Systems Down

By Charles Parker, II; Cybersecurity Lab Engineer

There are vast numbers of municipalities of various sizes adjacent to each other throughout each state in the nation. Each of these obviously has a computer network, of varying sizes, in place for the day to day operations. One of these counties, in Michigan, also recently had an interesting issue. Genesee County has had much written about it, as the city of Flint is at the center of the media storm. In this county, there was recently a successful ransomware attack, unfortunately.

Attack

Ransomware has been over the last few years been exceptionally successful as an attack. The trend continues, as published repeatedly across many industries. One of these was the municipal offices of Genesee County, located in Michigan. The successful attack used one of the ransomware tools. The Genesee County Clerk stated the county servers were shut down due to this. The ransomware followed its standard protocol and encrypted the files. There naturally was a demand for money with this. Once received the attackers would provide the decrypt key. The initial forensic work indicated no files were exfiltrated, which was a good thing.

What to do?

This was a rather significant issue for the county. There were a few options for the county to follow, given the parameters of the attack. They could pay the fee and hope they would provide the decrypt key. The county would also have to hope the attackers did not leave any malware or back doors in the network. As an alternative, they could not pay the fee and use back-ups, which would require time and accurate and viable back-ups being in place prior to the attack. As the third option, do nothing and hope for the best.

The county ended up not paying the ransom. This was the safest bet as long as the county had up to date recent back-ups, which had been tested, in place. Fortunately for the county and their general fund, and their insurance company, there were adequate back-ups in place. The back-ups had been done the evening before at midnight. This indicated the data replication would be minimal. There would still be al mass amount of time, as the back-ups needed to be used to replace the encrypted data and files.

Affected

The attacks can vary in depth and width across the network, depending on the network itself and the form of ransomware. This could affect one system or the complete set of servers. In this case, nearly all of the networks in the system were affected. The county had signs in the window of the offices that the computer system was down, they were using manual systems, and the computer systems had been down for several days. The one relatively pertinent system for payroll was not, however, affected.

Forensic Work

This was a rather large project. The county contacted and had been working with the Michigan State Police and the FBI for their expertise. They may have been other third-party contractors involved.

Lessons Learned

Ransomware is a curious tool. While very devastating, it may also be viewed as being modular, in that the malicious tool may be adjusted according to the end result needed. All it takes is one employee in the wrong department to click on the wrong link. This issue did, however, show the importance of back-ups and testing them to ensure these really are backing up. This also shows there still is a distinct need for the employees to be trained.

On a brighter note, the county was able to hire a CISO, focused on the county and its work.

Resources

Acosta, R. (2019, April 4). Ransomware computer virus hits the county network. The Flint Journal, A1.

Ciak, M. (2019, April 4). Genesee county hacking incident ‘more extensive than initially thought’. Retrieved from Genesee County hacking incident ‘more extensive than initially thought’

Dissent. (2019, April 3). Genesee county’s email system not functional after the ransomware attack. Retrieved from https://www.databreaches.net/genesee-countys-email-system-not-funcitonal-after-ransomware-hack/

Olenick, D. (2019, April 5). Genesee county ransomware attack more severe than originally thought. Retrieved from Genesee County ransomware attack more severe than originally thought | SC Media

Pierret, A. (2019, April 3). Genesee county’s email system not functional after a ransomware attack. Retrieved from Genesee County’s email system not functional after ransomware hack

Winant, D. (2019, April 4). Servers in genesee county were hacked. Retrieved from https://www.wnem.com/news/breaking-servers-hacked-in-gen-co/

 About The Author

Charles Parker, II has been in the computer science/InfoSec industry for over a decade in working with medical, sales, labor, OEM and Tier 1 manufacturers, and other industries. Presently, he is a Cybersecurity Lab Engineer at a Tier 1 manufacturer and professor.  To further the knowledge base for others in various roles in other industries, he published in blogs and peer-reviewed journals. He has completed several graduate degrees (MBA, MSA, JD, LLM, and PhD), completed certificate programs in AI from MIT and other institutions, and researches AI’s application to InfoSec, FinTech, and other areas.