Incident Of The Week: Alabama Hit By 2nd Ransomware Attack In As Many Months

User Awareness Potentially Thwarts Threat

Seth Adler

[Records Exposed: TBD   | Industry: Government     | Type of Attack: Ransomware]

On the morning July 7, Alabama’s Chilton County employees notified the local IT team that their computers were running sluggish and some of the applications looked different. In an effort to shut down a suspected ransomware data breach, the county closed its doors to the public last Wednesday, July 8.

The Facts:

The county’s Tag Division is still closed and the online system is still deactivated because of the breach. The State of Alabama is issuing no penalties on tag renewals and purchases between March and July until at least July 31.

Chilton County Tag Division’s commission chairman, Joseph Parnell, released this statement:

“On Tuesday, July 7, 2020 Chilton County officials and their information technology team detected a Ransomware cyber incident on the County’s information system. The incident has caused a temporary disruption to the County’s computer records systems including the tag office and probate court records. Persons needing services provided by our various departments should check with the clerks in the particular department before coming to the courthouse to ensure that needed records are accessible.

The County Commission sincerely apologizes for any inconvenience this disruption may cause but it must take appropriate measures to protect the County’s information and data before restoring the computers to normal service.

This incident is being thoroughly investigated by the County’s legal counsel and technology experts who have taken immediate and appropriate actions to reinforce existing security measures and to mitigate its potential impact, as well as determining its origins. Investigations are ongoing to understand if any specific data was targeted.

The County has contacted the relevant regulatory authorities and the data protection authorities including the Alabama Attorney General’s Office and the FBI.”

Related: The Ransomware Survival Guide

Parnell later told the Clanton Advisor that the county does have a cyber policy in place and has hired a New York firm to assess the IT system. This situation is ongoing. According to the State of Email Security Report by Mimecast, 32% of the public sector says ransomware has impacted their operations in the past 12 months. Two to three days is the average length of downtime, with 9% of those attacked suffering from downtimes a week or longer.

Interestingly, on June 10, Florence, Alabama was also hit with a ransomware attack. After hiring a security firm to negotiate the ransom, the ask was dropped from 38 bitcoin to 30 bitcoin—or about $291,000. The ransom was paid. Whether or not to pay a ransom can be a tricky call to make.

Lessons Learned:

Naturally, all breaches and ransomware threats should be reported to the authorities, but is it advantageous for your organization to pay the ransom? It depends, says a Tripwire article by Graham Cluley. “That ultimately is a decision that only you can make. Bear in mind that the more companies that pay a ransom, the more the criminals are likely to launch similar attacks in the future. At the same time, you may feel that your business needs to make the difficult but pragmatic decision to pay the criminals if you feel your company cannot survive any other way.”

Related: Enable Secure Business With A Zero Trust Strategy

Regardless, paying a ransom doesn’t leave you in the free and clear. While breaches are inevitable, a strong cyber solution that includes the five parts of NIST ensures that your organization maintains the safety and integrity that is expected of today’s enterprises.

Quick Tips:

Most ransomware attacks are enabled through phishing. Therefore, it is important that government agencies invest the time and money into strong cyber security policies and organization best practices such as:

  • Making it easy to report suspicious emails by embedding a “report phishing” button into all incoming emails which triggers a cyber security incident response
  • Giving employees the least amount of access they need to do their job, i.e. implementing a zero-trust strategy
  • Practicing and testing anti-phishing awareness internally or with the assistance of a cyber security third party vendor
  • Reducing workplace stress and creating a slower-paced environment, as cyber criminals pray on psychological human responses such as carelessness and hurriedness