Roughly a month after St. Clair County was allegedly targeted by a ransomware cyberattack, the county is moving to bolster its network’s defenses. But questions still remain on the specifics of the attack.
The county board voted unanimously Monday night to approve a new policy hoped to minimize security risks from future attacks. The new policy adds multi-factor authentication on county accounts and raises requirements on county network passwords.
But the county has yet to comment on the specifics of the attack, outside of confirming that it happened and that the severity of the attack was being investigated by the county and law enforcement.
There was no discussion at the board meeting on the new policy or the cyberattack itself. However the board did discuss “security procedures and protocols relating to information technology precautionary measures” during a closed executive session.
A ransomware group calling itself Grief stated it targeted the county along with several other organizations in late May, demanding payment in cryptocurrencies such as Bitcoin and Monero.
In screenshots of the group’s website, obtained by the Belleville News-Democrat, the group claims it had 2.5 gigabytes of data, including internal company documents, personal and customer information.
County Information Technology Director Jeff Sandusky said because of the nature of the attack and the investigation that’s followed it, the county can’t say much about it at the moment.
He couldn’t confirm whether the attack was indeed ransomware or if hackers had stolen information. He described the situation as ‘delicate’ and said he hopes more transparency will be able to come soon.
“It’s the nature of the world we live in. There’s certain things we can share and certain things we can’t,” Sandusky said. “None of this is trying to keep things from the public. It’s just about safety and trying to make sure things are handled correctly.”
After the attack, the county took down its website for several days, and for weeks some services on the website were unavailable, including access to court records, tax records and bills and more. As of Tuesday, all of those services have been restored.
Ransomware attacks
Brett Callow, a threat analyst with antivirus software provider Emsisoft, told the Belleville News-Democrat attacks like the one on St. Clair County have been increasing in recent years. He said in 2020 there were nearly 250,000 attacks on local governments, school districts, police departments, health providers and other organizations.
He added that ransomware attacks against government agencies are often “shrouded in secrecy,” with no information released about the attack until long after it happens.
In ransomware attacks, a small amount of data is lifted from an organization’s networks and “ransomed” back to the organization. For larger amounts and sensitive data, hacker groups may encrypt the data within the network of a company or local government, only to decrypt it when payment is received.
While making payment restores access to the data, it doesn’t mean that data won’t also be sold on the dark web. It isn’t clear how much the group is demanding the county pay for the data.
Kavahn Mansouri is a reporter for the Belleville News-Democrat, a news partner of St. Louis Public Radio.