Ransomware Attack Could Cost Modesto, Calif., $1M

According to a report, the recent ransomware attack on Modesto's IT network may cost the city at least $1 million for expert help in recovering from it and for better IT security that could have deterred the attackers.

(TNS) — The recent ransomware attack on Modesto's IT network may cost the city at least $1 million for expert help in recovering from it and for "additional security detection and prevention tools that may have deterred the attacker," according to a city report.

The City Council on Tuesday is expected to approve spending as much as $586,645 for the expert help and as much as $497,000 annually for the security detection and prevention tools.

Modesto anticipates it will be reimbursed by its cybersecurity insurance provider for the cost of the expert help, less the city's $100,000 deductible, according to a resolution accompanying the city report.

The Police Department's IT network was hobbled by the Feb. 3 ransomware attack. The laptops in patrol vehicles and other technology were not working. The report states it took five weeks to recover from the attack.

Officials have said the attack did not prevent police from responding to 911 calls or put the public at risk. A department spokeswoman said last week that nearly all of the network has been restored, including the laptops in patrol vehicles.

The city report states that before the ransomware attack, Modesto's IT Department had been working on asking the City Council to approve this month the purchase of additional security tools.

"The City was obviously planning some upgrades, but that doesn't necessarily mean that what they already had in place was subpar," said Brett Callow, a threat analyst with the cybersecurity firm Emsisoft, in an email. "That said, most attacks do succeed as a result of basic security shortcomings like not using MFA (multi-factor authentication) everywhere it should be used."

Callow reviewed the city report at The Bee's request.

Withholds companies' names

The city did not respond Monday morning to an interview request. Instead, it referred The Bee to City Manager Joe Lopez's recent blog post about the cyberattack. The post essentially restates what is in the city report.

But while the city manager's blog post states the cyberattack was limited to one department, which a city spokesman has confirmed was the Police Department, the city report states the cyberattack was "primarily limited to a single department."

The report does not state the names of the firms that helped the city in the cyberattack and are providing it with security detection and prevention tools. The report cites California Government Code section 7929.210(a) in not releasing the names.

The section exempts disclosure of information that if disclosed would "reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of a public agency."

But a city spokesman has provided the names of two cybersecurity firms that helped Modesto in the ransomware attack: MoxFive and one of its subcontractors, Entara. It's not known whether these are the same firms that are not named in the city report.

The spokesman has said MoxFive's services included confirming that backups are valid and usable, and reimaging and rebuilding hardware to eliminate possible infection on servers, workstations and laptops.

A ransomware group called Snatch has claimed responsibility for the attack and last week posted 15 files on its website that it claimed contained Modesto data. Callow, the cybersecurity expert, said that generally means a city has not paid the ransom.

He said that is the right thing to do because there is no guarantee the cybercriminals won't keep the data despite being paid or sell it to other criminals.

Personal data accessed?

Modesto has said personal information — including Social Security and driver's license numbers — may have been accessed in the ransomware attack. The city in early March sent letters to people whose personal information may have been compromised and offered them one year of free credit monitoring.

The city has not said how many people received letters, but the city manager has said they were mainly city employees and almost entirely limited to Police Department employees. He has said a small number of people who don't work for the city may have been affected, too.

Callow has said ransomware attacks have become more common among public agencies.

For instance, Oakland continues to deal with the fallout of a ransomware attack from February. The cybercriminals have posted Social Security numbers, medical records and home addresses of thousands of current and former city employees, according to CBS Bay Area News.

The news station reported confidential information of some Oakland residents who have filed claims against the city or applied for city programs also has been released.

The City Council meets at 5:30 p.m. Tuesday in the basement chambers of Tenth Street Place, 1010 10th St. The meeting also will be on Zoom. The meeting ID is 869 4597 0570 and the passcode is 84326.

© 2023 The Modesto Bee (Modesto, Calif.). Distributed by Tribune Content Agency, LLC.