Indiana State pays over $130k USD due to ransomware attack

Cyberattack incidents against local governments in the United States keep happening. Officials in LaPorte County, Indiana, have revealed that some of their systems suffered a ransomware attack that reportedly first affected the county’s official website, along with some computer equipment and the government’s email server. According to system audit experts, two domain controller servers were also affected, so county network services were disabled.

According to a statement issued by the LaPorte County Board of Commissioners, the attackers reportedly used a variant of the powerful Ryuk ransomware. “The threat actors used this malware to be able to bypass our defenses (firewalls) and penetrate our backup servers,” the county statement says.

After infecting the county systems, the ransomware began to encrypt all the files stored on the affected computers, preventing users from accessing the information. As the county officials mentioned, the ransomware also reached the backup servers, which has made the recovery process difficult for system audit experts.

LaPorte County reported the incident to the FBI; however, the decryption keys available at the agency did not prove useful for recovering the files encrypted by this ransomware variant.

Because it was virtually impossible to remove the encryption with known keys, and because the backups were also encrypted, the county's insurance company suggested that officials comply with the hackers' demands and pay the ransom. It has been speculated that the attackers demanded a payment of 10.5 Bitcoin (about $132k USD).

After a meeting between officials, LaPorte County decided to pay the ransom; the county has insurance against cybersecurity incidents, so the insurance company will cover most of the cost of the ransom (approximately $100k USD). “Last year our civil liability agent recommended us to hire a cybersecurity insurance policy; County commissioners approved it at the time,” said Dr. Vidya Kora, one of LaPorte's officials.

On the other hand, the LaPorte system audit team does not yet have sufficient evidence to confirm or deny whether there was any unauthorized access to the compromised information or, in the worst case, whether data was stolen.

A couple of weeks later, all the compromised systems had been restored, and the county IT team had restored the information on each of the computers hit by the ransomware. LaPorte officials added that they are taking the necessary steps to ensure that such incidents do not happen again.

Although on this occasion everything had a happy ending, system audit specialists from the International Institute of Cyber Security (IICS) believe that paying a ransom to hackers should always be the last option for victims of a ransomware infection to consider: nothing ensures that the attackers will keep their part of the deal, and continued ransom payments give hackers the resources they need to continue their malicious operations.