IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Ransomware Attack Targets Pierce County, Wash., Entities

Russia-based ransomware group LockBit claims to have stolen "confidential data" from Pierce Transit and about 300 GB of data from the city of Lakewood. The cyber attack was discovered Feb. 14, officials said.

Russian hacker breaking into server
Shutterstock/Dmytro Tyshchenko
(TNS) — Two Pierce County government agencies have been the subject of ransomware attacks in the past three months, putting public data at risk. Russia-based ransomware group LockBit claims to have stolen "confidential data" from Pierce Transit and about 300 GB of data from the city of Lakewood.

On Feb. 15 LockBit threatened to leak "a huge portion of the confidential data in our hands" from Pierce Transit, including personal data of customers, contracts, postal correspondence and non-disclosure agreements if a ransom is not paid by Tuesday, according to information on the dark web found by Brett Callow, a threat analyst at computer security company Emsisoft.

On Feb. 14 there was a ransomware incident "that temporarily disrupted some agency systems," Pierce Transit communications manager Rebecca Japhet said in an email to The News Tribune on Monday.

"Upon discovering the incident, our team immediately took action to contain and isolate the threat," Japhet said. "Third party forensic experts were engaged to conduct a thorough investigation into the nature and scope of the incident, and law enforcement has been notified."

A spokesperson for the city of Lakewood said in late December the city "became aware of technical difficulties resulting in disruption to the city's computer systems. We immediately began taking steps to remediate these issues and initiated an investigation into the incident with the assistance of subject matter specialists. The investigation is ongoing. Additional information will be provided as it becomes available."

Japhet said Pierce Transit operations and rider safety were not impacted as a result of the ransomware incident and "a majority of operations have now been fully restored," although "temporary workarounds were put in place for certain affected administrative systems in the initial hours and days following the incident."

"We are aware that an unauthorized actor has claimed responsibility for this incident. We are working diligently to investigate the extent of this incident and what, if any, sensitive data may have been accessed as a result. If the investigation determines that any individuals' personal information was involved, those individuals will be notified in accordance with applicable law," Japhet said in an email. "Pierce Transit takes seriously the privacy and security of our systems and the data we maintain. As our investigation continues, we are committed to keeping our community informed, as appropriate."

Ransomware incidents like these are growing common.

Callow said LockBit is responsible for more than a thousand similar reports, and it's only one group of many.

According to Emsisoft's estimates, 106 state or municipal government agencies nationwide were affected by ransomware in 2022, an increase from 77 attacks in 2021. It's likely more attacks have occurred, including on private sector companies, but have not been disclosed publicly or reported to law enforcement.

Those who create ransomware operations often are based in Russia or Eastern Europe, but people who use ransomware to carry out attacks could live anywhere, Callow said.

Data can be accessed and misused by cyber criminals in many ways, Callow said.

"How ransomware attacks work nowadays, it's really twofold. Back in the old days, they would simply encrypt, lock up their target's networks and demand a ransom to unlock them. They still do that. But now they also steal a copy of the data, which is then a second point of leverage," Callow said. "Even if the company is able to recover its systems using its backups, and so it doesn't need to pay the ransom to do that, it's still got the problem of what to do about the stolen data. And the threat [hackers] can use is that if they don't pay, the data will be made public. And they can do that on their site or the dark web."

Callow said unfortunately there's not much individuals can do to protect themselves from data-extortion attacks, besides look for suspicious activity.

"Generally speaking, LockBit isn't interested in nickel-and-dime extortion against individuals," he said. "They want hundreds of thousands or millions from the companies they've attacked."

©2023 The News Tribune (Tacoma, Wash.) Distributed by Tribune Content Agency, LLC.