BY PHIL CUSTODIO
Clarkston News Editor
Computer hackers enjoyed a $13,600 payday after a successful ransomware attack on Clarkston last week.
The “cyber incident” happened last Tuesday, Sept. 11. City insurance made the payment on Thursday, and City Council met on the matter at a special meeting, Saturday.
“In this case, the ransomware experts we worked with, including those at the Michigan State Police and FBI, recommended that the ransom be paid as the most efficient and effective way to regain access to our files,” said City Manager Jonathan Smith. “The experts told us that, believe it or not, the attackers take pride in their business and predominately provide the decryption codes once the ransom is paid.”
Ransomware attacks can occur to anybody at any time, Smith said.
“Unlike computer attacks where the criminals are seeking the information contained within specific files, ransomware attacks result in all your computer files being encrypted with codes that prevent access,” he said.
To obtain the decryption codes and process, the attackers demand a ransom, which typically escalates every day it’s not paid, he said.
The city’s insurance through the Michigan Municipal League (MML) covers cyber extortion and related costs, he said.
Kivu cyber security firm, the technical consulting firm with MML, handled all communications with the attackers, payment of the ransom, and delivery of the decryption codes, Smith said.
The deductible charged to the city was $2,500. City Council approved the payment unanimously at the Sept. 15 special meeting.
Contracts for services with the McDonald Hopkins legal firm, MML’s legal consultants, and Kivu were approved, 5 to 1. Mayor Steven Percival, and council members Sharron Catallo, Sue Wiley, Jason Kneisc, and Scott Reynolds voted “yes.” Council member Rick Detkowski voted against. Council member Joe Luginski was absent.
The consultants provided range estimates for their services, with Kivu ranging from $23,333 to $36,658 and McDonald Hopkins ranging from $375 to $5,840. These expenses would be covered by the MML insurance, Smith said.
How the attackers gained access to the city server remains under investigation by the Oakland County Information Technology Team and Michigan State Police, said the city manager.
“Our new computer systems were installed in July, but adjustments and refinements to our settings were still underway,” he said. “We had automatic backing processes in place, but unfortunately these backups were also encrypted. While the city is utilizing virtually the same computer security firewall and anti-virus procedures as Oakland County, we are further tightening our security settings and processes to reduce the chances this ever happens again. We are also implementing daily offsite file backups as well as weekly redundant backups.”
According to the FBI, ransomware has been around for a few years, but increased in 2015 particularly against organizations because payoffs are higher.
In a ransomware attack, victims are sent an e-mail addressed to them. If they open it and click on an attachment that appears legitimate, like an invoice or electronic fax, they fall victim to malicious ransomware code. The e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software, according to federal law enforcement.
Once infected, the malware encrypts files and folders on local drives, attached drives, backup drives, and potentially other computers on the same network. Users and organizations are generally not aware they have been infected until they can no longer access their data or begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key.
Several years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems are better at filtering out spam, cyber criminals turned to e-mails targeting specific individuals, “spear phishing.”
FBI tips for dealing with ransomware include employee education about ransomware; Patch operating system, software, and firmware on digital devices, preferably through a centralized patch management system; Ensure antivirus and anti-malware are set to automatically update and conduct regular scans; Manage use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary; Configure access controls, including file, directory, and network share permissions appropriately, if users only need read specific information, they don’t need write-access to those files or directories; Disable macro scripts from office files transmitted over e-mail; Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations; Back up data regularly and verify the integrity of those backups regularly; and Make sure backups aren’t connected to systems they are backing up. For more information, check www.fbi.gov.