The City of Valdez (Alaska, USA) released details of how crippling the July ransomware attacks were to its community, systems and finances.

Valdez, AK – The City of Valdez began the final phase of recovery efforts this month following a ransomware attack on its municipal information technology infrastructure in late July.

On July 27th, City personnel identified a ransomware computer virus in the City’s IT infrastructure which effectively encrypted all electronic data stored on the City’s network. Immediately following the attack, the City IT department worked quickly to isolate the City network from the internet, as well as isolate internal connections between servers and individual computers to prevent further infection.

City personnel notified the FBI, enlisted help from several Alaska-based malware response and recovery specialists, and contacted other municipalities recently infected by a similar virus to determine best practices. Valdez Mayor Pro Tempore Dennis Fleming declared a local government disaster on July 27th and extended the declaration on August 3rd to aid in procurement of necessary supplies and time-sensitive technical assistance.

“Valdez Police Department also reached out through our law enforcement channels for assistance with addressing the ransom demand,” said Bart Hinkle, Valdez police chief and operations section chief for the cyber incident response. “Based on recommendations from several cyber-crimes specialists, the City engaged a specialty cyber-incident response and digital forensics firm based out of Virginia. The firm anonymously contacted the attackers on the City’s behalf to investigate and possibly negotiate ransom terms.”

Through the third-party firm, the cyber attackers demanded four bitcoin, digital currency equal to $26,623.97 at the time, in exchange for an electronic decryption tool.

“After consultation with the City legal team, our insurance carriers, and careful consideration of the best interests of the City, I authorized the third-party firm to negotiate and pay up to the amount of the ransom demand,” said Elke Doom, Valdez city manager and the incident commander for the cyber incident response. “Negotiation terms required demonstration of successful decryption of multiple City documents and verification the decryption key would not reinfect our system.”

Over a period of several weeks, City IT personnel used the tool to successfully decrypt all City data infected by the ransomware. While these files and databases can now be read, they remain in quarantine until the data is carefully “scrubbed” and verified virus-free.

“Our progress reintroducing old data from quarantine is deliberately slow and methodical to prevent reinfection of our network,” said Matt Osburn, City information technology director. “At the same time, we have fast-tracked the timeline for a significant IT system rebuild planned for 2019 to replace the system taken offline by the attack. Using lessons learned from this incident, the new system will meet or exceed current industry standards, with more robust security protections and additional efficiencies to better serve our citizens.”

Twenty-seven servers and 170 computers were infected by the virus. To date, there is no evidence to suggest any information was taken during the cyber-attack. Standalone or cloud-based systems, including the City’s phone network and banking relationships, were unaffected.

The City carries specific cyber-crimes insurance which covers costs directly related to the ransomware attack, including the ransom amount, negotiation fees, costs for forensic work and privacy counsel, and replacement of equipment directly affected by the attack.

All City staff continue to work with limited access to electronic data and documents saved on the City network prior to the incident. Several City departments also await replacement of affected software programs before returning to normal operations, including billing software for the Ports & Harbors Department, TWIC registration software for the Valdez Container Terminal, and event planning software for the Civic Center. Replacements for these programs, access to electronic data, and full restoration of the City system are anticipated to be complete in early 2019.

Hari Kotrotsios