A devastating April 13 ransomware attack on Imperial County’s computer network, website, email and phone systems has already cost more than $1 million to repair with more work needed, county officials said.
“Like I said, it’s going to be a painful process” to rebuild, county board Chairman Ryan Kelley said April 30. “The most important message is, county offices are fully operational and serving the public. We will still have some limitations as we continue to secure our network.”
A malware variant known as “Ryuk” was unleashed on the county’s computer network and an online note appeared demanding a ransom payment in bitcoin --- a type of digital currency --- to unlock the system and restore the county’s access to its information, officials have said.
The ransom was reportedly more than $1 million, though county officials have declined to confirm the amount.
The county board during an emergency meeting April 15 opted to fight back and rebuild the system rather than give into ransom demands.
Officials have maintained that no personal information was lost or compromised.
Kelley said the county is tracking all costs and has so far spent more than $1 million in equipment and technical assistance, with the lion’s share of that money being covered by an insurance claim. Kelley said the county was insured against a cyberattack.
So far, Kelley said, “We are well within the coverage of our claim.”
While he did not have exact amounts, Kelley said the county is having to dip into special funds “to help pay for those security enhancements” not covered by insurance.
“Some things are covered by insurance, and some things aren’t. That’s why we’re keeping track,” he added.
The county did have to pay at least $50,000 out of pocket as its contribution to the claim, Kelley added.
“As of today (April 30), email is back up, the website (www.co.imperial.ca.us) is back up, and the reconstitution of departments is staggered,” he said. “Some have limited access, and some have full access to their records.”
The county’s main emails with the suffix @co.imperial.ca.us were rendered unusable by the attack but are now restored. County officials had used Google “@gmail” emails as replacements.
County Public Information Officer Linsey Dale stated in an email April 30 county information and technology staff was “migrating our email into a new system and is expecting to be functioning at full capacity on May 1. The county’s website and phone system have been 100 percent restored.”
Kelley said every day the county is receiving new equipment, such as computers and servers. He added there are also new firewalls up and new protocols in place.
Some examples, Kelley said, include guidance for county employees on how and why to be vigilant about what emails they open, and there are “added layers of protection, not just on their workplace computers, but on the personal electronic devices” employees are issued by the county. Such devices, he said, have been “screened and cleaned.”
Dale added the county has purchased a subscription to a training platform to prevent further attacks and viruses.
“We’re able to do the business of the county today,” Kelley said.
Still, some departments have been badly hobbled by the ransomware attack. Clerk/Recorder Chuck Storey said April 30 his department continues to climb out from under the rubble.
“It wiped us out. We were down for three days trying to figure out where our path was to rebuilding,” Storey said.
From April 15-17 documents such as deeds of trust, title changes, death and birth records, marriage licenses and more could not be recorded. Storey said it wasn’t until April 18 that his department began accepting documents to be recorded and payment for those documents. Even then, he said, it was being done manually.
On April 26, the department went back online, but only partially. The public still cannot fully access past records through public computers at the department’s front counter.
“We’re still struggling to make everything work the way it did before this all happened,” Storey said. “It’s going to be a bit before we’re back in smooth operation.”
He added, “My staff is just doing a wonderful job; they are busting their little fannies. They are beyond praise; they’re doing marvelous, marvelous work.”
The Clerk/Recorder uses specialized software developed by South Tech Systems, and Storey said the firm volunteered its services free of charge to the county to get the Recorder’s Office back online.
“Had it not been for them, we would not be back where we are now,” he said.
During the April 23 county board meeting, as part of the consent agenda, the board voted 5-0 to issue county Chief Executive Officer Tony Rouhotas Jr., and the county’s purchasing agent “blank check” powers for expenditures related to “urgent technology matters” stemming from the attack.
Sometime after the discovery of the ransomware attack, the county contacted the Federal Bureau of Investigation, which worked with the county on a forensic investigation into the incident, Imperial County Supervisor Ray Castillo said April 19.
Dale stated the attack is still under investigation but did not answer by whom.
The county never lost any information, officials have said, as all systems were backed up.
Ryuk is the same malware that was believed to have caused havoc at newspapers throughout the country, including the Los Angeles Times, the weekend of Jan. 1, the Times reported.
“Once Ryuk gets into a network, it spreads from computer to computer, node to node, encrypting important files along the way with an unbreakable code,” the Times report states. “Try to access the encrypted data, and the malware presents a ransom note: deposit bitcoin into an anonymous wallet and receive a key to decrypt your entire system. Refuse to pay and the files remain locked for good.”
The Calexico Chronicle first reported April 18 that the culprit in the attack was believed to be ransomware.