How Cyberattacks Affect a Smart City: The Quincy Security Incident
The administrative system of Quincy, Illinois was hit by a ransomware attack on May 7, 2022, Mayor Mike Troup confirmed at a news conference on Tuesday.
In response, the city council passed a resolution authorizing emergency payments of more than $145,000 for cybersecurity consulting services and an undisclosed ransom payment of less than $500,000. “The total cost, including the fees of three cybersecurity consulting firms and the cost of obtaining specific decryption keys, is $650,000,” Troup said in a news release.
Troup said the ransomware attack affected administrative office email and phone calls, police and fire department communications systems, and the Quincy Public Library, as library services are hosted on City Hall servers. It appears that no data was leaked. “Through the entire [cyber incident] situation, we’re still able to provide our critical services to the city like water, recycling, waste [the sewage treatment plant], police and fire departments, which is remarkable,” he said.
During the press conference, Troup discussed the exact timeline of how the cyber event unfolded, starting with the initial interruption on May 7. According to Troup, the attacker’s entry point has yet to be determined, and cybersecurity advisers as well as law enforcement agencies including the FBI are still investigating.
The first signs of the attack came in the early morning of May 7, when police and fire department officials began to face systemic problems. “The cops have laptops in their cars, and the fire department has something like that. It’s affected and it’s causing problems with their day-to-day communications,” Troup added. That raised a flag with the city’s IT department, which rushed in to check the problem and eventually found the ransomware attack. The following Monday – May 9 – when the city’s administrators returned to work, email and office phone lines were found to be down, leaving some city employees, including the mayor himself, unreachable.
Troup said it was an “emergency” and the city immediately contacted its IT partners, including its cybersecurity insurance provider. Troup added that these consultants started work immediately, before payment for their services was even approved.
Payments for cybersecurity consulting services have been authorized by the city council, Troup said. The three companies were not named in the press conference. The city’s meeting agenda posted on Quincy’s website did note two of the three names: Mullen Coughlin, LLC, a law firm that specializes in representing companies facing data privacy and information security incidents, and Kroll Associates, Inc., a provider of cyber risk and governance solutions.
Although the city of Quincy had to pay more than $500,000 to obtain the decryption key for the ransomware, plus the cost of cybersecurity consulting services, Troup said so far there has been no evidence that data was stolen from the affected systems, which gives a “feeling of relief,” he said.
“[Illinois City] has two distinct systems: the first is a public interface to various servers, and the second is the financial system, including payroll and ledgers. This [financial system] has never been compromised. Anything therefore, employees, customers, or personally identifiable information of any kind will not be compromised,” Troup explained. “In accordance with U.S. federal guidelines, we need to notify affected parties immediately, so we are monitoring this closely,” he added.
Earlier this week, Troup said, most employees’ emails were working fine, although historical email data wasn’t guaranteed to be recovered. But he added that the recovery of all email accounts is expected to be completed by Memorial Day.
Troup didn’t say what kind of ransomware affected the system, but did say, “It’s clearly not domestic, not from Illinois or any domestic region.”
Ransomware also hits New Jersey County
Around the same time Troup was holding a news conference, Somerset County, N.J., also revealed that it was the target of a ransomware attack that disrupted its email service. “Somerset County experienced a cybersecurity breach involving ransomware this morning. As a result, the county email system was down and Tuesday night’s committee meeting was postponed. All county offices and phone lines are functional, but staff emails temporarily cannot be received or responded to,” it noted in the announcement.
“The county is performing its most normal functions, other than email. That said, we have activated the ongoing operations of our emergency operations center and government programs,” said County Executive Colleen Marr. “We assume that this will remain in effect for at least the rest of the week,” she added.
In an event update, the county said it was assessing the severity of the ransomware attack and that all “connected computers remain off, and county personnel are unable to receive or respond to county emails.”
In addition to email, the notice said Somerset County Clerk and Surrogate services that rely on access to county databases, including land records, vital statistics and probate records, are temporarily unavailable. “Title searches are only available on paper records prior to 1977,” the updated notice said.
Somerset County will reportedly hold its 2022 primary on June 7, but issued a statement clarifying: “Digital recording and voting machines for the upcoming primary were never connected to the county system and are not affected. The board and county clerk continue to perform their normal election-related functions, but replacement mail-in ballots are only available by phone or by visiting the county clerk’s office. Calendars for mail-in, early and in-person voting are not affected.”
These ransomware attacks underscore the risks associated with well-known vulnerabilities in Internet-facing software, at least those known to attackers but perhaps not to the enterprises operating the affected software. When it comes to vulnerability management, organizations of all sizes may fall behind, which is why it’s critical to have multiple layers of security against hostile behavior. One such layer is a server- and client-side VM backup solution (VMware Backup, oVirt Backup, XenServer backup, and so on), which protects servers that would otherwise be left exposed to ransomware operators. Enterprises and organizations can then determine the best strategy to safeguard their data.