Hackers demanded Bitcoin ransom from town

Public WiFi locked-down as security precaution
By Louis Bettcher | May 15, 2018

Rockport — During a meeting of the Rockport Select Board on May 14, Town Manager Rick Bates and the town's IT specialist, Gus Natalie, explained that hackers who crippled the town's computer systems last month demanded payment via the cryptocurrency Bitcoin.

Natalie also explained that the town's public WiFi has been disabled as a security measure in the wake of the hack, which occurred on Friday the 13th of April.

"Currently the town's wireless network is locked-down to being a private network only for town employees. The public network has been shut off until we come up with a new plan, which I believe we're in the works of doing," said Natalie on May 14.

April 13

The Rockport Town Office was closed April 17 as the result of a computer virus, which affected the municipality's computer servers. The virus was sent on April 13, and initially presented itself by "blacklisting" town employees, a process through which the computer server sent back rejected emails. Additionally, town documents and information were encrypted.

"On Friday the 13th the Rockport Town Office was hit with a serious virus that effected our server and our off-site back up. There was no theft of data that occurred, but files were encrypted in an attempt to get us to pay a ransom to get the encryption removed," said Bates in a statement that day.

Information technicians worked throughout the weekend to restore the encrypted data and are currently working to rebuild the town's computer network. Bates said that the town office was closed in order for employees to re-enter transactions from April 13 and tax payments, before the office could begin processing new transactions.

Natalie worked throughout the weekend and into the week, devoting 100 hours to resolving the problem. With the help of IT consultant Mike Dean, he was able to rebuild the town office's servers and recover all of the data from the computers with the exception of data from April 13 because the virus prevented it from being backed-up. This information has since been re-entered, and the Rockport Town Office reopened at 10 a.m. on April 18.

"I'm not sure what the [ransom] demand said, as it was a file found by the IT guy in the server. We did not pay the ransom. There are no leads, as it could be a computer anywhere in the world," said Bates on April 19. The virus was able to bypass software and firewalls installed on Town Office computers to prevent such threats.

Bates said that the Rockport Police Department is not investigating the matter, and does not have officers trained in such instances of computer hacking. He said that an investigation would have been conducted if it was felt that the virus was sent internally, from someone at the town office.

May 14

At the Monday night Select Board meeting, Bates explained that there are still two weaknesses in the Town Office's computer system -- the public WiFi and the e-mail server -- and presented to the board a number of solutions that he and Natalie had devised to provide additional security moving forward. Bates and Natalie also referred to the ransom demand.

"What we went through is not unheard of; thankfully [Natalie] and [Dean] got us out of it very well. I lot of people are surprised that we were able to get all of our data back and we didn't have to pay the ransom, which I would have gladly paid. But I think for [Natalie] it was more of a challenge -- he didn't want them to win, and they didn't," said Bates.

Bates said that as a result of the incident, the town's previous methods of backing-up data and managing email would have to change. Bates said that data security, and how it relates to insurance rates within a municipality, was highlighted at a conference he attended recently.

In order to achieve heightened security, a recommendation by Bates and Natalie is to remove data from on-site servers to a "Cloud" server. A cloud server allows customers, who rent virtual space on a server, to access their information remotely.

"I just want to make it clear that the reason we didn't pay the ransom is that it was going to take awhile to get the Bitcoin: it would have meant two weeks of the Town [computers] being down, while we were waiting for Bitcoin and the decryptor from the hackers," said Natalie. The dollar amount requested by the hackers was not mentioned.

Suggested technological upgrades

Natalie recommended at the meeting that the town move their email, which is currently hosted on-site, to the "cloud" through Microsoft 360. This would remove the risk of "infected" emails or those containing viruses from getting into the town's network. Natalie said another benefit of the plan is that town employees would be able to keep their current Microsoft operating products, and that data would be backed-up.

According to Bates' manager's report, the cost of this service will be between $9,000 and $12,000 per year.

"We have developed solutions...but they come with a cost. A cost that we did not plan for in our [fiscal year 2018-2019] budget. Many of these changes are a dramatic shift from the approach we had been using but will give us the security we need in the future," said Bates.

Chairman Ken McKinley asked Bates if the Selectmen were expected to make a motion to approve the expenditures at that evening's meeting. Bates said that the town could go ahead an approve the new tech array, provided that the Select Board would be aware that funds from the reserve account may be required in the future to pay some of the initial costs back.

Selectman Mark Kelley asked Finance Director Megan Brackett what she anticipated the total dollar amount of the email and off-site server upgrades would be. Brackett estimated the total cost would be approximately $20,000. Brackett said that she hoped that some of the money could be provided by making cuts to the upcoming municipal budget.

Selectman Doug Cole asked how much the ransom was demanded by the hackers last month.

"$1,000," said Natalie.

"I think that this proposal is helpful, but I don't know how many computers we have, so I would like to ask that [Brackett] and [Bates] look at how many computers we have, pick what we need and then put it into a spreadsheet so that it's easy to look at and see what the costs are, what's a one-time cost, what's a recurring cost...that would be very helpful for me to understand what we're being asked to do," said Cole.

Brackett and Bates said that there had been difficulty preparing some of the figures for the evening's presentation due to a problem with the town's Treo software, which hadn't been working correctly since April 11. They said the problem with the software was unrelated to the April hacking.

McKinley proposed that the conversation about purchasing the new technology be continued at the Board's next meeting. The Rockport Select Board will meet Tuesday, May 29 at 7 p.m. in the Geoffrey C. Parker meeting room of the Rockport Opera House.





Comments (1)
Posted by: Ken Pierce | May 16, 2018 06:15

You never pay ransom to hackers, EVER. There is no guarantee they will ever release your data even if you pay them. Offsite backups are the only way to get your data back with any certainty. You will end up having to re-enter any data entered between your last back up and the attack. These attacks are usually accomplished through fishing schemes as opposed to a targeted attack. Most likely someone on the town network opened an emailed file or link that looked legit but was actually a virus that infiltrates the server and locks up the data. Never open a file or click a link from someone you don't know! Moving to an off site email server is good, too. That way if your server is attacked your email is not there to be taken ransom. Virus scanners often do not catch these things. Some do and will not let your computer open the file but you really can't trust it 100%. I've been through one of these attacks at work and we did not have an offsite backup at the time. My boss had also slacked on USB backups so we had to rebuild 6 months of data loss. That's no small task and we lost some data that we will never get back. We were hiring at the time and my boss didn't think twice about opening a file labeled as a resume. Needless to say, we no longer accept applications or resumes via email for this reason. Be careful when using the Maine Job Bank. They encourage emailing resumes and applications but there is no reason hackers can't go to that website and get a list of hiring businesses to attack.

If you wish to comment, please login.