Nearly every portion of government services in New Mexico’s largest county has been disrupted at one point during the last several weeks, impacting tens of thousands of residents and with no timeline for a full recovery.
On Jan. 5, government workers in Bernalillo County discovered that their offices had suffered a devastating ransomware attack. The computer systems in the government offices as well as the websites of several county departments were taken offline by the attack, but it was not announced whether any ransom was paid.
The attack impacted the 675,000 residents in Bernalillo County, including those living in New Mexico’s most populous city, Albuquerque.
More than two weeks after the attack, the county is still feeling the deep impacts of the system breach. While many of services are up and running again, several key aspects of the local government are still down.
On Monday, Jan. 17, the county announced that the Clerk’s Office would only be offering “limited services” for residents who came in person, despite stating on Jan. 14 that it was fully restored. The county has not specified what exactly the Clerk’s Office is able to fulfill currently but did say that the online services are functioning.
In a statement to SearchSecurity, Bernalillo County Communications Director Tia Bland said “the recovery is ongoing” and that there is currently “no timeline for complete restoration” of the system.
Allan Liska, a ransomware researcher at Recorded Future, discussed the timetable for ransomware attacks like this one, which often require different types of recovery, from the retrieval of data and operations to the restructuring of network systems.
“The full recovery can take months — with Baltimore, it’s taken years,” Liska said. “There is the recovery of getting services back up and running, and that generally happens within a few weeks and a few months for one of these attacks. What also happens with one of these attacks is what we call technical debt that has accumulated in these towns and these counties. Projects that people have been asking for, for years and years that couldn’t get funding but then suddenly, the funding is available for.”
Technical debt is a term that describes an organization’s under-investments in IT and cybersecurity, which is a typical problem for many municipal governments. A cyber attack, especially ransomware, can put the problem under a microscope.
“Part of this reason is because when you’re attacked, you’re going to get a whole lot of attention from your cyber insurance provider, and you might not get your policy renewed if you don’t put these [security] policies and projects in place,” Liska said. “That second part, that shoring up of your defenses, that part can take years.”
Some of the key challenges presented by the closure of the Bernalillo County Clerk’s Office were an inability to register voters, grant marriage licenses or approve the transfer of deeds, the last of which presented a strange challenge to realtors in the area.
The main setback still glaring at the county IT department is the county’s Metropolitan Detention Center, which made headlines for system-wide outages in the initial days following the ransomware attack. According to Bernalillo County press releases, the detention center still seems to be under the same restrictions that it was just after the attack, with the county website saying on Jan. 17 that the detention center is “continuing to work with county IT to restore systems.”
The systems in question are integral to the operation of the facility. Most of the inmates are confined to their cells because of camera and security outages. The issue occurred when the electronic locking mechanisms on the cell doors failed, and the camera system was knocked out by the attack. Due to the electronic locks failing, each cell must be manually opened by a guard. That, combined with the camera outages, prompted authorities to put the jail under a lockdown and restrict the movement of prisoners. Others impacted by this outage include inmates’ friends and families, as visitors have not been allowed to go to the jail since the ransomware attack.
While the current prisoners have limited movement for the time being, the county is still allowing for the release of prisoners and transfer of new ones into the jail. The Metropolitan Court system is still able to operate via remote hearings because of “a court-based IT network, which has been unaffected by the disruptions in the county’s system,” according to a press release from the court system.
While the outages in the jail made headlines, there were other municipal services that impacted the lives of many people in Bernalillo County. Most were felt within and just outside the doors of the county’s brand new “one-stop shop” for county services, Alvarado Square in downtown Albuquerque.
We apologize for any inconvenience you have experienced due to the recent cyber incident at @BernCounty. We are beginning to recover online services but some components are not fully available yet including tax calculations, payments for public documents, and MDC bookings. 1/2 pic.twitter.com/E5Hj1jxNND
— Bernalillo County (@BernCounty)
January 13, 2022
Alvarado Square, which held the services of the county “clerk, assessor, treasurer, probate judge, commission, Planning & Development and more in one building” according to the county’s website, was closed to the public until Jan. 10, when it reopened with limited access.
Although the building was open, only the first floor was operational. As the county noted in its press release, services were limited while most of the building’s systems were down. “County employees will be on-hand to answer customer questions and conduct limited operations,” the press release said.
As KRQE News reported, residents arrived to the county office to fulfill simple tasks like paying their property taxes and applying for permits not knowing of the outages and were turned away.
The property taxes were a major problem facing the county, as the treasurer’s system was down. Many residents were used to going in person to pay their taxes that were due on Jan. 10.
While the county did not announce a delay on the collection of taxes, it offered different ways that residents would be able to pay taxes via the government website. The county highlighted the online portals, drop boxes and mail-in options that were available despite many of the internal systems being down from the ransomware.
These payment options are also available within the probate court, which recently opened and responded to some residents’ requests in person. The Department of Planning and Development Services, like the probate court and treasurer’s office, provided services online, such as permit applications. As of Jan. 14, it was back to accepting both payments and applications at Alvarado Square.
Liska discussed how attackers can impact entire systems through ransomware.
“We have seen this happen in Atlanta and in Baltimore. Often cities and counties maintain very flat networks, which is a very real problem, because say you get in through the accounting office of the city, you then have access to see everything,” he said. “Better segmentation is needed. The court system does not need access to the jail network, for example. There may be certain people that do, but that can be enabled on a case-by-case basis. When you have a wide, flat network and when the ransomware actors gain access to one part of the network, they can shut down the whole county or whole town or the whole city.”
While many administrative requests in Bernalillo County were stalled by this ransomware attack, other county offices and services were left relatively unaffected by the incident because of emergency systems. All public safety sectors remained fully operational, according to a Bernalillo County press release, including the Sherriff’s Office and Fire and Rescue. These departments stayed active and able to assist the community by utilizing “back-up contingencies.”
The only issue within the realm of public safety was the County Sheriff’s Office Advisory and Review Board meeting, which was moved from Jan. 13 to Feb. 11 because of a “computer network issue affecting certain computer systems of Bernalillo County,” according to a press release.
As Bernalillo County goes back online and recovers from this ransomware incident, the county commission announced last week that they would be implementing new emergency response plans in accordance with FEMA regulations. The county decided on Tuesday to update the plans, which now add measures to defend and recover from cyber attacks, looking to avoid long-term shutdowns like this in the future.
Liska noted that while effectively responding to these attacks is important, preventing them should be the real goal.
“We are seeing effective strategies around ways to try and get bodies in and help recover, post-ransomware attack; now we need to figure out how to stop ransomware attacks from happening.”