Indiana County Suffers Service-Crippling Ransomware Attack

Lake County, Ind., was hit by a cyberattack that forced email service and several internal applications to go offline last week. Systems administrators first noticed problems on some county computers Thursday afternoon.

by Will Racke, The Times / August 26, 2019

(TNS) — Lake County has been hit with a cyberattack that forced the shutdown of email service and several internal applications throughout county government, officials said Friday.

The breach came in the form of ransomware, a type of malicious software that denies access to computer systems until a ransom is paid to the attacker.

As of Thursday afternoon, the county's IT staff was installing cybersecurity software on 3,000 individual employee laptops, Mark Pearman, director of county's information technology office, said. They are also working through installing cybersecurity to clear the ransomware on 40 county servers.

"We are making progress," Pearman said. "We are going slow because we don't want to miss anything that could cause problems in the future or re-infect the system."

He said there has been no evidence of date theft from county servers and communications, calling the attack a "lock out." It will be an all-weekend project to restore all systems and more information will be known by Monday.

Systems administrators first noticed the ransomware on some county computers Thursday afternoon. To prevent the virus from spreading, IT staff began taking encrypted and unencrypted servers off the network “out of an abundance of caution,” he said.

The IT department is working with Crowdstrike, the county’s cybersecurity contractor, to conduct a damage assessment, which involves scanning all county servers and roughly 3,000 computers to determine which have been corrupted.

“Our main effort right now is to mitigate the issue,” Pearman told The Times, adding that a preliminary investigation indicates the ransomware was hidden on county systems earlier this month and “sat there until now.”

Pearman said in his 45 years of working with Lake County, nothing like this has ever happened. However, the reality is that more and more instances of ransomware attacks are becoming more common.

"It's becoming more prevalent," Pearman said. "More counties and cities having been dealing with this issue."

The attack against Lake County computers comes about a month after LaPorte County suffered a similar breach. In that case, LaPorte paid a ransom of $132,000 worth of Bitcoin to the attackers to restore access to their affected systems.

Lake County maintains insurance coverage against various cybercontingencies, according Commissioner Mike Repay, D-Hammond. Repay said the Board of Commissioners has not decided if it will end up paying whoever launched the attack, because the ransomware only included a "request for communication" and the county has yet to respond.

As of Friday afternoon Pearman said no dollar amount had been requested and the county has not answered the cyberattackers' request for communication.

Meanwhile, email service on the county domain remains suspended, meaning messages cannot be sent from or received by addresses ending in lakecountyin.org, according to Pearman. County employees still have internet access and have been asked to conduct business using their personal emails, if necessary.

Lake County’s critical public safety agencies appear to have been spared from the ransomware attack. Systems at Lake County 911 and the Sheriff’s Department remain online, so “law enforcement was not affected,” Pearman said.

At this time, Crowdstrike is still investigating the source of the attack. He said because the FBI was involved in the LaPorte cyberattack, it is likely they will also be involved in this investigation down the road. Any leading information Crowdstrike finds will be passed to law enforcement agencies.

"All ransomware attack motives are always for money and sadly that's the word we live in," Pearman said. "We can only do what we have to in order to prevent it. Still, there's no 100 percent guarantee to prevent such attacks from happening."

©2019 The Times (Munster, Ind.). Distributed by Tribune Content Agency, LLC.

Platforms & Programs