Howard County fights back against ransomware after attack

Written by Mitnick Security | Dec 14, 2016 12:00:00 AM

A ransomware attack on the Howard County government last month affected more files than officials first realized and has led to an all-out effort to fight the encryption malware.

When the county government system was attacked on two separate days in mid-November, officials in the information systems department initially thought around 33,000 files had been encrypted. After more research, they discovered the number was actually more than 76,000.

Two emails, disguised as the same FedEx message, had been opened by county employees two days apart, one in a work email, the other a personal account. The emails told recipients that a package was undeliverable and provided an attachment for an invoice or certificate.

Once the attachment was clicked, encryption of county files began, according to Howard County Information Systems Director Terry Tribby. At the outset, Tribby and his crew thought the situation was fairly well-contained. Sometime after the second attack, though, they discovered the ransomware had gone through the network and encrypted more files than originally thought. “[33,000] is what we originally discovered, and then after more research and going through the rest of our servers and files and everything, which takes a significant amount of time going through our entire file structure, we found different applications with data in it that we found were encrypted files,” he said.

Though old viruses or malware would affect only one computer, ransomware can scan the network to harm other PCs, not just the person who received the infected email. “That’s the major difference, why it’s so scary,” said Howard County Network Administrator Jeremy Stevens. “Someone in [the county administration building] could be encrypting files in the courthouse. Typically, the older ones only affected itself, and kept one person out of commission instead of departments, buildings.”

The ransomware that hit Howard County is a form of malware that encrypts files on infected systems and forces users to pay a ransom, usually with the hard-to-trace cryptocurrency Bitcoin, to obtain a decrypt key, or password, for the undamaged files. Most often, hackers use scam emails, similar to the FedEx emails sent to Howard County employees.

An almost identical hack has cost Madison County nearly $200,000, according to The (Anderson) Herald Bulletin. In response to the attack, the Madison County commissioners approved contracts for off-site data storage, a cooperative effort with the city of Anderson for firewall protection and a backup system for the court system, reported the Herald Bulletin. But most importantly, a $21,000 ransom was paid to obtain the encryption keys after the county’s computer system was hit by a ransomware attack that locked up county files, a decision made at the recommendation of the county’s insurance carrier.

The difference, however, between Madison and Howard counties came down to one major factor – backups. While Madison County had its backups online, leaving them open to encryption, Howard County utilizes three backup systems: tape backup, disk-to-disk backup and cloud backup. These backup systems allowed the county to achieve nearly 100 percent recovery after last month’s attacks.

The tape backup, which utilizes actual thick, square tapes, is maybe the most straightforward form of backup in the county. The county computer system is divided between two central server locations, or data centers, one downtown and the other on the west side. According to Stevens, each data center has the same tape rotation and setup, and each night a complete backup of data is written to tape. In all, there are 10 daily tapes covering the previous two weeks of data, which are eventually condensed to four Friday tapes. The department then collects 12 end-of-month tapes, followed by one end-of-year tape. Tapes are overwritten at the end of their life cycle, meaning the first Friday tape gets overwritten by the fifth tape, and on down the line. After a tape is written, it is stored in a local bank’s safe deposit box, explained Stevens, protecting the county from data loss in the case of a fire or other disaster at the county data centers.

As for disk-to-disk backup, Stevens said “high-production data is replicated to partner data center via internal wireless connection.” The county then keeps the last 10 days of data before it starts to overwrite itself. “With the disk-based backup, we get offsite data production and quick recovery,” explained Stevens. “The drawback is that it is not completely offline, which could allow nefarious programs to corrupt backups as well. This is one reason tape is still utilized.”
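The tape rotation described above (10 daily, 4 Friday, 12 end-of-month, 1 end-of-year tapes, oldest tape in a tier overwritten first) and the point Stevens makes about offline media, modelled as an added example rather than anything the county runs. The tier precedence (year-end beats month-end beats Friday) and the FIFO overwrite rule within a tier are assumptions; the point it shows is that an infection date can never reach a tape already sitting in the safe deposit box, so the newest tape dated before the infection is always a clean restore point.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Tier capacities as described in the article.
TIER_CAPACITY = {"daily": 10, "weekly": 4, "monthly": 12, "yearly": 1}


def tier_for(day: date) -> str:
    """Pick the tier a nightly backup is written to (assumed precedence)."""
    nxt = day + timedelta(days=1)
    if nxt.year != day.year:
        return "yearly"          # last night of the year
    if nxt.month != day.month:
        return "monthly"         # last night of the month
    if day.weekday() == 4:
        return "weekly"          # Friday tape
    return "daily"


@dataclass
class TapeLibrary:
    # tier -> backup dates on its tapes, oldest first (assumed FIFO overwrite)
    tapes: Dict[str, List[date]] = field(
        default_factory=lambda: {t: [] for t in TIER_CAPACITY})

    def write_nightly(self, day: date) -> str:
        tier = tier_for(day)
        slots = self.tapes[tier]
        if len(slots) == TIER_CAPACITY[tier]:
            slots.pop(0)          # e.g. first Friday tape overwritten by the fifth
        slots.append(day)
        return tier

    def restore_points(self) -> List[date]:
        return sorted(d for slots in self.tapes.values() for d in slots)

    def latest_clean_restore_point(self, infection: date) -> Optional[date]:
        """Tapes are offline once written, so any tape dated before the
        infection cannot have been encrypted by malware on the network."""
        clean = [d for d in self.restore_points() if d < infection]
        return max(clean) if clean else None


def simulate(start: date, nights: int) -> TapeLibrary:
    """Run the nightly rotation for a number of consecutive nights."""
    lib = TapeLibrary()
    for i in range(nights):
        lib.write_nightly(start + timedelta(days=i))
    return lib
```

Running `simulate(date(2016, 1, 1), 366)` leaves 26 restore points spanning the year, and an infection on a given night still leaves the previous night's tape intact.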

And lastly, according to Tribby, the county also stores land and financial records, and soon court records, in the cloud backup. “Basically, our vendors provide solutions for us to come in and grab our data every night that’s been changed and they’ll store that for us in case there’s an attack,” he said.

Moving forward, Tribby and the rest of the information systems department have taken a number of additional steps to fight ransomware. Already, the Howard County Commissioners have approved the purchase of Sophos security software which specifically targets ransomware. Tribby said the software has fought back successfully in five out of five test runs against the same email the county was struck with in November. The cost is $15,000 for a three-year contract.

County employees also will undertake online training modules to become more familiar with the Internet’s always-evolving threats. Those modules, said Tribby, utilize the genius of Kevin Mitnick, an infamous computer security consultant who was once arrested by the FBI and deemed the most wanted hacker in America.

With governments, along with the banking and hospital industries, becoming ransomware targets because of their sensitive information, Tribby said he is being as cautious as possible moving into 2017. “We are just trying to do everything in our possible means to fight the criminals with this, because our data is so important, not only to us but also to our general public,” said Tribby, noting the prevalence of infected emails during the holiday season.

“I can’t imagine possibly ever, ever losing our land records. We would be toast. Or our financial records. We’ve got birth and death records. We’ve got criminal history records. Almost all of our records are so critical that we have to do everything that we can potentially do to stop all this from happening.”

Source: KOKOMO TRIBUNE