Lake County officials plan to increase cybersecurity following a ransomware attack that shut down the majority of the county’s email server for more than two weeks.

The Data Processing Department contracted CrowdStrike, a California-based cybersecurity company, to help resolve the attack, and the company will continue supporting county technology systems, said Mark Pearman, the department’s executive director.

The Lake County Council will also meet to discuss which employees require email, how many computers are within county offices, what employees can or do plug into their computers and employee training, said Council President Ted Bilski, D-6th.

“You’ll never mitigate all risk, but we’ll look into ways to lessen liability and employee training,” Bilski said.

Ransomware is a category of malware that encrypts computer files and documents “making them inaccessible until a ransom is paid,” said Christine Bavender, spokeswoman for the FBI Indianapolis, in an email.

At 11 a.m. Aug. 22, a computer in the small claims court office displayed a message that stated all the files on the computer had been encrypted and that a decryption key had to be purchased to retrieve the files, Pearman said.

“We didn’t even bother (responding), we took care of it on our own,” Pearman said. “We don’t know how much they were asking. We didn’t contact them.”

The small claims court office reported the message right away, and the Data Processing Department started looking into the issue, Pearman said.

Department officials “suspected (the message) came from an email,” Pearman said, but 64 county servers were scanned to see if the attack originated there.

The email server was “infected” and shut down, Pearman said, and none of the other county servers were affected.

The Lake County Sheriff’s Office had access to email Sept. 3 because it is a “critical” department, Pearman said. All other county departments had access to email again Sept. 10, he said.

The Lake County Sheriff’s Office has still “been spending the last few days” catching up with emails, said spokeswoman Pam Jones. Employees in the office did not use personal emails or create separate work emails while the server was down, she said.

Though the lack of email slowed things down, residents could still come into the office if they needed services from the sheriff’s office, Jones said.

“We weren’t adversely affected because it was one system,” Jones said. “It was a matter of waiting until our experts could solve the problem.”

The Data Processing Department conducted an internal investigation and contacted the FBI to inform them of the attack, Pearman said.

“We have some information that we passed to the FBI,” Pearman said.

Reporting to the FBI

The FBI investigates ransomware incidents by collecting and processing evidence, identifying malware variants and finding “ransomware actors,” said Bavender, of the FBI Indianapolis.

Ransomware, which can impact anyone, is frequently delivered through phishing emails with either “malicious” attachments or links, Bavender said.

The FBI recommends not paying a hacker’s extortion demands because it “doesn’t guarantee an organization will regain access to their data,” Bavender said. In some cases, organizations never received a decryption key after paying ransom, she said.

“The payment of extortion demands encourages continued criminal activity, leads to other victimizations, and can be used to facilitate additional serious crimes,” Bavender said.

But the type of data at stake, or the consequences of not recovering it, can complicate a ransomware attack, said Scott Shackelford, chair of the Cybersecurity Program at the Kelley School of Business for Indiana University, in an email.

For example, if a hospital administrator’s computer is compromised, and lives are at stake, “then options are limited,” he said.

Organizations generally follow the procedure of contacting the FBI and local police and meeting with an internal security team to see what data is backed up, he said.

There isn’t comprehensive data on cybersecurity incidents, but “secondary sources” say that ransomware is on the rise, Shackelford said. Symantec, a California-based software company, reports that the varieties of ransomware have more than tripled since 2014, he said.

“We’ve seen recently there’s evidence that the attackers are getting more brazen, going after everything from hospitals and police stations to entire cities,” Shackelford said.

The best way to prevent ransomware attacks is to make sure all operating systems, software, firmware, anti-virus and anti-malware solutions are updated, manage administrative and privileged accounts carefully and practice skepticism, Bavender said.

LaPorte County attacked, paid ransom

On July 6, LaPorte County experienced a ransomware attack that was “particularly insidious in that it jumped over all our firewalls and was able to penetrate backup servers,” said LaPorte County Commission President Vidya Kora in a press release.

In LaPorte County, 7% of computers and two main domain servers were affected by the ransomware attack, according to the release.

The FBI told LaPorte County officials that its decryption keys would not unlock the county’s data, so the county had to pay the ransom, Kora said in the release.

The initial ransom amount was $221,000, but a negotiator helped LaPorte County officials decrease that price to approximately $132,300, which was paid in bitcoin, according to the release. The county’s cybersecurity insurance policy covers $100,000, according to the release.

LaPorte County was able to regain access to its servers after paying the ransom, according to the release.

The LaPorte County Commission plans to put protections in place, such as the “use of behavioral-based anti-virus software rather than just a signature-based anti-virus software,” along with more employee training and an annual cybersecurity audit conducted by a third party, according to the release.

‘No guarantee this won’t happen again’

Before the incident, Lake County already had systems in place, such as firewall software, to prevent ransomware attacks, Pearman said.

“The problem is no matter what we do, how much money was spent, there’s no guarantee this won’t happen again,” Pearman said.

About 10 days before the ransomware attack, the Data Processing Department discussed hiring CrowdStrike to help further strengthen the county’s antivirus software, Pearman said.

The county contracted CrowdStrike to help resolve the ransomware attack, Pearman said, and the company “will continue to be the company in the background” monitoring the county’s systems for viruses.

Though it’s “not deemed” a safe alternative, Lake County employees were instructed to create separate email accounts or use their personal accounts if needed, Pearman said. Employees also had access to phones and fax, he said.

LeAnn Angerman, assistant director of the Lake County Board of Elections & Registration Department, said the two directors and two of the supervisors in the department created separate accounts for work emails. The two other supervisors in the department asked the directors to send emails on their behalf, she said.

The employees in the Lake County Board of Elections & Registration Department don’t use email, so they weren’t affected, Angerman said.

While there’s “always a concern that an email could’ve been missed,” Angerman said she was pleased that anyone who emailed the department received a message that the email was not delivered.

“We were relieved to know that people knew their email wasn’t reaching us,” Angerman said.

Councilman Charlie Brown, D-3rd, a liaison to the Data Processing Department, said he will meet with department heads to see what can be done to prevent a similar attack from happening.

“I’m going to have a meeting with him soon to see what we can do to make sure we don’t run into that problem again,” Brown said.

Copyright © 2020, Chicago Tribune