Ransomware Prompted Emergency Declaration for Mississippi County


Mississippi’s George County suffered a significant ransomware attack earlier this month. The attackers encrypted all three of the county’s servers, downing “nearly all of the government’s in-office computers,” Recorded Future News reported.

Soon after, the county supervisors declared a local emergency, per Alabama Media Group’s AL.com. That declaration let them bypass traditional bidding processes and contract immediately with IT professionals.

The entire county system reportedly went down for more than two days. But the county managed to have one of the three servers fully restored by July 19 and another partially restored by the following day.


County officials reportedly discovered the attack in the early morning of July 15. At the time, the county had only one IT person. But during a July 17 board meeting, the county upped the IT workforce to four people, all of whom began dedicating 12 to 16 hours each day to restoring systems. That meeting also saw county leaders approve budgets for emergency cyber services.

Attackers gained access to county systems via a phishing email designed to look like a routine system update reminder. When an employee clicked on a link in the email, the extortionists gained initial access. They then moved laterally among computers until they obtained an administrative account that let them reach the wider network.

“From there, they systematically went through and locked out everybody’s personal office computer,” George County Communications Director Ken Flanagan told Recorded Future News. “It was a highly coordinated attack, and it also appears that after they encrypted all three servers, they went through each department looking at each individual computer to see what was the best data in there.”

The extortionists demanded a steep ransom for a jurisdiction of fewer than 25,000 people, leading investigators to think the perpetrators didn’t realize how small George County is, Flanagan told AL.com.

IT workers discovered the ransomware note while working on restoration July 18. The note was saved on one of the servers, and in it, attackers…
