Monroe County and Clay County lost many government services after recent ransomware attacks. Local governments are a growing target for cybercriminals, and smaller municipalities have a harder time staying secure.
(Lucinda Larnach / WFIU-WTIU)
Monroe County government is recovering from a ransomware attack that paralyzed it earlier this month. In a way, it was lucky. Government services were down for one week, but other communities have a much harder time bouncing back.
County IT staff recognized there’d been unauthorized access to the network on June 30th. They shut down government servers as part of the security response. That forced the court system to close and temporarily shut down other services.
The county treasurer and auditor froze their bank accounts, which meant vendors had to wait to be paid.
Monroe County Commissioners’ Administrator Angela Purdie said most county jobs rely on connection to the network.
“County government couldn't operate because we didn't have email or access to any of our network drives,” she explained.
Monroe County says cybercrime syndicate BlackSuit pulled off the attack. The Russia-based group has a history of attacking local governments and critical infrastructure.
Cybersecurity and Global Policy Program Co-Director Isak Asare said that makes Monroe County part of a troubling trend.
“Malicious actors in cyberspace, they're consistently looking to attack local governments,” he said. “So this is not much unlike other attacks that have been happening across the country.”
Director of Communications and External Affairs for the Indiana Office of Technology Graig Lubsen explained that has a lot to do with vulnerability. Hackers tend to target systems that they're familiar with breaching, and entities that get hit once are more likely to experience a second attack. “The bad actors are really looking for the path of least resistance,” he said.
Ransomware blocks access to a victim’s files, essentially holding them hostage. Monroe County has plans in case of these events. It had already backed up all of its data on hard drives and managed to recover what was lost.
“We just asked for very simple details,” Lubsen said. “When did the attack start? When did you discover it? Give us some details on it, and then we're able to see what is the landscape.”
Lubsen said that reporting helps the state prepare other local governments for possible threats. Before the 2021 law, “We didn't have a sense of where and when and how many were happening,” he said. “So that's the biggest thing that we're seeing from this collection. Additionally, anything that's very severe, we do send out alerts and notices to all of our cybersecurity incident reporters.”
Thankfully, Monroe County IT staff managed to save important data.
“The process that we have worked, and our backup was all secure,” Purdie said. “It's rather impressive, really, by our technical services department to get us up and running.”
Although the government is now functioning as normal, it hasn’t said whether BlackSuit asked for a ransom or what information it stole. It’s waiting on the results of a law enforcement investigation.
“What I can say is that employee information is secure, and our banking information was secure,” Purdie added.
The attack overlapped with two other cyber scares in Southern Indiana – one real, and one purported.
Clay County government still has no web services after a ransomware attack which took out its servers on July 9th. The county issued an emergency declaration, saying the attack prevents it from providing critical services such as the courthouse, community corrections and county probation.
With just 26,000 residents, the county is less than 20 percent the size of Monroe and lacks the same IT resources.
The county's Emergency Management Agency declined our request for an interview, saying it didn’t want to jeopardize the ongoing investigation.
BlackSuit also claimed to have hacked the Richland-Bean Blossom School Corporation in a post on its dark web site.
Local media reported the alleged hack last weekend, but on Monday the district denied that its servers had been compromised.
Still, school board president Dana Robert Kerr said the district is taking the threat seriously.
“All of our data has been secure, nothing has gotten out of RBB hands, and we took immediate action to look into what was going on,” he said.
Documents extracted from the zip file on BlackSuit’s website bear the logo of Edgewood Primary School – in Nottingham, England.
Despite the cluster of Indiana targets, Asare says cyber criminals usually cast a wide net rather than target particular regions.
“The notion that a malicious group of actors online is sitting around and thinking, ‘You know, we're going to for Monroe County’ is not what's happening,” he said.
Ransomware usually targets employees indiscriminately through spam emails. Even a well-protected server can fall victim to a cyber attack if a worker makes a mistake.
Asare said Indiana and Monroe County have strong security protocols, but it’s going to take sustained improvements to stay secure.
“As long as we don't make cybersecurity one of the foremost considerations in our budgeting and investment at a local level, we're going to be stagnant in terms of our cybersecurity posture,” he said.
Monroe County has cyber insurance, although no claim payments have been made to date. It also regularly tests employees’ digital awareness with fake phishing emails.
“What we're waiting on is to is the forensics that what we're hoping will identify how this event occurred,” Purdie said. “We're concerned that they're not going to be able to identify it.”
The Indiana Executive Council on Cybersecurity recommends any Hoosiers who become victims of cyber crimes follow instructions on its website to know how to respond and recover.
The FBI reports 60 Hoosiers fell victim to ransomware attacks last year, costing them over $300,000.