Cybersecurity breach may have been perpetrated by Russian actors

Records reveal City of Cartersville paid ransomware attackers $380K

By JAMES SWIFT
Posted 12/31/69

On May 6, 2019, the City of Cartersville alerted residents that the local government had fallen prey to a ransomware attack. Yet since then, details on the size, scope and severity of the cybersecurity breach have remained scarce.

City officials broke their nearly yearlong silence on the cyberattack, however, in the wake of an Open Records Request filed by The Daily Tribune News.

Newly publicized documents indicate the City of Cartersville did indeed pay the ransomware attackers — to the tune of $380,000 in non-tradable Bitcoins, “with an additional $7,755.65 paid for transaction fees and negotiators.”

The payout is significantly lower than the amount demanded by the individuals responsible for the ransomware attack. Per Cartersville Assistant City Attorney Keith Lovell, the sum sought by the hackers was initially $2.8 million.

“That came out of our property and casualty insurance line item,” said Cartersville City Manager Tamara Brock. “That is an internal service fund, so it’s just a rollover amount every year that we have budgeted in all the departments.”

Brock said the City regained access to its internal files about 48 hours after the Bitcoin payment was made. The City, she said, was fully operational about six days after City of Cartersville Network Administrator Steven Grier was first alerted to the ransomware attack in the early morning hours of May 4.

In total, Brock said about 3 terabytes worth of data was impacted by the ransomware attack. That included what Brock describes as “very intensive operating files,” such as electric department substation drawings. 

“All of the departments had been affected with their internal files,” she said.

During the attack, however, Brock said City utility services continued to operate.

“Customer service could still open bills, see what customers needed to pay, customers could still come in and make a payment,” she said. “Basically, the iCloud payments was the only thing that was down for us.”

City employees were notified of a potential data breach on May 6, 2019.

“None of our payroll documents are on those files, but we did not know if there was anything with addresses or phone numbers that that information was on,” Brock said. 

Ultimately, Brock said no employee or customer information was compromised in the ransomware attack. 

May 5, 2019, communications between Cartersville Assistant City Manager Dan Porta and Grier revealed by the Open Records Request indicate the City’s police and fire departments were prioritized in the ransomware response.

Brock said that was because of the departments’ access to the Georgia Crime Information Center (GCIC) database.

“We changed all employee passwords at that time, and we wanted to make sure police and fire were changed first so they still had access to GCIC and other files within the State that they needed to get to and use,” she said. 

Although Brock said she was aware of the ransomware attack on the morning of May 4, City utility customers were not informed of the cybersecurity breach until two days later.

“We were still trying to figure out what was actually locked down versus what we still had access to,” she said. “And it was all of our internal files — so it was just our day-to-day operational files that we use internally with each other and other departments.”

Text messages between Porta and Grier on May 5, 2019, indicate the ransomware attack that struck the City of Cartersville one day earlier was a “Ryuk” infection.

The particularly virulent strain appears to have surfaced in 2018. Since then, the same ransomware variation that shut down the City of Cartersville has also hobbled United States Department of Defense contractors, numerous school districts throughout the country and several police departments.

The ransomware — fittingly enough, named after a demonic Japanese comic book character — has been responsible for everything from the closure of American libraries to the disabling of oil pipelines to forcing several hospitals to turn away patients.

Information technology specialists and cybersecurity experts with the Federal Bureau of Investigation suspect the Ryuk ransomware is the handiwork of Russian cybercriminals. 

According to CrowdStrike — a California-based firm the City of Cartersville contacted in the wake of the ransomware attack — the Ryuk strain primarily targets “enterprise environments” through emails containing malware.

Once executed, the ransomware effectively holds data hostage, encrypting files until a payment, almost always in the form of cryptocurrency like Bitcoin, is made to the attackers.

“What we basically have kind of narrowed it down to is it started as an email string, most likely, and came in when a file was clicked on,” Brock said.

While the Ryuk ransomware has a patently Russian signature, City officials were hesitant to say for sure that the cyberattack on Cartersville was of international origin.

“We can’t confirm that, because we can’t trace it back to the source,” Lovell said. “But based upon the style and type of attack, it is consistent with those.”

The case is still being investigated by the FBI. To date, Brock said no arrests have been made in connection with the ransomware attack. Nor did she say that the cybersecurity breach resulted in any employee terminations or disciplinary actions.

To the best of her knowledge, Brock said that no vulnerability in Cartersville’s cyber infrastructure was exploited by the attack.

Brock said it remains unknown why Cartersville, in particular, was targeted for the ransomware attack.

“What we have kind of been told by the FBI and some other cities, once you are more visible in the media — whether it’s through development projects, a local company locating or expanding — your community is kind of more visible,” she said. “You’re kind of a target at that point because in a simple Google search, you might come up.”

Brock said it simply wasn’t financially feasible for the City of Cartersville to dump its servers — thus, the local government’s decision to pay the ransom. 

“When you looked at the time it would take for us to either try to recreate the files, or wait and see if we would be able to get it back, the downtime on it was too great,” she said. “And the expense to potentially have a contractor or a third party redevelop those files for us, it could’ve gotten at a higher price tag.”

Brock said the FBI put the City of Cartersville in touch with several third-party cybersecurity vendors — a “couple of entities that tried to help, but were unable to assist us with that.”

Lovell noted that those third-party costs were included in the City’s additional $7,755.65 transaction and negotiator fees associated with the ransomware attack.

“There were a couple of others that did not come to fruition,” Brock said, “so we did not pay them.”

For all intents and purposes, Brock said the City was functioning normally again by May 10, 2019. 

“We had some monitoring practices in place, but we have changed some of our procedures and our protocols, as well as our changing some different security measures internally,” she said. “We’ve also purchased some additional software to help for security purposes.”

Since last year’s ransomware attack, Brock said the City has migrated to a new email filtering provider, added a line of software that monitors local government computers 24 hours a day and even implemented a new protocol to help personnel weed out malicious emails from their inboxes.

“Now, we’re regularly sending employees internal phishing emails to teach them how to recognize those for training purposes,” Lovell said. 

Over the next two months, Brock said the City will be evaluated by a third-party auditor for cybersecurity weaknesses.

“The biggest thing is to look at when new vendors come in, making sure that we notify the IT department that they are a new vendor on the list, so that potentially helps with fraud coming in,” she said. “We’ve also been more restrictive on emails and documents that are mailed out and that come in internally — attachments are your biggest nemesis in these things.”

As bad as the ransomware attack was, Lovell notes that the situation could’ve been much worse — not just for the local government, but its residents and utility customers as well.

“I’m not aware of a city being held liable for a leak of customer data, as long as the city has done everything a reasonable, prudent person or entity would do to secure that data,” he said. “Unfortunately, it’s a cross of our current society that it is internet-based and data-based, and there is no fool-proof system.”