
North Carolina County Suffers Repeat Ransomware Infections

Third Time is the Charm as Orange County Keeps Having to Recover?

A North Carolina county is recovering from the third ransomware attack that has hit its IT systems in the last six years. However, a spokesman says that no data has been lost or stolen.


The ransomware attack against Orange County, North Carolina, was first detected by the government's IT staff on Monday. Some of the areas affected by the incident include the computers at the local library, the tax department, the planning board and the county register of deeds, which means real estate closings and marriage licenses could not be processed.

The county's sheriff's department was also disrupted and deputies could not access criminal records or other information, officials say.

By Wednesday, the county's IT department said it had isolated the ransomware and was working on restoring the more than 100 computers affected by the latest attack against the local government. A spokesman for the county told Information Security Media Group that no data had been stolen or lost.

"Right now we can confirm that the county detected an encryption virus on our computer network early Monday morning. At this point, no data has been lost or any sensitive information stolen. The attack is still under investigation," Orange County spokesman Todd McGee wrote in an email to ISMG.

"Almost all of our services have been restored, but we can't put a definite timeline for when all will be back up," McGee added. "We have not received a ransom request."

Why Some Targets Tempt

It's the third time in six years that this one county has been hit by ransomware, local CBS affiliate WNCN reports.

It's not clear what particular strain of ransomware hit Orange County, and the county says this latest incident remains under investigation by local law enforcement, as well as the FBI.

The county has not disclosed how it was originally infected. But in an email to ISMG, Terence Jackson, CISO at Washington-based Thycotic, a provider of privileged access management tools, says these types of attacks often involve either a phishing email, which then delivers the ransomware to the network, or a system that has somehow been infected by malware that was not detected or blocked by preventative software.

Previous behavior may also be partly to blame. "With this being the third attack in six years, I can't help but wonder if the county has previously paid a ransom that has put them in attackers' crosshairs or if this is just bad cyber hygiene," Jackson says. "It appears they did offline the network to prevent additional harm, but recovery time will greatly depend on the state of their backups. Hopefully they have good ones."

Hackers Shop Local

Orange County is not the only local government entity to have been recently hit by ransomware.

Earlier this month, Jackson County in Georgia paid a $400,000 ransom to attackers after being crippled by a ransomware attack. In this case, officials confirmed that their IT systems had been hit by a strain of Ryuk, which was the same malware used in a very targeted attack against the Tribune Publishing company in late December 2018.

Throughout parts of 2017 and 2018, meanwhile, multiple local government agencies and cities, including Newark, New Jersey; Atlanta; the Colorado Department of Public Transportation; and the Port of San Diego, as well as several hospitals, were all hit by the SamSam ransomware, which locked up some IT systems for weeks and cost local officials millions of dollars to recover from.

In late 2018, the U.S. Justice Department indicted two Iranian nationals in connection with some of the SamSam attacks.

Budgets Matter

One reason more local governments are being targeted by ransomware is that they may lack the resources required to maintain robust cybersecurity policies, practices or procedures. Inadequate spending on security also means that officials cannot hire the necessary talent to fully staff IT teams, said Chris Morales, the head of security analytics at Vectra, a San Jose, Calif.-based threat detection and response firm.

To prove that point, Morales did a quick analysis of Orange County and its local budget.

"I was able to easily go to the Orange County website and gain information on lots of interesting details, which is exactly what an attacker would do when scoping a target. Per the 2010 census, the population of Orange County, North Carolina, is 133,801 with a median income of $42,372. The county budget is driven by property tax, which for 2018 was $139.6 million. These funds are used for public services, schools, and other county needs," Morales told ISMG.

"These are things that people ask for from their governments with little understanding for cybersecurity," Morales added. "The IT budget at Orange County for capital expenditure in 2018 was $3.4 million. For comparison, Bank of America spends more than $500 million a year on cybersecurity, [or] three times more than the total revenue of Orange County."

So perhaps it's not surprising that, given the lack of cybersecurity resources, crypto-locking malware extortionists are continuing to try to hold local governments to ransom.

"A small county would have limited funds left for cybersecurity, and attackers understand and know this type of information," Morales said. "This is why local governments and small businesses have always made for easy targets."

About the Author

Scott Ferguson


Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.
