Vigo County, Ind., 95 Percent Operational After Cyberattack

The ransomware attack that targeted a software vulnerability in 129 of the county’s 489 computers was largely mitigated after more than a week, county IT officials say. The FBI is investigating the incident.

by Howard Greninger, The Tribune-Star / August 2, 2019

(TNS) — Overall, Vigo County's computer system was perhaps 95 percent up and running on Thursday, nine days after being hit with a ransomware attack, according to the county's tech director.

And the county's information technology personnel are now sending analytical information to the FBI to help it discover patterns in the ransomware attack, said Jeremy Snowden, director of the county's information technology department.

"[The FBI] are putting together information in the back end to see if it relates to similar attacks of this nature," Snowden said, adding it is standard protocol to contact the FBI and others, including the Indiana Secretary of State's office, after such an attack.

"It is analytics, like bread crumbs. They [FBI] are trying to see commonalities and see if it is similar to other ransomware attacks," he said, adding the county does not know the source of the attack.

Ransomware is a type of malicious software or malware designed to deny access to a computer system or data until a ransom is paid to unlock data. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.

Vigo County's initial attack came at 2:22 a.m. on July 23 through a computer in Vigo County Superior Court Division 4.

The virus likely came through an email, Snowden said. However, "we have tracked it down further. We have a zero-day exploit," Snowden said.

"There exists no software at this time that could have reversed what we had, that much we do know," Snowden said. "It was a zero-day exploit. That means it is a vulnerability found in a piece of software and is exploited the moment that is found. This was a vulnerability found and in 12 to 24 hours [it] was utilized against us," Snowden said.

Other county governments have recently been hit by ransomware attacks. LaPorte County earlier this month paid $132,000 to hackers after a ransomware shut down part of the county's computer system, the Times of Northwest Indiana reported.

The Michigan City News Dispatch reported that the attack on LaPorte County occurred July 6. The attack was confined by the county's IT department to less than 7 percent of the organization's laptops, but the ransomware did hit two domain controllers, preventing servers from accessing network services.

In June, two cities in Florida paid to unlock data, according to CNBC. Riviera Beach paid $600,000 and Lake City almost $500,000 to get their data unlocked.

Earlier measures, fast reaction helped

Snowden said alerts set in place immediately notified him of a computer virus attack. Snowden said he happened to be awake after 2 a.m. on the day of the attack and was able to put measures in place to help contain it.

After the initial attack, IT personnel worked 37 1/2 hours straight to combat it. No ransom is being paid, Snowden said.

"Aside from some overtime, some food and lack of sleep, not a penny is going out."

Last week's attack marked the second time in five months Vigo County's computer system has been hit.

The first was in early February, but unlike last month's attack, it was localized. It also came through an email, prompting suspension of email and other internet activity.

That attack was seeking to steal financial data, hitting a software vulnerability that 129 of 489 county computers did not have a patch for, Snowden said.

After that event, the county increased its security and at one point, Snowden thought it could have been too much.

"It wasn't," he said.

The county is now adding even more security measures, he said. Much of the county's data was stored off-site with computer vendors through the county, as well as in backup servers. The county auditor's office brought in a separate computer server to issue county payroll checks.

No personal or financial or property records were compromised, Snowden said. However, a large backup server for the county was impacted and had to be replaced.

The county was about to replace the server and hardware anyway, Snowden said, "but this just forced our hand." Also, there are about 14 computers that will require replacing, Snowden said. The county has close to 500 computers, which are desktops or laptops.

At prosecutor's office

Vigo County Prosecutor Terry Modesitt is one example. His desktop computer, along with his chief deputy's, uses Windows 7, a software system that soon will no longer be supported by Microsoft.

"I had a detective in here [Thursday] who had a thumb drive with a video that he wanted me to watch ... so I could give him my opinion on charges and other things ... and I couldn't use my computer," the prosecutor said. "It is locked and won't do anything," so the prosecutor moved to another office with a working computer.

Before Thursday, the prosecutor's office had only about 25 percent of its previous computer capacity, Modesitt said. By Thursday morning, more than 80 percent of his group had functional computers, Modesitt said, adding his office has 53 employees in the courthouse, including child support services.

Linda Jefferies, who staffs the prosecutor's front office, said she and others were able to make some use of personally owned laptops on secure, subscription-based services.

For other tasks, "those of us who knew -- we just went old school," Jefferies said in reference to pen and pad. "I've got three notepads, and I am not losing any of them," she said.

In some cases, attorneys were able to use tablets, but operations were slowed by the inability to print, she added. "We had to use thumb drives and take them to a printer. What held us up the most was having to rebuild the court system so we could file," Jefferies said.

"Everyone pitched in. The sheriff's department printed out reports every morning like we used to do before computer system. Terre Haute police faxed us things over every morning," she said.

Vigo County Commissioner Judith Anderson said commissioners did not have all computers working in their office on Thursday, but she said the office has been using its fax machine to receive invoices and people are using notebooks.

Snowden said he expects the county's system to be fully operational by the end of next week. And while dealing with the ransomware computer virus attack, another unrelated event occurred Wednesday.

It was a hardware failure.

The county suffered a "catastrophic failure of a switch stack that supports the west side of the Vigo County Annex," Snowden said in an email to county workers. That failure required IT workers to yank out the equipment, replace it and re-ensure connectivity for the county's system.

©2019 The Tribune-Star (Terre Haute, Ind.) Distributed by Tribune Content Agency, LLC.  
