No Evidence of Data Being Stolen From Affected Systems
Administrative systems of the City of Quincy, Illinois, were hit by a ransomware attack on May 7, Mayor Mike Troup confirmed in a press conference held on Tuesday.
In response, the city council passed a resolution authorizing emergency payment of more than $145,000 for cybersecurity consulting services and an unspecified amount, less than $500,000, for paying the ransom.
“The entire package which includes the fees of the three cybersecurity consulting firms and the payment towards getting a specific decryption key is $650,000,” Troup stated in the press conference.
The ransomware attack affected the administrative office emails and phones and the communication systems of the police and fire departments, along with the Quincy Public Library, as the library services are hosted on the City Hall servers, Troup says.
Troup says that it doesn’t appear that any data was exfiltrated. He says: “It’s remarkable how we are still able to function our critical services with the city like water, recycling, trash [sewage plants], police and fire departments, through the entire [cyber incident] situation.”
Timeline of Events
In Tuesday’s press conference, Troup discussed the exact timeline of how the cyber incident unfolded, starting with the initial disruption on May 7.
According to Troup, the attackers' entry point is yet to be determined; the cybersecurity consultants, along with law enforcement agencies including the FBI, are still investigating.
The first signs of the attack emerged in the early morning of May 7, when police and fire department officials started facing issues on their systems. “The police officials have laptops in their cars and something similar to that is what the fire department has. This was affected which caused issues in their daily communications,” Troup says.
They raised a flag with the city’s IT department which “rushed in” to check the issue and eventually spotted the ransomware attack, Troup adds. The following Monday – May 9 – when the city’s administrative employees resumed work, emails and office telephone lines were found to be disrupted and inaccessible for some of the city employees, including the Mayor himself.
Citing this as an “emergency situation,” Troup says, the city immediately contacted its IT partners, including its cyber insurance provider. Troup adds that the consultants immediately started working even before payment for their services was sanctioned.
Authorization of payment for cybersecurity consulting services, Troup says, was agreed Monday by the city council; the three firms were not named in the press conference. The city’s meeting agenda published on the website of the City of Quincy did note two of the three names as Mullen Coughlin, LLC – a law firm dedicated exclusively to representing organizations facing data privacy and information security incidents – and Kroll Associates, Inc., a cyber risk and governance solutions provider.
Decryption Key Obtained
Although the City of Quincy had to pay more than half a million dollars to get the decryption key for the ransomware, plus the fee for cybersecurity consultancy services, Troup says that so far there is no evidence of data being stolen from the affected systems, which, he says, gives “a sense of relief.”
“There are two different systems [in the City of Illinois]: first is the public interface with a variety of servers, and the second is the financial system, which includes payroll and ledgers. This [the financial system] was never compromised. Any employee, customer, or any kind of personally identifiable information was thus, never compromised,” Troup explains. “And as per the U.S. federal guidelines we need to notify the affected parties immediately, so, we are watching that very closely,” he adds.
Earlier in the week, emails of most employees were functional although historical email data was not guaranteed to be restored, Troup says. But he adds that restoration of operations of all email accounts is expected to be complete by Memorial Day, next Monday.
Troup did not state which variant of ransomware had affected the systems, but did say, “it is clearly not a domestic player, not from Illinois or from any domestic region.”
Ransomware Also Strikes a New Jersey County
On Tuesday, around the same time as Troup held his press conference, Somerset County in New Jersey also revealed that it was targeted with a ransomware attack that took down its email services. “Somerset County experienced a cybersecurity breach this morning involving ransomware. As a result, the county email system is down, and Tuesday night’s Board of Commissioners meeting is postponed. All county offices and phone lines are open and working, but emails to county personnel cannot be received or responded to for the time being,” it noted in the announcement.
“With the exception of email, the county is performing most normal functions. That said, we have activated our Emergency Operations Center and our Continuity of Operations of Government Plan,” says county administrator Colleen Mahr. She added, “It is our assumption that this situation will remain in effect at least for the rest of the week.”
In an update on Wednesday, the county stated that it was evaluating the severity of the ransomware attack and that all “network-linked computers remain turned off, and county emails cannot be received or responded to by county personnel.”
Apart from the emails, the notification says that Somerset County Clerk and Surrogate services, which depend on access to county databases, are also temporarily unavailable, including land records, vital statistics, and probate records. “Title searches are possible only on paper records dated before 1977,” the updated notification says.
Somerset County is reportedly holding its 2022 Primary Election on June 7; however, a statement was issued clarifying that “Digital records and voting machines for the upcoming Primary Election are never connected to the county system and are unaffected. The Board of Elections and County Clerk continue to perform election-related functions as normal, with the exception that replacement mail ballots can only be obtained by telephone or visiting the County Clerk’s office. The calendar for mail-in, early, and in-person voting is not affected.”