The demand was big: $5 million to unlock Wheat Ridge’s municipal data and computer systems seized by a shadowy overseas ransomware operation.
The response was defiant: We’ll keep our money and fix the mess you made ourselves.
“The city has made the determination not to pay a ransom,” Amanda Harrison, a Wheat Ridge spokeswoman, said this week. “The city’s IT professionals are working diligently to restore files stored within the city’s network from viable backups.”
But the decision not to play ball with the digital thief, who the city describes as a “foreign agent” likely from Eastern Europe, was not an easy one. It took three weeks from the Aug. 29 cyberattack for Wheat Ridge to determine that it had adequate redundancies and the know-how to put its databases and systems back into operation without the help of the hackers, who demanded payment in a hard-to-trace cryptocurrency known as Monero.
Following the attack, Wheat Ridge had to shut down its phones and email servers to assess the damage the cybercriminals had done to its network. That, in turn, prompted the city to close down City Hall to the public for more than a week.
Things have slowly returned to normal since the intrusion, with the help of the FBI. Harrison said the city “is prepared to inform any residents, businesses, and employees if it is determined their personal information was compromised. That aspect of the investigation is still ongoing.”
Wheat Ridge is the second Colorado municipality to recently get knocked offline by a relatively new ransomware attack known as BlackCat, which cybersecurity experts characterize as particularly pernicious and aggressive. BlackCat is encoded with a more stable and robust programming language, called Rust, that is harder for system administrators to detect.
Fremont County, southwest of Colorado Springs, was a BlackCat victim last month and its website is still down more than a month later.
“This has been a mess,” said Mykel Kroll, manager of emergency services for Fremont County. “It affected all of our county systems.”
Some county employees, he said, have been sent notifications about potential data compromise. On Monday, the Fremont County Sheriff’s Office posted online that its inmate accounting systems “have been deemed unrecoverable” because of the ransomware attack. That means any money that may have been added to a prisoner’s account following the Aug. 15 attack “has been lost.”
“The Fremont County Sheriff’s Office will honor deposits made to an account after the inmates’ last known balance with proof of a receipt for the transaction,” the sheriff’s office said in its posting.
Brandi Wildfang Simmons, a spokeswoman for the Governor’s Office of Information Technology, said her agency has been working with Fremont County to clean up the mess wrought by BlackCat.
“The state deployed resources to Fremont County for five weeks to assist with this incident from both an emergency management and security perspective,” she said. “We have alerted counties, municipalities and agencies throughout the state so they can take the necessary steps to protect against the BlackCat ransomware variant.”
Ransomware is malicious computer code that can be inserted into an organization’s computer network, where it encrypts — or locks up — files and databases. Typically, payment of a ransom is demanded to unlock the seized data. Cyber thieves can gain access to a network by tricking employees into downloading an infected file or revealing sensitive information.
BlackCat, which first appeared in November, has been implicated in an attack on OilTanking GmbH, a German fuel company, along with aviation firm Swissport. Last month, a BlackCat perpetrator claimed to have stolen “700 gigabytes of data from networks controlled by Italy’s GSE energy agency,” according to a report from Bloomberg.
Closer to home, the servers of Suffolk County on New York’s Long Island, was hacked by a BlackCat actor last week. The thieves leaked some of the files they had obtained — containing personal information of residents — and threatened to publish more unless the county paid them off.
Neither Fremont County nor Wheat Ridge will say how their systems were infiltrated, though Harrison said Wheat Ridge doesn’t suspect that it was due to “employee error.” Like the Denver suburb, Fremont County has no intention of paying off the thieves, Kroll said.
“There will be no ransom paid,” he said.
Simmons, with the state, said organizations are discouraged from paying ransoms to hackers.
“Federal and state guidance is to not pay the ransomware demand as it funds cyberterrorism, perpetuates cybercrime, and entities are not guaranteed they will get their systems back online or regain access to their data,” she said.
But the ability to withhold payment comes down to the nature of the attack and the data stolen. In 2019, Regis University in Denver paid an undisclosed sum to cybercriminals who had infiltrated its network and ground operations to a halt. A year later, Lafayette paid $45,000 to ransomware hackers to restore its network.
City spokeswoman Debbie Wilmot said after the attack, Lafeyette “deployed additional cybersecurity systems, implemented regular vulnerability assessments, and initiated additional security protocols.”
It also sent some of its IT folks down to Wheat Ridge for a day to help the city with its intrusion, Wilmot said. Harrison, the Wheat Ridge spokeswoman, said the city has taken several steps to increase security — two-step verification is now required on all electronic devices used by city employees and monitoring software has been implemented across its systems.
Simmons said those are all good steps but she’s under no illusion that they will stop the most dogged of cybercriminals, especially as hackers’ tools become more sophisticated and sneaky.
“Are we worried?” she said. “Yes, we are always on guard because in the world of cybersecurity, it is not a matter of ‘if’ but ‘when’ entities will come under attack from hackers.”