Original article by The Joplin Globe
While Joplin officials continue to mostly remain mum, a failure of the city government’s computer and telephone systems more than a week ago could have been the result of a ransom demand, a Joplin information technology expert says.
City systems seemed to be operating July 6, but city officials announced July 7 that the city’s computer systems were down. That interrupted the city’s internet-based telephone system and its online capabilities.
In a statement, the city called it a “network security incident” and said it was reported to a law enforcement agency.
There has since been no explanation of the cause and not much word on the status of the investigation. City officials did cite phone system restoration, but nothing about the computer systems. In recent days, the city has not made further statements or answered Globe questions sent to officials about the situation.
John Motazedi, the owner of a local IT consulting firm, SNC Squared, speculated that the city might have been hit by ransomware, a malware program used to encrypt computer systems. Motazedi said his opinion is conjecture but that the failures reported by the city resemble what happens when hackers disable a system to demand a ransom payment.
Motazedi said there are several ways to infect a computer system with crippling software: an email carrying a coded program that unleashes encryption across the system, a malicious program downloaded by someone who does not know it is infected, or direct access to the system’s servers, the central brain of a computer system, to implant the encryption.
“Typically they get in through some administrative account because that account can get into other machines that are connected together,” Motazedi said. An administrative account is used by IT technicians to oversee computer operations and make changes to the system.
Once a system is overtaken by encryption of its programs, the user cannot operate the computer or the system but will instead receive a pop-up message to pay a certain amount of money to receive a code that can be used for decryption. Typically, internet criminals demand payment in bitcoins, a kind of online currency difficult to trace.
If a computer owner does not pay the ransom, hackers might sell any information found in the system on the dark web, Motazedi said. The dark web is a place online that requires a special browser to reach. Both legal and illegal information can be posted on the dark web, but it is known as the place to buy and sell stolen data such as identity information and credit card numbers.
Ransomware hackers demanded $1.6 million in an attack on the Crowder College computer systems in July 2019. That shut down computer operations campuswide and took about five months to overcome, college President Glenn Coltharp said.
The college immediately contacted the FBI about the intrusion, Coltharp said, and that could be a reason Joplin city officials aren’t providing the public with much information about their situation.
“The FBI is one of the first contacts we made, and they recommend that you say as little as possible for the reason that it hurts them trying to do an investigation and track it down if information is out there” for sale, Coltharp said.
“We chose not to pay ransom and rebuild our (computer) system,” he said. “At that time, the insurance company and the FBI recommended we not pay. This is a group (the hackers) that’s not the most ethical group in the world, so even if you pay them, how do you know if they are really going to open your system back up? If they open it back up, how do you know it’s not going to go down again in a week” with another ransom demand?
“We chose not to pay it, and I never second-guessed this decision,” he said. “The only way we get through this as a society is if we don’t pay because the only way they are going to quit is if they don’t get the money.”
The FBI operates an internet crime complaint center called IC3 that, according to its website, had recorded a million reports in one year as of May, after logging 5 million over the 19 previous years. Many of those cases involved individuals, rather than institutions or businesses, defrauded by internet scams.
Only days before Joplin city government experienced its trouble, the Joplin Board of Education decided to spend nearly $200,000 this year for added computer security. It will cost another $160,000 the next two years, but Kerry Sachetta, assistant superintendent of school operations, said that’s far less than the cost of recovering from a disabled computer system.
In addition to the cost of repairs to the system, there’s the loss of operations during what Coltharp described as a frustrating process of getting the system running again.
“It’s a terrible situation to go through,” Coltharp said. “It’s like nailing Jell-O to a wall. … That’s what this process is like. When you fix part of your system, you’re hurting another part until you can get it fixed. For the whole time, you’re taking two steps forward and one step backward as you get something up and running and you have to take something else down. You’re also working with outside vendors, so you have to get your software to work with theirs.”
Sachetta told the school board that cyberattacks like those in May on Continental Pipeline, which shut down fuel deliveries to the eastern U.S. for a few days, and on JBS, the world’s largest meat processing company, have become common now. On July 2, only five days before the Joplin city government was hit, about 1,500 cities and businesses that use Kaseya IT management software were hit by ransomware demands.
“No sector is immune, and there’s no rhyme or reason to these attacks other than throwing a dart on a map,” Sachetta said.
“It’s not a matter of if you get hit. It’s just a matter of when,” he said.