The city of Keizer’s computer system was hacked on Wednesday, June 10, and officials were only able to regain access to the data by paying the perpetrators a $48,000 ransom.
At this point, no sensitive data appears to have been accessed or misused.
About 11:45 a.m., Wednesday, June 17, city employees finally regained access to all emails and files. Those concerned that previous attempts to contact city employees did not reach the intended recipient should call 503-390-3700 or attempt to resend the communication.
“We are taking this seriously, and are working to resolve the situation as quickly as possible,” said city officials in a hand-delivered statement.
The digital strike was discovered when city employees could not access some data and programs the morning of Wednesday, June 10.
The city “engaged appropriate authorities” to assist in data recovery, but it soon became clear that the only way to regain access to information stored on the city’s computers was to pay a ransom to the hacker or hackers responsible.
The particular method used to infiltrate the city’s computers is known as ransomware, a type of malware that encrypts data.
“We were presented with a request for a ransom payment needed to obtain the needed decryption keys,” the city’s statement read.
Rather than destroying or deleting data, it puts the information behind a door that can only be unlocked with a numeric key that remains in the hands of the hackers.
“We believe that the forensic investigation could provide critical information to defend against attacks in the future,” the statement read.
Part of a growing trend
When the City of Keizer was hacked last week by an unknown individual or group, it became the latest victim of such attacks nationwide.
By August of 2019, according to a New York Times report, at least 40 cities had their data held hostage by hackers in the first eight months of the year. At one point, 22 cities in Texas alone had been crippled by hacks that involve infecting servers with malware that puts all the data behind an encrypted wall. The hackers then request ransom to release the data back to the cities.
In some cases the ransom cost was nearly $500,000 in taxpayer money. In January of this year, Tillamook County paid $300,000 to regain access to its data. As companies and towns showed more willingness to pay the ransoms demanded, the attacks ramped up, according to the Times report.
However, the ransom demanded by hackers from a city is only a portion of the costs the city incurs. In addition to the ransom, Keizer had to contract with a cybersecurity firm to negotiate with the hackers, and it will now have to spend even more on security in the future: on data back-ups and, likely, on additional consultants to oversee bringing the system back online.
In the wake of such attacks, every device – from tablets issued to city councilors to the laptops installed in police vehicles – must be examined for existing vulnerabilities and hardened against future attacks.
The strain of ransomware that was used in many of the most recent attacks is named Sodinokibi.
In a report published by the World Economic Forum, cities of all sizes are urged to prepare for future digital strikes in the same way they would for an earthquake.
“Digital security is not only about hardware and software. It is about adopting a comprehensive whole-of-city approach. Security must be conceived as an essential priority, something that is designed into every element of the urban infrastructure, not merely introduced as an afterthought. It requires developing the rules, regulations, procedures and budgets for city authorities, businesses and residents to prepare and respond to digital threats when and after they inevitably occur,” the report states.
The report cites human error and a failure to implement best practices as the leading causes of such attacks succeeding.
Many attacks could be prevented with relatively simple actions such as “software patching, correct firewall configuration, frequent and redundant backups, and use of multi-factor authentication for logons,” the report concludes.
How ransomware works
It will likely take days or weeks to fully understand how Keizer’s data systems were held for ransom, but digital strikes on other cities and counties provide some insight into how it all works.
Ransomware is different from what the average user envisions when being hacked. Rather than destroying or downloading data, ransomware makes data inaccessible through encryption that can only be unlocked with a numeric key held by the hackers.
Hackers typically charge ransom based on the number of servers they were able to lock up, and payments are made through a web of untraceable digital transactions. Meanwhile, in cities with libraries, the hacks meant checking out books with pen-and-paper logs. For many police departments, hacks resulted in hand-written citations. Emails sent to Keizer city employees bounced back for several days.
According to a malware wiki, compiled from the knowledge of those who have dealt with ransomware, a strain known as Sodinokibi is the current scourge of cities near and far.
Sodinokibi doesn’t destroy data, and many of its operators don’t appear to download much of it unless the victim refuses to pay the ransom. Sodinokibi, also known as REvil, is believed to have originated in Russia and has already resulted in roughly $7 million in known ransoms paid.
Ransoms are paid to affiliates of the hacker or group of hackers. The affiliates reportedly keep 60 percent of the ransom paid and that amount increases to 70 percent after three successful transactions. The remainder goes to the actor or actors behind the hack. As of early 2020, there were roughly 40 known affiliates accepting ransom payments for successful Sodinokibi attacks.
While many cases are resolved with the payment of a ransom, some Sodinokibi hackers raised the stakes earlier this month, according to Brian Krebs, a cybersecurity reporter with The Washington Post.
One of the hackers behind the Sodinokibi ransomware began auctioning off data they stole from a Canadian agricultural production company. The starting price was $50,000 for 22,000 stolen files. The Krebs report suggests that auctioning data is one way hackers are diversifying their portfolios, given the decreased ability of some agencies to pay ransoms as a result of the COVID-19 pandemic and the resulting economic crisis.