Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Global ransomware attack takes a Maryland town offline

‘You couldn’t open any document, you’re completely locked from all your files’, Maryland town administrator explains

Rachel Lerman,Chris Velazco
Thursday 08 July 2021 16:00 BST
Comments
The attack has affected computer users from Sweden to New Zealand
The attack has affected computer users from Sweden to New Zealand (AFP via Getty Images)
Leer en Español

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

It was just after 12.30 pm on the Friday before the Fourth of July holiday when a warning popped up on Laschelle McKay’s computer screen.

Ms McKay, the town administrator for Leonardtown, Maryland, didn’t even have time to read the whole message before it disappeared and her computer froze.

“Everything shut down,” she said in an interview. “You couldn’t open any document, you’re completely locked from all your files.”

Ms McKay learned later that day that the town had been a victim of the massive ransomware attack that breached a popular software made by the information technology company Kaseya. The attack reached Leonardtown through its IT management company, JustTech, which uses the affected Kaseya product, JustTech told Ms McKay.

In emails sent to Leonardtown and shared with The Washington Post, JustTech wrote that neither its “servers nor your network were directly hacked or breached. The intrusion came through the remote monitoring and security software we utilise from an industry leading provider”.

The firm was part of what cybersecurity researchers are calling potentially the largest ransomware attack ever, affecting hundreds of businesses and other entities globally. In a ransomware attack, hackers break into a company’s systems, lock them and demand money for a key to unlock those systems.

Last week, hackers exploited a software vulnerability at the IT services provider Kaseya. The resulting hack infected about 60 of Kaseya’s customers like JustTech, customers that in turn provide IT services to small businesses. The attack then spread through the Kaseya software to affect as many as 1,500 US businesses, Kaseya has said, and the full extent of the damage is not yet known.

The Russian-language hacking group REvil has taken responsibility for the attack and demanded a total ransom of $70 million (£51 million) to unlock the files of all of its victims. Hundreds of grocery stores in a cooperative chain in Sweden had to close temporarily because of the hack, and at least nine schools in New Zealand were affected.

JustTech owner Joshua Justice said in an email that his team is working around-the-clock to restore backups to its affected clients in five states. “We had plans to bring clients back and fully recover from situations such as this but never envisioned we would need to do everyone at once,” he said.

McKay said JustTech informed Leonardtown that the ransom demand was $45,000 (around £33,000) per computer but that the town’s leaders never seriously considered paying. Instead, they are undertaking the painstaking work of restoring computer system backups. The town has 19 computers, and all but two were frozen. One was spared because the employee who uses it was on vacation and the machine was turned off, and the other was an older computer left at an employee’s home.

On Friday after the computers froze, Ms McKay said, city staffers called JustTech, which told them to start turning off the devices.

“Shut down everything,” JustTech reportedly told the city staffers, noting that the problem was bigger than just their organisation.

A JustTech employee showed up at the office Friday afternoon before the town had even been informed of the extent of the attack. The worker turned off the affected server, too. In its initial email to clients on Friday, JustTech wrote that it had “discovered the breach, disabled, and shut down the affected servers within eight minutes.”

The IT firm said it has secure backups for the town’s systems that it will be able to restore. But it’s unclear how long that will take. Experts say it can take weeks or months to fully recover from a cyberattack.

JustTech also has been inundated in the attack, Ms McKay said.

“We’re trying to be patient,” she said. “We were able to finally talk to one of the reps yesterday, and they’re just exhausted. I mean, it’s just been 24 hours a day since last Friday, working to try to recover, so I feel really bad for them.”

Ms McKay and the city staff of 15 others are doing their best to work without computers in the near term; they’re helping residents in person and over the phone. Their electronic billing software and system to send utility bills has shut down, and the office doesn’t have any internet access, except through individual cellphone plans.

Staffers need to run home to print documents, and even simple activities like scanning documents have become a chore.

“We can’t access any of our data right now, to be able to service our customers,” Ms McKay said.

The staff had been preparing quarterly utility bills to send out to about 3,000 residents. The bills were being finalised Friday, but all of that data probably has been lost, Ms McKay said, and the bills will be delayed.

“We have a lot of residents that are used to getting their bills on time,” she said.

She’s also trying to ensure the town’s payroll system is back online before paychecks need to go out next week, even if that means working with a different IT firm to get it running, something the town is considering.

Many residents have made contact by phone calls and texts to express their support for the small staff, Ms McKay said. Several asked if any personal information had been accessed during the hack. JustTech told the town it doesn’t think any personal information was taken.

Kaseya is working on a software patch for its customers affected by the hack but did not give an exact timeline for the fix.

Another town in Maryland, North Beach, issued a news release confirming that it, too, had been a victim of the attack. The town’s water and phone systems were still working, it said.

“Resolution of this incident is expected to take approximately one week and your patience is appreciated while our IT service provider works to reinstate the network server and workstations,” it said in the release.

Ransomware attacks have surged in the past few years as hackers work together to extort as much money as possible from victims including health-care providers, schools, municipalities and businesses of all sizes.

High-profile cyberattacks on Colonial Pipeline, the meat supplier JBS and several health-care providers have highlighted the dangers and potential widespread fallout from the attacks. The attack on Colonial caused a panicked run on fuel at East Coast gas stations, leaving some empty. An attack at a hospital in Vermont delayed chemotherapy treatments for some patients.

The Kaseya attack has put further pressure on the Biden administration to address cybersecurity within the United States and to resume talks with Russia about cybersecurity, given that many cyberattacks appear to originate inside Russia.

REvil is believed to be based mostly in Russia.

“If the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own,” White House press secretary Jen Psaki said Tuesday when speaking about cybersecurity consultations between the two countries, discussions that the leaders agreed to begin when they met last month.

The Washington Post

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in