Dawson County Manager David Headley says the cost of the recent malware attack on government computers is “undetermined at this point”.
Dawson County hit by ransomware attack
Dawson County is the latest target of a ransomware attack. County officials said the attack started at 2 p.m. April 23 and was confirmed to be “a sophisticated ransomware attack”.
At the April 24 county board of commissioners work session, it was reported that the tax assessor’s office had been unable to save work on some of its files. Calls from other departments soon followed. Upon investigation, the county’s IT department discovered a ransomware attack.
Dawson County basically had two choices: pay whoever hacked into the county to remove the malware or neutralize the ransomware. “We started shutting down servers and trying to minimize the amount of damage, as it spreads very quickly, through the networks and through the different servers,” County IT analyst Will Shattuck said.
The county’s exchange server, as well as phone and internet services, were affected. “We did work through the night to get phones and internet back up,” Shattuck said. “Some of the other servers will take longer to repair and to work through.”
Early detection was key in preventing further damage. In an update on the county website, County Manager David Headley praised several individuals who played a key role in damage control, including Shattuck. “I first want to commend our IT department - Will Shattuck, Cameron Burt and Robin Roland,” the statement read. “This team, led by James Tolbert, discovered the attack early and, because of that, was able to limit the damage to county property.”
On Tuesday morning the county called in a cyber security company, Carvir Cyber Security, which is currently still working in conjunction with the county IT department to resolve the situation. No critical or essential services such as 911 or emergency response were impacted by the attack, according to Headley. “At this time, no personnel data or banking information is believed compromised,” Headley’s statement reads.
County offices remained open, but employees were unable to send or receive emails from the county system. Frustration was evident as the outage also kept employees from registering for employment-related training. Communication was made through telephone calls and bills were paid by handwritten checks. Email was restored to all county offices on Friday, April 27.
Officials with the United States Secret Service, local law enforcement and other professionals are still assessing the damage of the cyberattack. The point of entry for the attack has not been determined, but Headley said “there have been links that suggest points of entry.”
Ransomware is a type of malware that prevents users from accessing their systems or personal files and demands a ransom payment in order to regain access. The county does have a cyber insurance policy in place through the Association of County Commissioners of Georgia (ACCG), but prior to Monday it did not have an emergency management plan in place for a ransomware attack.
Shattuck indicated that the attack is similar to one which brought the City of Atlanta to a halt. The city has spent millions of dollars to fix the malicious hack. When asked if there had been any talk of paying the ransom, Headley said “all options were considered” and he did not respond to questions regarding the amount of the ransom.
According to the U.S. Department of Homeland Security, paying a ransom does not guarantee an organization will regain access to its data. Furthermore, some individuals or organizations were never provided with decryption keys after paying the ransom, while others were asked to pay additional funds and still others were targeted again.
In an email to Smoke Signals dated May 3—over two weeks since the malware was discovered—Headley said that the cost of the attack is “undetermined at this point” and added that “progress has been made” regarding clean-up.
“This is an unresolved situation currently under investigation and to comment…may jeopardize the work being done by our I.T. Staff and the agencies assisting them,” his statement reads. “Not being an I.T. Cyber-security expert myself, I cannot tell you what the possible adverse effects might be from any additional statement. As soon as we are in a position to make further information public we will do so.”