NEWS

Hackers seizing Ohio government systems

Adrian Burns
USA TODAY NETWORK - Ohio

Pay up or suffer the computerized consequences.

That’s the bottom line for an increasing number of local government bodies that have fallen prey to a relatively new cybercrime trend that spread in 2016.

Called “ransomware” and often launched from outside the country, the attacks come in the form of a computer virus that a freezes a computer system until a ransom is paid.

While it may sound like the plot of a Hollywood thriller, the attacks have hit a handful of Ohio governmental bodies and can strike a devastating blow to the ability of a local government to function efficiently.

A shut-down of the computer systems of Licking County, the state’s 17th largest county, is the most recent example. The county’s phones and computer systems - including part of its 911 system - went down the evening of Jan. 31 and could be out for weeks, said local officials, who have not announced if a ransom will be paid.

“We don’t believe we were specifically targeted,” said County Commissioner Tim Bubb. “Clearly, it’s designed to make money for somebody. It was just our unlucky day. It was something created to cause havoc.”

While hacking efforts were once mainly confined to expert programmers, attacks such as that seen in Licking County have become more common in recent years as cheap, readily available hacking software has emerged around the world, said Anish Arora, a computer science professor at Ohio State University.

“It has become extremely cheap,” he said. “You can get this stuff for tens of dollars, like thirty dollars.”

The result of a combination of a tiny initial investment requirement and typically zero chance of prosecution for foreign operators: a surge in ransomware attacks.

“On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015,” stated a Department of Justice report on ransomware, which can strike individuals, businesses or government bodies.

The average ransom demand is $679, according to a 2016 study by computer security firm Symantec.

Ohio has seen several other attacks, and ransomware was the subject of a June 2016 bulletin from the office of Ohio Auditor Dave Yost. One such attack hit the Columbiana County Juvenile Court in 2016, and $2,500 was ultimately paid to free the computer system because system backups hadn’t been made, Yost’s office said.

Such incidents are disruptive and not particularly good for the public image of the affected government body, said Columbiana Count Auditor Nancy Milliken.

“Counties hate to admit that it has happened to them,” she said. The auditor’s office has performed data backups for years, but instituted some new security procedures following the ransomware attack on the juvenile court computers, she said.

Indeed, system administrators need to assume that a ransomware attack will occur, and back up all systems regularly, Arora said.

“The challenging part is there is no guarantee that if you pay the money the system will be restored,” he said. “The right thing to do is to clear the servers and start again.”

Newark officials said they believe their backups are sufficient to bring their systems online, but could take at least another week to accomplish.. Ideally, however, a procedure should be in place that keeps systems from staying down for a long period following a ransomware attack, Arora said.

“It really goes back to the sense that you have to assume even after you do everything that there is some chance you will get compromised,” he said. “They may have had a good policy for avoiding this but their policy on how quickly they could recover was not as well defined.”

For Marion County, which has had a handful of ransomware attacks in recent years, the incidents were less disruptive because backups were sufficient to restore affected systems - and no ransoms were paid, said Keith Vanderpool, the county’s IT administrator.

“We’re on edge all the time,” he said.

Ransomware can be such a threat to a government body’s operations that Richland County Auditor Patrick Dropsey said he wouldn’t discuss the matter at all.

“It’s a touchy subject,” he said. “It’s taken very seriously.”

Viruses frequently enter a system because a user clicks a link in an email or downloads an infected attachment. But websites with infected links or prompts to start a download have also become a popular route for hackers, Arora said.

It is important to train employees not to make the types of mistakes that can let a virus in, but ultimately the IT system must be designed to fend off attacks and to back up files in the case of an infiltration, said Andy Wettersten, who heads up IT for several government agencies in Ross County.

“I know that the threat is growing and that we are a target simply by existing and participating in this line of work,” he said.