


Ransomware hammers Madison County, Indiana

Nov 09, 2016 | 5 mins
Data and Information Security, Internet Security, Security

Madison County Commissioners unanimously agreed to pay the ransom

Madison County, Indiana, with a population of about 130,000, was the victim of a ransomware attack last week. Government workers without working computers were thrown back into the past to pen and paper, confusion abounded, and county commissioners unanimously voted to pay the ransom.

Indiana State Police Capt. Dave Bursten told WTHR, “It’s like when I came on in the 80s – we’re doing everything with pencil and paper.”

“We cannot query old information to bring up prior reports or prior court records,” Madison County Sheriff Scott Mellinger told Fox59. “If we want to bring somebody’s record up for something in the future, let’s say for somebody that has been arrested or somebody who is even in jail then we cannot look up information that would help us at a hearing. On the sheriff’s office side, we cannot book people into jail using the computers. We are using pencil and paper like the old days.”

In one of many contradictory reports, sheriff’s deputies were not using pen and paper but were “using laptops.” And since they couldn’t access police reports, they were “collecting information and creating documents in Microsoft Word.” While that’s not normal operating procedure, typing in Word is not quite the same thing as using pen and paper.

County residents making special trips to the courthouse were reportedly ticked, turned away, or their information was jotted down on paper. Auditor employees took vacation or burned personal time off, since “without the computer system there could be no work done,” auditor Jane Lyons told TheHeraldBulletin. “We have to access all our information on the computers.”

Two of the Circuit Court divisions kept going, keeping track of court activities by hand, but one judge moved all of Monday’s court hearings to another date.

The ransomware was discovered “Saturday” at the county’s Central Dispatch after the “computer system started locking up.” Indiana State Police Capt. Dave Bursten mentioned that 911 calls were being taken down by hand as opposed to being entered into a computer.

Otherwise, there are conflicting reports about the details of the ransomware attack. For example, after the attack reportedly occurred on Friday, Nov. 4, locking the county out from accessing records, Fox59 asked Madison County IT Director Lisa Cannon how this could happen “to an entire county’s computer system?” In return, “Cannon explained that the IT department took all the security measures they could have, but hackers found a way in.”

Wouldn’t taking all the security measures possible have included having offline backups, or at least some backups? Cannon told TheHeraldBulletin, “We’re in the process of adding a backup system.” Unfortunately, that’s too little too late.

Employee awareness might also need a bit of work, or perhaps it was simply sound advice when an Indiana State Police spokesman advised people that it is “critical to back up pictures, files, records – everything either in the cloud or on a hard drive. Also, avoid clicking on any links you’re not familiar with.”

Cannon claimed, “County officials are confident that no personal information from local residents was compromised.” However, she also added, “We’re checking to determine if any information was harvested through the attack.”

There was no mention of the ransomware variant that hit the county. Several articles reference a specific quote on Fox59 that is no longer a part of the article. That missing quote was allegedly a statement by Madison County Sheriff Scott Mellinger: “There are so many unknowns here because even the investigators that had a lot of experience in this area are telling us they have not dealt with this specific virus before.”

Umm, that is doubtful but not impossible. However, now the article quotes Sheriff Mellinger as saying, “They are calling this a very significant event and that means whoever is behind it absolutely knows what they are doing and it is going to be extremely difficult for us to gain access of our servers on our own.”

Additionally, there have been only vague references to the ransom amount demanded. WTHR claimed the ransom was “thousands of dollars.” Cannon refused to reveal the actual amount, but she told Fox59 that it was a “large sum.” Yet Madison County Commissioner John Richwin claimed the ransom “was for an amount less than most county residents would have anticipated.”

According to StateScoop, during an emergency meeting on Saturday, county commissioners were told “they had seven days to pay the ransom. Commissioners unanimously agreed to pay the ransom.”

Madison County was covered by Travelers Insurance, which will reimburse a portion of the cost, less the county’s deductible.

Here’s another head scratcher: TheIndyChannel reported, “No one has taken responsibility for the attack.”

Hello? Read the ransom note. I’d be willing to guarantee the payment is going to someone as opposed to “no one.” Tracking down that someone may not be so easy. The Indiana State Police were continuing to investigate.

Presumably the inconsistencies are a result of people being unfamiliar with ransomware and how it works. The IT director explained ransomware so non-security-minded individuals would grasp it: “Just as you would have a ransom note you see on a drama on TV when someone is kidnapped, there is a ransom note and it is exactly that type of thing.”

As for the county commissioners meeting and voting to pay the ransom on Saturday, did paying the ransom work? As of Monday, it was reported that Madison County was not expected to be up and running until today. StateScoop said earlier today that “services are still being brought online.”

Thankfully voting in Madison County was not affected, as it was on a different system.


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.