The website for a public health department serving about 210,000 people in central Illinois, including students at the state’s flagship public university, has been hit with ransomware that could leave it shuttered for up to two weeks. While the perpetrator of the cyber attack has not been identified, the closure comes as Illinois has 20-some confirmed coronavirus cases, and raises the prospect that other government agencies instrumental to responding to the epidemic could face similar challenges.
Julie Pryde, the chief administrator for the Champaign-Urbana Public Health District, said Wednesday that the agency’s website went down Tuesday morning and that, within a few hours, her staffers and an outside contractor had determined it to be the result of a ransomware attack. Officials at the Illinois State Police and the local FBI office cannot yet confirm whether they are involved in any investigation.
“It’s inconvenient,” Pryde said, before citing a “robust continuity of operation plan” that the agency was using to keep people informed despite their site’s closure, including its more popular Facebook page and sharing information via local media outlets and other county government agencies.
Ransomware is software that an attacker loads onto a victim’s computer to lock files or block access, usually in concert with a demand for payment. Pryde did not offer any details on the ransomware itself, how the agency fell victim to it, or whether the agency had considered paying the ransom. It’s not clear what information the agency lost access to or what data the attacker could access, but Pryde suggested that electronic medical records, email, and environmental health data were still functional. Pryde says the agency and its systems are distinct, leaving other local government offices unaffected.
While the Champaign-Urbana Public Health District may be the first such agency in the US to be hit with ransomware during the coronavirus epidemic, it is only the latest in a long string of such attacks. Since 2013 there have been at least 350 instances of ransomware targeting state or municipal political entities, according to data compiled by StateScoop, a cybersecurity trade publication marketed to government workers. Illinois has seen 14 incidents in that time, according to the data.
Allan Liska, an intelligence analyst with cybersecurity firm Recorded Future who published the research underlying StateScoop’s report, says that state and local governments, along with healthcare-related entities, are among the most frequent targets of ransomware. Both kinds of victims want to get their services back up as quickly as possible “even if being quick means having to pay the ransom,” he says, explaining that private healthcare providers are more likely to pay than governments because “nobody wants to admit they used taxpayer dollars to, essentially, pay blackmail.”
Information security efforts are also typically underfunded at state and local government agencies, he says, and measures to prevent hypothetical ransomware attacks are usually a low priority.
While Liska says ransomware can be relatively simple to deploy—launched, say, via an email link or suspect email attachment—some recent attacks have been harder to defend against. He points to one 2019 case where an attacker managed to infiltrate a third-party internet technology provider and simultaneously attack 22 Texas cities. The attacker wanted $2.5 million to unlock the cities’ computers, according to NPR. “That’s a fairly sophisticated attack,” Liska says.
In November, a Wisconsin-based cloud data hosting provider fell victim to a ransomware attack, cutting 110 nursing homes and acute-care centers in 45 states off from important patient data. The head of the company that ran those facilities told cybersecurity journalist Brian Krebs the attack put her patients in grave danger.
“Another attack like that could cause significant disruption, especially while everybody’s so worried about the coronavirus,” Liska says. “If senior care gets disrupted while we’re in the middle of a pandemic, it could cause loss of life.”
John Bambenek, a Champaign local who runs a cybersecurity consulting firm and who happened to be attending a public meeting of the county commissioners Tuesday night, says County Executive Darlene Kloeppel announced that the health department’s website had been “hacked.” Beyond saying it would be down for a week or so, Bambenek says she shared very little additional detail. “I found that extremely suspect,” he says. “It’s not really a great time” for an outage, he added, noting that in “the absence of trustworthy information you can get hype.”
Bambenek says that although no cases of coronavirus have been officially reported in the area so far, rumors of cases are circulating locally via social media. He notes that the advice to check Facebook for information might work for some, but not for people lacking accounts on the platform.
Pryde says that most people are aware they shouldn’t pay attention to such reports, and that the community knows that her agency should be its main source for authoritative information. “If there is a case, the information will come from public health,” she says. “It will not come from your hairdresser or somebody on Twitter.”
This is all the more reason why, she says, the ransomware incident didn’t come at a great time. “Unfortunately during these kinds of pandemics or crises, all kinds of things are going to happen,” she says. “Life goes on, and anything above and beyond dealing with the pandemic itself makes it all the more difficult.”