Delco admits paying ransom to cyber attacker
MEDIA » Delaware County Chief Information Officer Frank Bilotta updated county council during its regular meeting Wednesday night on a cybersecurity breach earlier this year.
And, for the first time, officials admitted the county paid a ransom to have service restored.
“The initial attack occurred in the form of a phishing email to a county employee from an external threat actor received on Sept. 10, 2020,” Bilotta said. “The email contained malware that was downloaded, and once in the system captured credentials and infiltrated the network. During the period between Sept. 10, 2020 and Nov. 21, 2020, the threat actor was most likely stealing credentials, identifying sensitive data, and exfiltrating the information from the county’s operating environment.”
Bilotta, who began his employment with the county a few days early to deal with the threat, said the hacker activated a ransomware application sometime between Sept. 10 and Nov. 21, when it was detected by a member of the county’s Information Technology staff. That staff member notified senior leadership and disconnected all servers and computers, Bilotta said.
The county’s elected officials were made aware of the intrusion, as was the Department of Homeland Security and the county’s insurance agent, which provided contacts for a cyberforensics team and outside legal counsel with expertise in cybersecurity.
“Working with these resources, the county’s IT staff began claiming back the system environment and credentials,” said Bilotta. “The team installed software to protect each computer and to stop the threat actor from communicating into or out from the environment. The focus at this point was to contain the intrusion while evaluating the status of data backups.”
Bilotta said the hacker made it known fairly early on that their intent was to hold the county’s system for ransom, with a threat to release data like personal identifying information should their demands not be met.
It was previously reported that the sum sought was $500,000, but Delaware County spokeswoman Adrienne Marofsky did not confirm that figure Wednesday because it remains an ongoing investigation.
Delaware County Executive Director Howard Lazarus recommended that council pay the ransom because working with the hacker would allow for faster system restoration and prevent information from being published. The county was insured for such acts and the deductible would only be $25,000.
“Upon payment of the ransom, the threat actor provided the decryption tool necessary to unlock the county’s systems, a list of the files that were exfiltrated, and a general description of how the cyberattack commenced,” said Bilotta.
Bilotta said all county systems have since been restored and IT staff is pursuing various initiatives to build a more secure network in the future. These include rebuilding server infrastructure, updating operating systems and applying security patches, and removing vulnerabilities identified by outside support agencies.
Bilotta said these actions would require continued use of outside resources, including the cybersecurity firm, upgrading security software, and engaging a third party project manager to supplement existing staff.
To that end, council approved a $254,400 one-year contract with cyber security firm Kroll Inc., paid for out of the general fund, and a $150,000 professional services agreement with Judge Inc. to oversee Kroll and manage other potential technology and security projects, which will come from the IT budget.
Bilotta said the county should also pursue additional measures, such as moving data storage to a more secure, off-site location; continually evaluating back-up systems; ensuring all security applications are systematically upgraded across the network; and providing for cyclic upgrades to old software and hardware through the Capital Improvement Program.
Council and Lazarus thanked Bilotta and IT staff for their work on the issue, as well as the county Controller’s Office for continuing to put out payroll and pay vendors during the attack. Councilwoman Christine Reuther said council decided it could not put those payments at risk in deciding to pay the ransom.
Council Chairman Brian Zidek also addressed concerns council had about acquiescing to the hacker’s demands, such as what the costs might be and what kind of message paying the ransom might send.
“I, for one, don’t welcome the idea of paying a ransom to anybody, but we also have to balance that with the costs to the county if we didn’t pay the ransom, and those costs were going to be significant both in terms of manpower and womenpower and downtime for all departments,” he said. “It’s tough to measure the economic consequence of that, but I know that it would have been a profoundly – even more profoundly – disturbing incident had we not taken the action that we had taken.”
Councilman Kevin Madden indicated council had inherited a “shell” of IT infrastructure and applauded Bilotta and his team for working to rectify that as quickly as possible.
“I think one might look at this and say, ‘Great! This only cost the county $25,000!’ but how do we make sure it doesn’t happen again?” asked Madden. “That’s really what our emphasis is on now.”