AUGUSTA — The apparent, and still unknown, source of a cyberattack that shut down the city’s computer network and forced the closure of Augusta City Center for two days sought a ransom payment of more than $100,000 to unlock the frozen system.
Instead of paying the ransom, city officials — who as soon as they knew an attack was underway, literally pulled wires from devices as fast as they could to prevent the malicious software from spreading further through the system — decided they had the necessary data backed up, erased the city’s servers and set about restoring them.
City Manager William Bridgeo told city councilors Thursday that the attack was ransomware — malicious software whose operators demand payment to have it removed from the victim's systems — and included an offer to unlock the system if Augusta paid a ransom “in the six figures.”
“We did not pay the ransom,” Bridgeo said. “If the ransom was $250,000, I was committed to paying $500,000 to fighting it.”
Fred Kahl, director of information technology, said if the city paid the ransom it may not have even fixed the problem.
“You’ve got to remember you’re dealing with criminals, so if you pay the ransom, there’s no guarantee you’re going anywhere with that,” he said. “I was warned when this type of thing started they were pretty good about unlocking, but that’s no longer the case. They’ll just take your money and say bye.”
City officials declined to reveal the exact amount of the ransom demand, other than that it was for more than $100,000, saying doing so could encourage other similar attacks.
Ralph St. Pierre, finance director and assistant city manager, said the city has not yet tallied up the cost of dealing with the cyberattack. Most of that expense will likely be overtime for the five-member city information technology department — some of whom put in 80 to 100 hours of work over eight days on the problem. Additional costs have been incurred by the city hiring Systems Engineering of Portland to help fight the attack and fees to vendors for software that may need to be reinstalled.
Bridgeo said the city will file an insurance claim to seek to be reimbursed for at least some of those costs.
Bridgeo said the ransomware that hit Augusta appears similar to ones that have recently hit other municipalities, businesses and companies. Imperial County, California; Stuart, Florida; and Greenville, North Carolina were hit by ransomware last week as well, according to an article in the online cybersecurity publication SC Magazine. The capital of New York — Albany — was hit by a cyberattack earlier in the month, according to the Albany Times Union.
City officials still aren’t sure how the malicious software got into the city’s network.
Mayor David Rollins said he understood that it is not believed the shutdown was triggered by a mistake by a city employee opening up something on a computer they shouldn’t have. Kahl said what happened is still under investigation.
The city notified the FBI of the incident, and Kahl said he responded to their questions; St. Pierre said the city sent some devices to the FBI for their investigation into the criminal act.
Kahl said the FBI gave him a list of things organizations should do to help avoid cyberattacks, and the city was already doing 11 of the 12 things cited.
The one step the city was not doing is whitelisting, in which computers on a network are restricted to only run certain programs, such as those needed for employees to do their work, while blocking other programs. Kahl and St. Pierre said they were already considering whitelisting the city’s network before the attack but had not yet done so.
Bridgeo said restricting employees’ internet use on the city network can be a balancing act involving employee morale and the security of the system. He said the city would look hard at taking that step.
Kahl said IT workers are meeting next week to review best practices and look for any weaknesses in the city network. He noted they already regularly do security audits but said that, obviously, someone found a way through the city’s network security.
“I’m sure there were mistakes made on IT’s part,” he told councilors. “I don’t know what they are, or I wouldn’t have made them.”
Bridgeo said the good news is the city stores all its data on a mass storage device, and that was not compromised. He said data was not taken or breached, as far as they know, so the data can be recovered.
But the cyberattack is still interfering with city operations now.
The city’s Enterprise software system that runs many functions including payroll, accounts payable and receivable, motor vehicle registration and assessing, was restored Wednesday night, just in time for city employees to be paid Friday.
Other systems, including a record-keeping system tied to a scale at Hatch Hill landfill that electronically tracks transactions, were running again Friday, meaning workers there no longer have to write out receipts to haulers and other users of the landfill and recycling area.
But some operations, most of which don’t directly impact the public, may not be fully restored for a week or a week and a half. And staff will have to spend time entering the data that accumulated during the outage but could not be entered into the computerized record-keeping systems at the time.
Remaining problems caused by the cyberattack, as of Friday, include the now non-functioning door swipe system that provides access to city buildings like Lithgow Library and the gate at the John Charest Public Works Facility, an internal calendar and scheduling system used by city staff and the system that sends out a tone to alert public safety employees of emergency calls.
St. Pierre said the lack of that system does not pose a risk to public safety because firefighters are still alerted when there is a call and where they are needed, just not the nature of the call immediately. He said response times to emergencies have not been impacted by the computer problem. He also said city buildings with the inoperable door swipe system are instead just being manually locked with keys until the system is back up and running.
Kahl said the malicious software got into the city’s network server. When it activated itself early on the morning of April 18, it moved through the network, from server to server, encrypting software and making it unusable. He said an unusual aspect of the attack was it encrypted not only data files but also the operating system files themselves, which he said was not good.
“We saw what was in progress and we, quite frankly, just started disconnecting things, pulling wires out so it couldn’t move around anymore,” Kahl said. “Then we started looking at what was damaged and what wasn’t.”