Tillamook County officials revealed that a $300,000 ransom was paid to regain data access after a cyberattack. The ransom amount was disclosed during the Tillamook County Board of Commissioners meeting Wednesday, March 11.
Commissioner Bill Baertlein, reading from a prepared statement, said it could have taken 12-24 months and cost $1 million to unlock the county’s computer system if a ransom went unpaid.
“The county’s rapid and aggressive response to the incident mitigated the compromise and contained the encryption to 17 of 55 servers and five of 280 county workstations,” Baertlein said.
The attack was reportedly carried out by an international cybercriminal organization known to law enforcement both nationally and internationally. The prepared county statement said the computer system was disabled for around two weeks, adding that new security measures were being implemented.
“The county made every effort to avoid the payment of a ransom to the cyber attacker, including recovery through two independent backup solutions and hundreds of hours of retained and county resources; however, data critical to county operations could not be restored without paying the cyberattacker for decryption keys,” Baertlein said.
“While the county maintained redundant backup solutions that would have protected our data in the event of a natural disaster, the cyberattack resulted in encrypted backups,” Baertlein said.
Commissioner Mary Faith Bell emphasized that the government was the victim of a crime, noting a new frontier of security hazards in the digital age. Commissioner David Yamamoto said while other municipalities have not disclosed cyberattacks, Tillamook felt transparency was important. He said the attack could have been much worse.
“It was a learning experience,” Yamamoto said.
Baertlein said the $300,000 loss would have a significant impact on the rural county’s coffers. He compared the cyberattack to being shaken down by a bully and called on the federal government to act against cybercrime.
It was not immediately clear what the additional costs of the cyberattack would come to after figuring in legal fees, contractor costs and county staff overtime. The county treasurer is working to compile those costs by the end of April. Discussions with the county's insurer are ongoing regarding which costs might be covered.
County systems are now operational and the forensic investigation has concluded. The investigation found no evidence that personal information of employees or residents was accessed or taken by the attacker, according to county officials.
County officials said the cyberattack originated from a group called REvil. The group is reportedly also known as Sodinokibi or Sodin. Information Security Media Group reported that the malicious “ransomware-as-a-service” operation appears to be extremely lucrative.
"We all knew that ransomware was big business for cybercriminals and in our past several research blogs speculated about projected criminal profits, but seeing it firsthand by following the money trail gives a different level of realization that we are dealing with adversaries with very deep pockets, literally having millions of dollars as a budget," John Fokker, security firm McAfee's head of cyber investigations, told Information Security Media Group.
A cybersecurity specialist said that beyond being used as leverage to force payment, stolen information also appears to be repurposed to attack new victims.
"We've now got pretty clear evidence that Maze et al. are using exfiltrated [data] to spear-phish other companies," Brett Callow, a threat analyst at security firm Emsisoft, said. "The problem is, many companies do not disclose these incidents, so their business partners and customers do not know that they should be on high alert. Bottom line: more companies need to disclose, and to disclose quickly."
A process to bring the county computer systems online after the malware infection began Feb. 3. County officials confirmed the cyberattack took place Jan. 22.
The county’s server, internal computer systems and website went down in the attack, and phone systems and email networks were affected. County computer network connections were disabled to contain the spread of malware.
This story is developing and will be updated.