
Ransomware Prompted Emergency Declaration for Mississippi County

The ransomware attack, delivered through an email, downed all three of George County’s servers when it struck on July 15. The incident prompted an emergency declaration that allowed the IT team to bypass normal contracting processes.

Mississippi’s George County suffered a significant ransomware attack earlier this month. The attackers encrypted all three of the county’s servers, downing “nearly all of the government’s in-office computers,” Recorded Future News reported.

Soon after, the county supervisors declared a local emergency, per Alabama Media Group’s AL.com. That declaration let them bypass traditional bidding processes and contract immediately with IT professionals.

The entire county system reportedly went down for more than two days. But the county managed to have one of the three servers fully restored by July 19 and another partially restored by the following day.

County officials reportedly discovered the attack in the early morning of July 15. At the time, the county had only one IT person. But during a July 17 board meeting, the county upped the IT workforce to four people, all of whom began dedicating 12 to 16 hours each day to restoring systems. That meeting also saw county leaders approve budgets for emergency cyber services.

Attackers had gained access to county systems via a phishing email designed to look like a routine system update reminder. When an employee clicked on a link in the email, cyber extortionists were able to gain initial access. The perpetrators then moved laterally among computers until they obtained an administrative account that let them reach the wider network.

“From there, they systematically went through and locked out everybody’s personal office computer,” George County Communications Director Ken Flanagan told Recorded Future News. “It was a highly coordinated attack, and it also appears that after they encrypted all three servers, they went through each department looking at each individual computer to see what was the best data in there.”

The extortionists demanded a steep ransom for a jurisdiction of fewer than 25,000 people, leading investigators to think the perpetrators didn’t realize how small George County is, Flanagan told AL.com.

IT workers discovered the ransom note while working on restoration on July 18. The note was saved on one of the servers, and in it, the attackers demanded that payment be sent to a specified bitcoin wallet within five days, per Recorded Future News.

The county decided not to pay. A ransom of that size was unaffordable, and the county knew it could not trust that paying would solve the problem, Flanagan reportedly said.

The county contacted the FBI on Monday, and the local sheriff’s department and several state agencies have collaborated on incident response.

The county had backed up its computer system and database the day before the attackers struck, enabling it to rebuild from that backup, per WKRG.

“We are starting with our primary server, and then we’re going to go office to office, computer to computer. Update the security, clean out the system and rebuild them,” Flanagan told the outlet.

Restoration efforts have been hard work; IT staff spent about 16 hours restoring one server. They were able to restore a payroll system, averting a need to pay employees with handwritten checks, per Recorded Future News. The 911 dispatch system runs on separate analog phone lines, which spared it from the attack. Operators did have to revert to handwriting notes about incidents, however.

One spot of luck: the pandemic had prompted the county to get laptops so employees could work from home, and these laptops were disconnected from the server during the attack, leaving them unaffected. Employees have been able to use the laptops to keep working while restoration efforts were underway.

Flanagan reportedly said the county believes employees’ financial information was unaffected, because it is stored on a separate internal computer system that is not connected to the Internet. Nonetheless, the county advises employees to play it safe by changing the passwords on their financial accounts.