City Of Springfield Computer Data Hijacked By “Ransom-Ware”
SPRINGFIELD TENNESSEE: (Smokey Barn News) – The city of Springfield is currently recovering from what they are calling a Ransom-Ware virus attack that encrypted all their files. To get the files back they would have to pay a ransom.
After the attack was discovered it took the city almost a week to recover. “We had to regain all of our data and now we are taking some measures to get additional backup procedures,” said Springfield City Manager Paul Nutting.
The virus was discovered on Sunday the 11th by Lisa Crockett, CPA, CMFO, who is Director of Finance and City Recorder for Springfield. “I noticed some files were not showing up on our server, and when I clicked on that drive, the format was no longer PDF. It had been changed and an email address was attached to each of the files.”
Crockett said all the files had been encrypted and if the city wanted them back they would have to pay $1000. The city decided even before receiving the demand amount that they were not going to pay a ransom. The city instead installed a new server and restored from backup. Referring to the consideration of paying the ransom, Crockett said, “That was my very last resort, but we were not really considering it as an option.” If all of the backups had failed they might have taken another look at that option.
Crockett said the outside I.T. company that handles their technology (Local Government) sent an email to the address attached to the files. The reply contained the instructions for having the files freed from encryption, along with the ransom amount. Crockett said if the city had paid the ransom the criminals would have probably just asked for more money.
Here’s a copy of the reply they received:
Wed, Sep 14, 2016 at 11:17 AM

Hello

Your files have been encrypted with cryptographic algorithm! We suggest you purchase a decoder which decrypt all your files in a fully automatic mode on the same day after payment! (You not need to send any files to us). As we can guarantee – we can decrypt files for free (2-3 total weight <= 2mb). For warranty decryption

The cost of the decoder: 1000$

payment instructions:
1. Go to https://…………. (link removed)
2. Register (sign up)
3. You need to buy Bitcoins from people. (You can pay with any method, which is convenient to you)
4. Send purchased Bitcoins to our address listed below.

If you have any questions, you can contact support this service, or email us.

Our Bitcoin wallet: (link removed)

Please write the exact amount of payment. Send me a screenshot of the Payment.
Crockett said all the files on one entire server were encrypted by the virus. The city wasn’t just missing a few files, they were missing everything. “We had to restore from our backup tapes, then Local Government had to actually put the files back on our server.”
“The system that the city uses is called Zortek, it handles our utility billing, property taxes, business licenses, pretty much all of our programs were affected, that’s why we were down,” Crockett said.
Crockett said the city was completely down for four days, after which a good portion was back up and running, but it took a few more days for the city to get back up completely. “Everything was pretty much running Friday, we were still working out some kinks but we were up.”
Smokey Barn News asked Crockett if any customer data was compromised in the attack. “No, no, when I spoke with our outside I.T. help I asked them that question. They said with a ransom virus, the virus typically comes into your system and encrypts all of your data. They’re not taking the data out, the virus comes in (typically from opening an email) and is released into your system.”
How was it operating without computers for a week? “Slow, you really appreciate your technology and how far we have come and how much easier everything is, not having to do everything on paper. We had a good backup plan that we started Monday, since I found out Sunday. We had everybody ready to be operating and giving out cash receipts. We were slowed down but we kept reading meters, we were doing everything that we would normally do, we just didn’t have the benefit of great technology. My team was great,” Crockett said.
Crockett said the jobs of about 40 employees were affected by the outage.
Were there any surprises along the way? “Not really, I knew when that server was down it was going to affect us in pretty much every aspect. I knew what we were up against.”
Crockett said the city uses Commvault backup tapes to protect the data, and each night the data is stored in a safety deposit box at the bank, so the tapes are off site and not in the city's building. Data is also being backed up to the Cloud, and that is what the city was able to restore from. “We’re going to have multiple types of storage going forward,” Crockett said.
Was there a sense of panic at first? “I wouldn’t say we panicked, there was concern. You instantly go into, what are the first steps so we can still support our citizens. Then it’s, what do we need to do to get this back up and running.”
The Springfield police department was notified of the virus. Smokey Barn News spoke to Springfield Police Chief David Thompson about the situation. “We’ve had previous problems with ransom-ware viruses and we’ve done a bit of research in this area.
“We have contacted I.T. professionals and law enforcement professionals (including on the federal level). The bottom line is that these things are routed outside of our country. Because of that there’s no easy solution; you can’t just go out and start arresting people because you can’t even identify who they are.
“We have found that trying to prosecute somebody for ransom-ware is next to impossible.” Thompson said that a ransom-ware virus made its way into one of his systems via a thumb-drive. In that case the infected files had redundant copies, Thompson said, so no data was lost.
Chief Thompson highly recommends that you employ a good back-up solution so if you get hit with a ransom-ware virus, you will have a way to successfully negotiate around it.
Crockett said that no services were cut off for citizens during the ordeal. Everything just ran a bit slower. She added that their servers were temporarily disconnected from police and fire servers to prevent the virus from infiltrating their systems.
“I thought we did very well considering what we had to go through,” Crockett said.
Crockett would like to thank the community for their patience and understanding while they were getting the system back up.