In the past eight months, three Florida Keys municipal and county entities have been hit by a computer ransomware virus that virtually shut down their systems for weeks.
Two of the computer virus attacks, on Key West City Hall and Florida Keys Mosquito Control District computer servers, occurred in the last 10 weeks. The first of these three systems hacks hit the Marathon city computer system on March 4 and Information Technology staff there have still not gotten all municipal servers up and running.
The computer ransomware virus that shut down the Key West City Hall computer system on Aug. 28 for over three weeks seems remarkably similar to the other two viruses that seized control of the in-house governmental computer servers, encrypting the stored data to make it unreadable and useless. In Key West and Marathon, ransom demands were received. At Mosquito Control, the district’s Chief Technical Officer, Tony Nunez, was able to shut down the system while the attack was ongoing, possibly stopping the infection process before it could become more embedded. Chad Huff, Mosquito Control Public Education and Information Officer, said Nunez was somehow alerted to the attack on the evening of Oct. 20.
“The next morning, all of our phones and computers were non-functional. All of our data was encrypted. He [Nunez] pulled the plug and kept it from getting worse,” Huff told The Key West Citizen this week.
Possibly as a result of that, Huff said, the county mosquito control office never received a ransom demand. But Key West and Marathon weren’t as lucky. Key West City Manager Greg Veliz said the ransom demand got as high as $1.1 million in return for the hackers removing the virus that encrypted the city’s municipal data. The U.S. Secret Service was involved in the negotiations, as was a ransomware expert team put in place by the city’s insurance company, he said.
“They put people in place right away. They were a team we met with pretty regularly,” Veliz said, adding that the team ultimately decided not to pay the ransom demand. “I’m not handing $1.1 million over to anybody. I’m not from St. Louis but you have to show me. I didn’t see enough.”
As a result, Key West City government went back to pre-computer days for more than three weeks. While 911 emergency call service was still operational, staff had no internal computer access for departmental records and operations and had only limited telephone service. They had to scramble to find work-arounds to keep the city functioning, including using personal cellphones and laptop computers. Multiple departments had to go into storage lockers to find paper records. Police officers had to fill out incident reports by hand. Emergency building permits were issued by paper carbon copies while handwritten requests for inspections were being given to inspectors. And since project plans were trapped inside the Building Department computers, inspectors had to depend on contractors to have hard copies of the plans on location to determine where an inspection was needed.
Veliz said that city officials were so tight-lipped at the time of the attack at the request of the Secret Service. In addition to shutting down the servers, the hackers said they had access to personal data for some city staff and residents that they would “dump” onto the Internet if they were not paid. Veliz said the Secret Service told him the more media attention given to the attack, the higher the ransom demand.
However, during the ransom negotiations, it did not appear the hackers had stolen much potentially damaging personal data from local residents.
“We [communicated] through email and they [hackers] showed us some of what they had,” Veliz said. “I didn’t see enough. We decided no.”
At this point, Veliz said there appears to be little risk of a resident data dump. There is a notification process in place, he said, that requires the city to let anyone know if their personal data may be compromised. But so far, the city has “not been made aware” that any resident has been exposed, he said.
Ransomware is a felony under the federal Computer Fraud and Abuse Act.
At the Mosquito Control District offices, Huff said their servers are about 95% restored. At no time during the system crash was the office unable to do its work, he said, including continuing truck and helicopter spray missions to control the mosquito population.
“We just were back in time to 20 years ago. Everything was on paper. Pencils replaced maps and computers,” Huff said.
In Marathon, former Mayor Steve Cook, who was mayor when the hack hit on March 4, attributed the attack to an unnamed European hacker group. He said the city had cyber insurance, which helped pay to hire computer technicians to restore the servers.
“We were completely shut down,” he said, adding that the hack took place 10 days before Monroe County shut itself down to visitors due to the coronavirus, adding to the difficulty of repairing the damage.
Cook said the ransom demand “was made from the very get-go.” He wouldn’t say what the demand amount was.
“Once we realized all of our on-site servers and off-site servers were compromised, we had to make a decision” on how to move ahead, Cook said. “We’re still getting some of our servers back online.”
Two years ago, the Monroe County School System was hit with a similar ransomware attack, shutting down its systems for about a week, although classes were not affected. No ransom demand was made; however, the virus was identified as a type of malware, “GandCrab,” that is typically a form of a so-called “Trojan Horse” virus that scrambles data into unreadable gibberish that can only be unlocked with software keys once the target pays the ransom demand.
And only two weeks ago, the FBI and two other federal agencies warned U.S. hospitals that cybercriminals were unleashing a new wave of data-scrambling extortion leading to “data theft and disruption of healthcare services.”
With future threats possibly on the horizon and with all three of the municipal and county hack victims forced to rebuild their computer systems from the ground up, additional virus protections are being added. At Mosquito Control, Huff said “maximum” firewalls have been put in place for the short term and additional, longer-term safeguards are being installed. In Key West, Veliz said IT technicians have “gone the extra mile.”
“If it’s available to protect,” he said, “we’ve got it.”