Forty-seven days after a ransomware attack hit the Delaware County government, officials released the first batch of details about the incident, saying the county’s computers and networking infrastructure were originally compromised by a phishing email.
“The e-mail contained malware that was downloaded, and once in the system captured credentials and infiltrated the network,” the county’s press release said.
The county also acknowledged for the first time that it paid a ransom to have gigabytes of files released back to it and restored.
Although the county didn’t realize the networks had been compromised until November 21, the email was sent more than two months earlier.
Officials are unable to pin down the date the ransomware application was activated in the county networks, but problems did not present themselves until that day in November. They then called in a team from the Department of Homeland Security, as well as an outside legal team and cyber forensics team.
“Working with these resources, the County’s [information technology] staff began claiming back the system environment and credentials,” the county’s release continued. “The team installed software to protect each computer and to stop the threat actor from communicating into or out from the environment. The focus at this point [was] to contain the intrusion while evaluating the status of data back-ups.”
The county acknowledged for the first time that the ransom demanded by the cyber attackers was paid, but it did not say how much.
“Although the County was able to restore its capabilities from its back-up systems, the Executive Director [Howard Lazarus] recommended to Council that the ransom payment be made as the County’s exposure was limited to the deductible amount ($25,000) on its insurance policy and that working with the threat actor would accelerate system restoration and prevent information from being published,” the release said.
The insurance policy covered the ransom amount and the costs to get systems restored and running. Any news account saying the county paid a $25,000 ransom is incorrect. The county paid a $25,000 deductible to its insurers, and the insurers paid a ransom of an unknown amount. Numerous media reports have pinned the amount at $500,000, but the county is not confirming that figure.
Ransomware attacks involve cyber attackers usually based in European countries or elsewhere overseas. Once an attacker has gained access to an institution’s IT infrastructure, they will hijack tens of thousands of documents or more to make normal operations impossible.
The attackers will also threaten to release documents that would expose the entity to further liability should the documents be in the public domain, such as documents that might compromise an individual’s personal information. Additionally, the attackers are in a position to create further damage within the IT system if the ransom isn’t paid.
Such attacks are not limited to governments, as companies are oftentimes targets as well.
Ransom costs have soared in the last several years.
For example, Baltimore was hit with an attack in 2019, and the ransom was only $76,000.
The city refused to pay the attackers, but then had to pay millions for data recovery and for upgrades to the city’s network security and threat detection monitoring.
Baltimore’s Mayor Bernard C. “Jack” Young later sponsored a resolution with the U.S. Conference of Mayors urging cities not to pay ransoms, given that paying would likely embolden and grow the criminal industry.
That point was not lost on County Chairman Brian Zidek.
“I, for one, don’t welcome the idea of paying a ransom to anybody. But we also have to balance that with the costs to the county if we didn’t pay the ransom, and those costs were going to be significant both in terms of manpower and womenpower and downtime for all departments,” Zidek said Wednesday. “It’s tough to measure the economic consequence of that, but I know that it would have been a profoundly – even more profoundly – disturbing incident had we not taken the action that we had taken.”
The county approved roughly $400,000 in IT contracts to begin new upgrades to network security.