Jessica Cejnar Andrews / Thursday, May 18 @ 3:34 p.m.
Homeland Security, FBI Spearhead Curry County Ransomware Attack Investigation; More On The EOC's Role In Rebuilding The Network
Wednesday's Board of Commissioners' meeting
• Despite Having to 'Start Over' After Last Month's Cyber Attack, Curry County Government 'Is Continuing,' Brad Alcorn Says
Curry County weathered its 22nd day of crisis on Wednesday, Commissioner John Herzog reminded his colleagues.
The victim of an April 26 ransomware attack that left its servers inaccessible, the county couldn’t livestream the Board of Commissioners’ regular meeting. Planning Director Becky Crockett had to provide hard copies of her staff reports instead of submitting them electronically.
And an Oregon Department of Forestry incident commander, Eric Perkins, provided a briefing reminiscent of a wildfire update.
Yet it would be easy for the average person to miss those things, Commissioner Brad Alcorn told the Wild Rivers Outpost on Thursday.
“When you drive into Curry you see a clear day and a blue ocean,” he said. “But we can’t plug into a printer and print a document. We can’t process a request on the computer. We can’t send an email. You don’t see any of that.”
The U.S. Department of Homeland Security and the FBI are spearheading the criminal investigation connected with the “Curry County Cyber Incident,” Alcorn said. The attack has been attributed to Royal ransomware group, which has been responsible for attacks against other communities, including in Dallas, Texas about two weeks ago.
Dallas’s Royal ransomware attack affected police, courts and multiple city websites, the Dallas Morning News reported on May 4.
Ransomware is malicious software that prevents users from accessing computer files, systems or networks and demands a ransom for their return, according to the FBI.
“You can unknowingly download ransomware onto a computer by opening an email attachment, clicking an ad, following a link or even visiting a website that’s embedded with malware,” the FBI reports. “Once the code is loaded on a computer, it will lock access to the computer itself or data and files stored there. More menacing versions can encrypt files and folders on local drives, attached drives and even networked computers.”
According to the Dallas Morning News report, Royal can refer to a type of ransomware or a group of people who wield it.
Though Alcorn couldn’t speak to the ransom notice Curry County received, he said on Thursday there are several aspects to consider when responding. This includes whether the perpetrator will hand over a mechanism for unlocking your network if you pay the ransom without demanding more or without re-infecting your system later on, he said.
“Another big factor to take into consideration is who are you paying?” Alcorn told the Outpost. “Is that going to fund an attack against this country or American soldiers? All of those things need to be considered, not to mention when you pay these guys, you’re essentially perpetuating their crime. If no one paid, there wouldn’t be any money in it.”
As for rebuilding its network, Curry County’s response is consistent with its respone to a wildfire, earthquake or Cascadia event. The county has activated its emergency operations center and is operating under the incident command structure civilian agencies have used for more than two decades, Perkins told commissioners Wednesday.
About 42 people have rotated through the Curry County EOC since May 4, Emergency Management Director Monica Ward said during Alcorn’s Facebook live briefing Wednesday.
After doing a call-out for emergency aid last week, responding agencies have included the Oregon Department of Forestry, Klamath County, Lane County, the Oregon Department of Transportation, the Oregon Health Authority, the Information Technology Disaster Resource Center, the Cyber Security and Infrastructure Security Agency and Coos County.
Microsoft is also providing assistance, Alcorn said, bringing people to southern Oregon from other parts of the world.
While the county and other local emergency responders hold training scenarios to prepare for disasters — a simulated mass casualty exercise is planned for next month — a cyber attack is different, Alcorn said.
“The emergency operations center folks are really good at natural disasters, but we’ve struggled with the uniqueness of the cyber attack,” he said. “I think it’s easier to hit a button and make a request for… a specific type of fire truck or rescue apparatus. We know who to call and where to go for those. But it’s more problematic when you’re looking for somebody that can build a network from the ground up and three guys who can work together to do that.”
On Wednesday, Perkins told commissioners that the incident command responding to Curry’s cyber attack is about 10 percent of one that would respond to a wildfire. Perkins, who has been part of ODF’s incident management team for about 13 years, said the incident command structure makes communication and response more efficient. He said he works with the operations section chief who in turn interact with the “smart IT people” working underneath him.
“They speak a language I don’t understand,” Perkins told commissioners. “I understand firefighting and forestry, but (the operations chief) understands it. The structure tries to put the right skillset in the right place and then we can communicate things down to the people doing the work and back up to us.”
According to Alcorn, pinpointing a timeline for when the county’s network and servers will be functioning again is difficult because rebuilding it is complex.
“There’s so much information that’s loaded in this network that you can load stuff in and then you’re just about to get it up and running and then there’s some kind of bug,” Alcorn said. “You got to fix that bug and then that bug turns into two more and you got to reload other information. I think we’re close. Once we get to the finish work, that’s where we’re loading (to) our individual computers and connecting those.”