Ransomware cyber attack hit Chatham County’s network hard; data stolen

Pittsboro, NC – Chatham County Manager Dan LaMontagne presented an update regarding the October 2020 cyber attack to the Chatham County Board of Commissioners at its regular meeting on February 15, 2021. The following details are included in LaMontagne’s report.


The Incident
On October 28, 2020, Chatham County Management and Information Systems (MIS) staff identified a ransomware attack against the County network that resulted in the encryption of much of its network infrastructure and associated business systems. MIS staff quickly isolated the affected systems by stopping communication across the county network and externally. Staff immediately reported the crime to the Chatham County Sheriff’s Office as well as enlisted assistance from other local and state agencies with specialized ransomware experience.

Forensic analysis revealed that ransomware entered the County network through a phishing email with a malicious attachment. The threat actor, identified as DoppelPaymer, acquired data from a limited number of County systems although the data that was acquired could not be specifically determined.

DoppelPaymer’s infection routine (image courtesy of Trend Micro)

Like many modern ransomware families, DoppelPaymer’s ransom demands for file decryption are sizeable, ranging anywhere from US$25,000 to US$1.2 million. Starting in February 2020, the malicious actors behind DoppelPaymer launched a data leak site. They then threaten victims with the publication of their stolen files on the data leak site as part of the ransomware’s extortion scheme.

The Impact
As a result of the cyber attack, the county lost the use of its computers, internet access, office phones and voicemail. The county acquired loaner laptops from other counties, towns and Chatham County Emergency Management.

“Securing these critical resources did not result in additional expenses being incurred by the County and were instrumental in the process of getting us back on our feet as quickly as possible,” said LaMontagne.

Emergency Management was able to provide temporary internet access points and phones. Staff set up temporary email addresses for internal communication and access to the public, and the County created a cyber incident web page to inform the public.

Recovery Efforts
Chatham County Emergency Management coordinated daily briefings with stakeholders during the initial weeks of the incident. MIS staff and agency partners conducted a full rebuild of County network infrastructure. The county worked with its existing software vendors to restore business systems. MIS staff wiped and reimaged the County servers and more than 550 employee computers.

“The commissioners and I are grateful for the work that all of the County staff has done across every department in dealing with the numerous challenges that resulted from this incident,” said Chatham County Board of Commissioners Chair Mike Dasher. “We appreciate their commitment to serve the public and their adaptability to ensure that our residents continue to receive the programs and services that they count on.”

The process of restoring business systems, phones, network connection and returning County computers to staff is nearly complete. Full system recovery efforts are estimated to continue through early 2021.

The County had the foresight to mitigate its exposure to such an incident through the procurement of cyber insurance. “We are collaboratively working with our cyber insurer on this incident and anticipate that the bulk of the direct costs associated with this incident will be covered,” said LaMontagne. “We are thankful for everyone’s dedication and efforts to minimize the impact of this incident.”

Breach Notification
On February 8, the County discovered that the cyber actor(s) responsible for the October 2020 ransomware event against the County released certain data acquired by the cyber actor(s) from the county’s servers. The county’s investigation of this event remains ongoing. This includes efforts to identify and notify every individual whose personal information may have been impacted.

“Once the Sheriff’s Office received a tip off regarding the data breach, we acted quickly to notify all victims—mostly our own employees—whose sensitive information was copied from Sheriff’s Office files,” said Sheriff Mike Roberson. “All victims identified in our review of the stolen Sheriff’s Office data were notified and provided with Identity Theft guidance within 24 hours of confirming the contents of the appropriated files.”

The county will release information about any resources it assembles to assist individuals in protecting their information. In the meantime, the County encourages any individuals who believe they may have been impacted to remain vigilant and monitor their accounts for any suspicious activity. The county also encourages individuals who believe they may be at risk to consider placing a fraud alert and/or security freeze on their credit report. Information about these safeguards is available on the Federal Trade Commission’s website at: www.FTC.gov. The NC Department of Justice (NCDOJ) provides a free security freeze. More information can be found here.

“While I am disappointed that we are faced with this additional challenge during our recovery process, I know that our resilience will get us through this time,” said LaMontagne.

Improvements
Along with the extensive mitigation efforts taken by the County during the cyber incident, Chatham County MIS also evaluated the existing security protocols in an effort to further build upon the security of the County network. The County is evaluating and implementing additional security measures and reinforcing employee training.

“The threat from outside individuals is constant, and Chatham County aims to take all reasonable actions to secure our data and infrastructure,” added LaMontagne.

During this time, the County also took the opportunity to improve and update some of its software. These actions include upgrading to Office 365, changing from .org to .gov domain for emails, replacing CityView with OpenGov software for Chatham County Central Permitting and completing the Northwoods/Laserfiche upgrade at Chatham County Department of Social Services.

The cyber attack report can be viewed at chathamnc.org/cyberincident.

What can organizations do?

Organizations can protect themselves from ransomware such as DoppelPaymer by ensuring that security best practices are in place. These include:

  • Refraining from opening unverified emails and clicking on any embedded links or attachments in these messages.
  • Regularly backing up important files using the 3-2-1 rule: Create three backup copies in two different file formats, with one of the backups in a separate physical location.
  • Updating both software and applications with the latest patches as soon as possible to protect them from vulnerabilities.
  • Ensuring that backups are secure and disconnected from the network at the conclusion of each backup session.
  • Auditing user accounts at regular intervals — in particular those accounts that are publicly accessible, such as Remote Monitoring and Management accounts.
  • Monitoring inbound and outbound network traffic, with alerts for data exfiltration in place.
  • Implementing two-factor authentication (2FA) for user login credentials, as this can help strengthen security for user accounts.
  • Implementing the principle of least privilege for file, directory, and network share permissions.
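The backup items above (the 3-2-1 rule and keeping backups disconnected after each session) can be turned into a mechanical check against a backup inventory. The script below is an added example, not code from the County or from Trend Micro; the inventory records and the `BackupCopy`/`check_backup_policy` names are constructed here, and the page’s “two different file formats” is modelled as a `medium` attribute.

```python
"""Audit a backup inventory against the 3-2-1 rule and the offline requirement."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str       # storage medium or format, e.g. "disk", "tape", "object-storage"
    site: str         # where the copy physically lives
    connected: bool   # True if still reachable from the production network


def check_backup_policy(copies: List[BackupCopy], primary_site: str) -> List[str]:
    """Return human-readable violations; an empty list means the set is compliant."""
    violations = []
    # "3": at least three copies of the data
    if len(copies) < 3:
        violations.append(f"only {len(copies)} copies (need 3)")
    # "2": copies spread over at least two different media/formats
    media = {c.medium for c in copies}
    if len(media) < 2:
        violations.append(f"media {sorted(media)} (need 2 distinct)")
    # "1": at least one copy kept at a different physical location
    if not any(c.site != primary_site for c in copies):
        violations.append("no copy outside primary site")
    # Ransomware that reaches a mounted backup encrypts it too: every copy
    # must be disconnected once the backup session has finished.
    for c in copies:
        if c.connected:
            violations.append(f"copy '{c.name}' still network-connected")
    return violations


# Constructed sample inventories (not real County data)
COMPLIANT = [
    BackupCopy("nightly-disk", "disk", "county-dc", False),
    BackupCopy("weekly-tape", "tape", "county-dc", False),
    BackupCopy("offsite-object", "object-storage", "partner-site", False),
]
NONCOMPLIANT = [
    BackupCopy("nightly-disk", "disk", "county-dc", True),
    BackupCopy("mirror-disk", "disk", "county-dc", True),
]

if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(label, check_backup_policy(inventory, "county-dc") or "OK")
```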