Butler County’s plight with ransomware is over. Administrator Will Johnson told commissioners Tuesday morning that all systems will be back to operating at 100 percent by the end of the business day on Tuesday. The final piece, ORION software, which runs the appraisal department, went online Tuesday afternoon after an extensive backup and restore that took four days.
“The backup takes so long because there is so much data there,” Johnson said. “We had an offsite backup. We were able to recover everything and no information was stolen.”
The county was hit with ransomware between 2 and 3 p.m. Sept. 9. It was the 911 communicators who noticed the attack first. Johnson said that within 20 minutes IT was contacted and able to shut down different software to stop the attack. Meanwhile, 911 switched to a backup system and continued to operate as normal. At no time were emergency communications down because of the ransomware attack, Johnson said. However, staff did have to take paper notes, which will be entered into the information system now that it’s back and operational. It’s something the department drills on at least once a quarter, Johnson said.
“Dispatch practices on that a lot,” Johnson said. “Because while we have backup systems and generators, you never know when the backup power might fail or a generator might fail and they’d have to resort to paper. Especially in a major disaster.”
Travelers, the county’s insurance provider, was able to bring on a law firm and forensic computer analysts to assist in correcting and investigating the attack. Johnson told commissioners he is not sure if that involved the insurance company paying the ransom or not. However, by last Tuesday night (Sept. 12) Johnson and the IT department had the instructions on how to crack the encryption.
“Our IT department has put in a ton of time to get us back up and operating as soon as possible,” Johnson said.
From there, to make sure the ransomware was completely out of the system, data was moved off the servers to another, then scoured by programs to make sure no suspicious data remained. Then the original servers were wiped, and the information was moved back onto them. The vast amount of information stored by the county and by outside vendors made the process take a while. Top priorities were to get systems for emergency, motor vehicles and treasurer back up as quickly as possible.
Email and the Western office were the last to re-open on Tuesday. Now the county has follow-ups to do. Travelers is working with the forensic analysts and the law firm to devise plans to help prevent another attack. This means new, longer passwords for every employee and stricter access for remote users. The computer where the attack originated was located and sent to the analysts’ firm in St. Louis for testing. Once discovered to be the source Monday, it was taken completely offline. Software was installed by the forensic team to monitor all county computer activity for the next 45 days.
“We were told by Travelers it’s not an if, but a when, when you’re hacked,” Johnson said. “The best thing we can do is try and stay ahead of the curb. We were told that ransomware is getting to be more common than stealing data because it can yield immediate financial gains.”
“So this was nothing but a high-tech holdup?” Commissioner Marc Murphy asked.
“Exactly,” Johnson said. “We’ll probably never be able to track where they came from. We’re watching for a back door to make sure there’s no other way they can get into our system. That’s part of why it’s taken so long to get back online. Never was public safety compromised. This was nothing more than a major inconvenience to the public and to us.”
(Read more: AndoverLeader.Com)