Hall County government offices — including the courthouse, government center, community centers, sheriff’s precincts and a number of other facilities — have experienced issues with phone and email service since the attack. County officials do not believe residents’ or employees’ data has been compromised, according to a news release sent the evening of the attack.
County leaders have detailed how government services have been affected and provided updates as services come back online.
Assistant County Administrator Zach Propes, speaking with The Times Monday, Oct. 12, declined to comment on the investigation.
The Times asked county spokeswoman Katie Crumley whether the county had information about who was involved, whether anyone was demanding money to restore access, whether the county would negotiate with anyone involved and who would be involved in fixing the system. Crumley said the county was continuing to investigate the situation and could not share further information.
“As soon as it occurred, the County began working to investigate the cause, to restore operations, and determine the effects of the incident,” according to the news release. “Hall County has also enlisted the assistance of third party cyber security professionals to expedite the recovery.”
The Hall County Sheriff’s Office referred questions about law enforcement involvement to Crumley. Crumley declined to comment on the county’s investigation, as well as on who was working to resolve the issue, backup measures to save county information, how the ransomware reached county networks or who oversees the county’s security network.
On Thursday, Oct. 8, the Hall County Board of Commissioners unanimously approved “the authorization for the County Administrator or his designee to take any and all actions necessary as a result of any potential security incident, and ratification of all actions taken to date as a result of any potential security incident.”
County Administrator Jock Connell said Thursday he could not provide details about actions already taken or planned to address the incident.
Ransomware is a type of malware (software that can attack a file, computer or entire server) that has grown in popularity in recent years, according to Ash Mady, University of North Georgia department head of computer science and information systems.
Ransomware can be uploaded to a server in a few ways but is most commonly spread via email, Mady said. A cyber attacker can send an email with a seemingly innocuous attachment that, when opened, can infect any server the computer in question is connected to.
“Maybe somebody gets an email with an attachment saying, ‘Congratulations, you have won a gift card. Please download the code for your gift card,’” Mady said. “Anything that gets people excited. Or a tricky email, as you know, please click on the link to update your information, or your account will be deleted. Things like that. These may carry downloadable files to go in, and this is how the ransomware will find its way to the server or to the individual. Every computer on the network can act as a gateway to install information on a server.”
Once the ransomware is installed, the owner of the computer or server will lose all access and will need to input a password known only to the attacker to get back into the system. The victim will receive a message, often displayed on the screen of the infected computer, giving instructions on how to pay a sum of money in exchange for the password, according to Mady.
Users of this type of malware often request payment through untraceable sources such as Bitcoin, Mady added.
Once ransomware has infected a computer or server, the owner of the system has a couple of options. They can either pay the ransom to regain access to the locked-away files, or they can decide not to pay and figure out a way to manually restore the system. Mady said the most common way organizations do this is by rebuilding a server from the most recently made backup, but this method could cause those who regularly access the server to lose files they have worked on after the most recent backup was made.
Mady said ransomware does not give the attacker access to a system’s files, so the Hall County files are not necessarily in danger of falling into the wrong hands. However, an attack of this nature often exposes the weaknesses in a system’s cyber security, and it is not uncommon for hackers to launch subsequent attacks aimed at gaining access to the files, according to Mady.
Ransomware is difficult to get rid of once it attacks a system, Mady continued, so the best way for organizations to protect themselves from it is to take preventative action ahead of time. He said all organizations should make regular backups of all files, storing them on multiple different systems and even making hard copies on hard drives to be locked in vaults as a failsafe in case a similar attack occurs in the future.
He said trying to trace the source of the attack back to the attacker is not always the best strategy, as hackers can use a variety of strategies to mask the true source, and trying to find them is often unproductive.
“What is important for businesses and individuals and state agencies is to learn how to protect themselves, rather than chasing someone down,” he said.