Delaware County paid $25,000 in ransom during cyberattack

The perpetrator responsible for the fall cyberattack on the Delaware County government’s computer network got access through a phishing email — and got the county to pay $25,000 in ransom before relinquishing control of the system and the data in it, according to a publicly released county memo.

“Upon payment of the ransom, the threat actor provided the decryption tool necessary to unlock the county’s systems, a list of the files that were exfiltrated, and a general description of how the cyberattack commenced,” Frank Bilotta, the county’s chief information officer, said in the Dec. 28 memo sent to members of the County Council.

For nearly two months, county officials had been dealing with the aftermath of the malware event, which caused disruptions in the government computer network but not the Board of Elections or Emergency Services Department networks. Yet not much was known about the details of the cyberattack itself.

“The initial attack occurred in the form of a phishing email to a county employee from an external threat actor received on Sept. 10, 2020. The email contained malware that was downloaded, and once in the system captured credentials and infiltrated the network,” the memo said.

Phishing is a cyberattack tactic used to try to get sensitive information from someone through a disguised source of electronic communication.

At some point between the time the phishing email was received and Nov. 21, the county believes the perpetrator was stealing important information and activating the ransomware.

Ransomware is a type of malware that threatens to publish sensitive information and or block access to data until the ransom is paid.

Delco’s IT department first identified network anomalies on Nov. 21 and ordered the immediate disconnection of the county’s servers and computers. All county officials were soon notified, as were the Department of Homeland Security and the county’s insurance agent.

Outside cybersecurity experts and county IT staff began reclaiming the network.

“The team installed software to protect each computer and to stop the threat actor from communicating into or out from the environment,” Bilotta’s memo said.

However, the ransomware wasn’t a problem that just went away with the push of a button.

“The threat actor early on indicated that its intent was to hold the county’s system for ransom, accompanied by a threat to release data, including potential personal information, unless the ransom was paid,” Bilotta’s memo said. “Although the county was able to restore its capabilities from its backup systems, the executive director recommended to council that the ransom payment be made as the county’s exposure was limited to the deductible amount ($25,000) on its insurance policy and that working with the threat actor would accelerate system restoration and prevent information from being published.”

Since the attack, all of the county government’s networks and systems are secure, according to Bilotta’s memo. In the future, the county plans to update its system, apply security patches, and remove old hardware.

“These actions will require continued use of outside resources, including extending the use of the cybersecurity firm, upgrading security software, and engaging third-party project management to supplement existing staff,” Bilotta’s memo said.

A WHYY News request to Delaware County officials for an interview was declined.

“The county is not commenting any further as it’s an ongoing criminal investigation,” said Adrienne Marofsky, the county’s public relations director.

Ransomware attacks targeting municipalities are growing increasingly common in the United States — specifically those targeting local school systems, according to a December report by the federal Cybersecurity and Infrastructure Security Agency (CISA).

“According to MS-ISAC [Multi-State Information Sharing and Analysis Center] data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year,” the CISA report said. “In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July.”