Nearly a month after advising patrons that a system-wide ransomware attack had hit Contra Costa County’s libraries, officials had restored the vast majority of online services and those available at the 26 branches.
On Jan. 3, administrators alerted patrons via email of the network outage and took the affected servers offline. The Sheriff’s Department and the District Attorney’s Office initiated an investigation, with assistance from state and federal resources. Although the investigation is ongoing, there has been no evidence of personal patron data being compromised. The server that stores patron data related to library card accounts and transactions was not affected.
Officials, who did not respond to the ransom, declined to say if the system’s data had been backed up or if a disaster recovery plan was in place when this attack occurred.
“We don’t want to broadcast what our vulnerabilities may have been as the investigation is continuing,” said library public information officer Brooke Converse.
Initially, patrons were unable to access their online accounts and couldn’t receive email and text notifications about holds and renewals. By Jan. 22, the county had restored online account access, so patrons could check their accounts and place holds on materials. Likewise, a vast majority of online services were available again. By month’s end, public WiFi and printing services were working at all branches.
As officials continue to pursue the perpetrator, county public information officer Susan Shui said the IT staff is “working to improve our security policy and procedures.”
All about money
Wade Cantrell, owner of Concord-based Cantrell’s Computer Sales & Service, said such hacks are “all about money.”
The goal is to collect a ransom, or mine the data to sell on the dark web. He explained that the bad guys set loose malicious software that infects the data and seeks other computers and data backups that it can infect. It encrypts everything that it attaches itself to, locking out the rightful owners.
Some victims pay the ransom, usually in bitcoins that are nearly untraceable, and then the hacker provides a decryption key. Others, however, decline the demand and recover by using past data backups that were not encrypted. Either way, recovery from a ransomware attack typically takes many days.
“Generally, the hackers are fast to encrypt the data,” said Cantrell. “And even if you have the key, it is very slow to decrypt the data and get it back up and running.”
He recommends not paying the ransom, because this money just funds attacks on other victims. And there is no guarantee that the decryption key will work after the ransom is paid.
A great defense against an attack is a current backup of critical information that can’t be touched by ransomware.
Cantrell emphasized that this isn’t a bunch of teenagers in hoodies on their computers, but sophisticated people working in teams. Cybercrime is a volume-based business, with the perpetrators casting as wide a web as possible. “Now they have the ability to put out many phishing lines and hooks,” with unsuspecting entities getting caught.
He cited more than $2.7 billion in losses that victims reported to the FBI in 2018, and that doesn’t include crimes that go unreported.
“The threat is real, and the threat is growing,” he said.