Tillamook County officials revealed that a $300,000 ransom was paid to regain data access after a January cyberattack.
The ransom amount was disclosed during the Tillamook County Board of Commissioners meeting Wednesday.
Commissioner Bill Baertlein, reading from a prepared statement, said it could have taken one to two years and cost $1 million to unlock the county’s computer system if a ransom went unpaid.
“The county’s rapid and aggressive response to the incident mitigated the compromise and contained the encryption to 17 of 55 servers and five of 280 county workstations,” Baertlein said.
The attack was reportedly carried out by an international cybercriminal organization known to law enforcement. The county's statement said the computer system was disabled for around two weeks, adding that new security measures were being implemented.
“The county made every effort to avoid the payment of a ransom to the cyberattacker, including recovery through two independent backup solutions and hundreds of hours of retained and county resources; however, data critical to county operations could not be restored without paying the cyberattacker for decryption keys,” Baertlein said.
“While the county maintained redundant backup solutions that would have protected our data in the event of a natural disaster, the cyberattack resulted in encrypted backups,” Baertlein said.
Commissioner Mary Faith Bell emphasized that the county was the victim of a crime, noting a new frontier of security hazards in the digital age. Commissioner David Yamamoto said while other municipalities have not disclosed cyberattacks, Tillamook felt transparency was important. He said the attack could have been much worse.
“It was a learning experience,” Yamamoto said.
Baertlein said the $300,000 loss would have a significant impact on the rural county’s coffers. He compared the cyberattack to being shaken down by a bully and called on the federal government to act against cybercrime.
It was not immediately clear what the additional costs of the cyberattack would come to after figuring legal fees, contractor costs and county staff overtime. The county treasurer is working to compile those costs by the end of April. Discussions with the county's insurer are ongoing regarding what costs might be covered.
County systems are now operational and a forensic investigation was concluded. The investigation found no evidence indicating personal information of employees or residents was accessed or taken by the attacker, according to county officials.
County officials said the cyberattack originated from a group called REvil. The group is reportedly also known as Sodinokibi or Sodin. Information Security Media Group reported that the malicious “ransomware-as-a-service” operation appears to be extremely lucrative.
"We all knew that ransomware was big business for cybercriminals and in our past several research blogs speculated about projected criminal profits, but seeing it firsthand by following the money trail gives a different level of realization that we are dealing with adversaries with very deep pockets, literally having millions of dollars as a budget," John Fokker, the head of cyber investigations for security firm McAfee, told Information Security Media Group.
The county’s server, internal computer systems and website went down in the Jan. 22 attack, and phone systems and email networks were affected. County computer network connections were disabled to contain the spread of malware.