A Madison County ransomware attack over the weekend has resulted in most of the Indiana county’s computer systems being taken out of action, causing major disruption to county services.
The ransomware is believed to have been installed on Saturday, November 4, and was first noticed by Central Dispatch when staff found they could no longer access their files.
The voting system was unaffected and emergency services continued to run as normal, although the attack did take out systems used by the courts. On Monday, many of the county's offices remained closed while efforts continued to resolve the infection.
Madison County holds a cyber insurance policy with Travelers, which was contacted once it was clear that file access was prevented as a result of a ransomware attack. According to John Richwine, Commissioner for Madison County, Travelers advised him to pay the ransom to obtain the keys to unlock the encryption.
The ransom has now been paid and keys have been supplied by the attackers to unlock the encrypted files. It is unclear how much was paid to the gang behind the attack, although unofficial sources suggest a figure of $21,000 was paid in a virtually untraceable cryptocurrency. The ransom payment will be covered by Travelers, with Madison County only required to pay the deductible.
Decrypting data is not necessarily a straightforward process, even when valid keys have been supplied. Care must be taken when restoring data and the process can take a number of days. County officials remain hopeful that the infection will be resolved by Wednesday.
Checks are currently underway to determine whether any data were accessed or stolen by the attackers. Attacks of this kind are usually carried out solely to extort a ransom payment, and data are not usually stolen, but the encryption of files does not by itself rule out theft; only an investigation of the affected systems can confirm that nothing was taken.
Madison County was in the process of upgrading its systems when the attack occurred, although it is unclear whether the upgrade would have prevented the attack. Lisa Cannon, director of the county's IT department, gave a statement to the media saying a backup system is now being installed. Should further attacks take place, data should be recoverable from backups without the need to pay any ransom demands, provided the backups are kept isolated from the systems they protect so that they cannot be encrypted along with them.