Hall and the finance division.

Following the attack, the city hired security experts and a legal team to conduct a series of forensic audits. Technicians who investigated the city’s computer systems were able to trace information included in the malware’s code and concluded that public information was not compromised as a result of the ransomware attack.

“All of our phone lines are back up and we conducted a series of forensic audits to ensure the city’s computer data and our residents’ private information has not been compromised as a result of the attack,” Haglund said.

When the city’s system was first attacked, a dialog box popped up on the screen with a message demanding a ransom. However, city staff did not open the dialog box, so the ransom amount remains unknown, Haglund said.

It is common for hackers to demand cities pay a Bitcoin ransom in exchange for the encryption keys — similar to passwords — that would release the servers.

Bitcoin, an unregulated form of virtual currency, has become the most popular method for demanding ransom because transactions are anonymous. That prevents extortionists from being tracked.

When the City of Lodi was hit by ransomware, hackers demanded 75 Bitcoins (approximately $400,000 at the time of the inquiry) be paid to restore the city’s systems.

Lodi did not pay the ransom and rebuilt all its systems from back-up software systems.

“We never had any intention of paying the ransom. We consulted with the FBI and the Department of Homeland Security who told us that even if (we) pay a ransom, hackers could have blatantly planted malware in a system to steal data,” Haglund said.

DHS agents informed Haglund that many cases of ransomware in the United States are foreign-based.

While ransomware attacks have been occurring around the world since 2005, innovations in the past several years have allowed hackers to become more deliberate and sophisticated in their attacks.

An investigative report by the New York Times in 2016 found that hackers were selling lines of code for ransomware to other hackers on the Dark Web, a part of the Internet that isn’t indexed by search engines, requires specific software to gain entry and is regarded as a hub for criminal activity.

In recent years, malware distributors have targeted cities, police departments, school districts and hospitals. In their attempts to ransom large databases of personal and financial information, they have been known to incapacitate fax machines, phone lines and electrical grids.

“It is obviously very frustrating. When you work in public service, you want to do the most good for the public. To know people are profiting off of (virus software) that tampers with municipalities and public information is enraging,” Haglund said.

Approximately 85% of Galt’s systems have been rebuilt and restored. The remaining 15% of systems are in the process of being built and did not affect the day-to-day work of Galt employees. Haglund said the remaining servers belong to specialty programs used by a small group of the city’s employees.

“The total incurred cost to restore our systems is an estimate of $758,000, that cost includes IT experts, risk management providers, legal counsel and forensic audits,” he said.

The City of Galt does have insurance that includes cybersecurity coverage.

The Governor’s Office of Emergency Services and Assemblyman Jim Cooper’s office have lent their support to Galt staff as they correct the issues caused by ransomware.

“City staff has handled this extremely well given the circumstances. Since the initial attack, we have remained open for business and handled the needs of our residents,” Haglund said.

He suggested that both the state legislature and the federal government should consider issuing emergency funding for ransomware, the same way they do for natural disasters.

“When ransomware hits, it is like a disaster striking, it disrupts a community (that) could face very significant expenses that could drain (the) city’s funding resources,” Haglund said.

———

©2020 the Lodi News-Sentinel (Lodi, Calif.). Distributed by Tribune Content Agency, LLC.