UPDATE April 22, 9 p.m.
Imperial County officials sent out an update April 21 stating that the county’s network system, which was the subject of a wide-ranging ransomware attack April 13, had been quarantined, that multiple safety features had been upgraded, and that data was being reviewed by multiple security firms and law enforcement agencies to determine the extent of what occurred.
County officials added that security teams have reported they have not found evidence of any personal data being compromised by the attack, and “will continue to diligently monitor our system.”
As of the afternoon of April 22 the county’s website, www.co.imperial.ca.us, has been partially restored and is expected to regain full operational status in the coming days. The email system is still down, and departments continue to work through temporary email addresses. No timeline has been given on expected email restoration.
Also on April 22, the phone system, which is tied into the county’s computer network, was spotty in places. County officials said information technology professionals continued to reboot and reconfigure the system, and that the phone system should be fully operational April 23.
Meanwhile, the Imperial County Board of Supervisors is expected to meet as usual April 23. Although there isn’t a great deal pertaining to the cyberattack on the agenda, it does appear the board is being asked to approve a “blank check” of sorts for the county chief executive officer and the purchasing agent for expenditures related to “urgent technology matters” stemming from the attack.
Although the Calexico Chronicle has asked numerous times over the past week, county officials have declined to say how much in public funds has been spent so far on battling the cyberattack and restoring and upgrading the system.
Imperial County Refuses Ransomware Demands, Rebuilding Network
By Richard Montenegro Brown, April 19
Hackers who hijacked the county of Imperial’s website and computer network through a wide-ranging ransomware attack did not gain access to any personal information, nor was any information permanently lost, county officials said on April 19.
The county’s computer network is being rebuilt from the ground up with the help of a third-party vendor after the Imperial County Board of Supervisors opted to reconstruct its systems rather than give in to the demands of hackers, county Supervisors’ Chairman Ryan Kelley said.
Two teams were expected to work through the weekend on the attack: one conducting a forensic investigation on what happened, and another continuing to rebuild the downed network that earlier in the week crippled the county’s email and phone systems and cut off the county’s access to its own information, officials confirmed.
As of midday April 19, the email system was still down, but phone system access had been restored. Work to restore access to network information was still ongoing.
“The board chose to rebuild and not pay the ransom. It will be a painful process, but we will use our resources to create a more secure environment for our access and controls rather than paying a hacker who breached our systems,” Kelley told the Calexico Chronicle.
Imperial County Supervisor Raymond Castillo likened the attack to a home invasion.
“Imagine your house being burglarized,” Castillo said, referring to the loss of property and feeling of helplessness. “We’re still trying to assess the extent of the damage done to the system.”
What is known as of April 19 is that sometime April 13 Imperial County officials discovered the ransomware attack when a note appeared online announcing the attack and demanding payment in bitcoin, Castillo said. Bitcoin is a type of digital currency that can be used anonymously through the Internet.
While county officials would not reveal how much the ransom demand was, the board decided it would need to beef up its system to prevent such attacks anyway and opted to fight back.
Kelley said the decision came during an emergency special meeting April 15.
Kelley said the board weighed its options with county staff and the county’s insurance carrier and decided not to give in to the hackers’ demands.
“The options were to pay a ransom or rebuild,” he said.
Kelley and Castillo were asked whether the price to rebuild the network was more or less than the cost of the ransom demand.
Kelley said he could not answer yes or no, that the cost of rebuilding the system is a “moving target at the moment.”
“We were going to have to rebuild or reinvigorate the system whether we paid or not,” he added.
Kelley wouldn’t say how the board voted when considering whether to pay or rebuild, but he did say, “There was a united voice of the board.”
Kelley also would not say how much in county funds has already been diverted to restoring the network, just that money was allocated during the special meeting.
Late April 18, county Public Information Officer Linsey Dale sent out a press release through a temporary Gmail address (email@example.com) revealing that the county had been the victim of the ransomware variant Ryuk, which left the county without access to its own online and network services and devices.
Sometime after the discovery, the county contacted the Federal Bureau of Investigation, which is still working with the county on the forensic investigation, Castillo said.
Castillo added that the county is also getting help on restoring its systems through the California State Association of Counties.
Throughout the week, the county has been communicating with the public through temporary Gmail accounts and alternative phone numbers while the phone system was down. Kelley said the phones were directly tied to the computer network.
The county, both as the overall umbrella agency and through individual departments, has also been communicating with the public through Facebook and Twitter.
Among the information shared through social media has been alternative phone number lists for the Sheriff’s Office, the Public Health Department, the Treasurer/Tax Collector’s Office, and the Department of Social Services.
The hack also affected the county’s ability to take online payments and access some information through specific departments, Castillo confirmed.
Individual departments are coming back online, Castillo said, as the network is rebuilt and the departments are separated from the inaccessible network.
As of midday April 19, the county home page, co.imperial.ca.gov, was still offline.
The process to restore the county’s systems could not be confirmed with any other county staff April 19. Also, because April 19 is Good Friday, county departments were closed and department heads were unavailable for comment on how they were affected.
Castillo said two teams were working on the breach, and likely would continue working through the weekend and Easter Sunday, April 21.
Castillo said he does not believe the hackers, whom the county referred to as “bad actors” in its press release, have control of the systems or the website; rather, they have blocked the county’s access to its own information.
“They’ve done the damage already,” he said. “We don’t have access to the information.”
Still, county officials do not believe any private information was accessed.
Kelley added that while information in the attack is inaccessible, the county already had a backup system in place, and that no information was lost.
That fact was reiterated in an updated press release from the county around noon April 19: “County officials were able to restore backup files; they will continue working with outside cyber professionals to rebuild a new and secure system utilizing this information. In addition, new practices and guidelines will be established to enhance its existing security measures.”
Kelley said he was confident the system would be rebuilt and functioning early next week and that more information would become available during the April 23 Board of Supervisors meeting.
Ryuk is the same malware that was believed to have caused havoc at newspapers throughout the country, including the Los Angeles Times, the weekend of Jan. 1, the LA Times reported.
“Once Ryuk gets into a network, it spreads from computer to computer, node to node, encrypting important files along the way with an unbreakable code,” the Times reported Jan. 1. “Try to access the encrypted data, and the malware presents a ransom note: deposit bitcoin into an anonymous wallet and receive a key to decrypt your entire system. Refuse to pay and the files remain locked for good.”
The Calexico Chronicle first reported April 18 that the culprit in the attack was believed to be ransomware. The LA Times, through what is believed to be a leak within the county of Imperial government, reported later in the day that the Ryuk variant was used.
Ryuk is also the Japanese word for “death note.”
Kelley, Castillo and Dale were all asked whether they were concerned that information from within the county had been leaked to the media; all said yes.
“Anytime info is given confidentially, and that info is leaked out, it is a concern,” Dale said.