Ransomware attack turns 2022 into 1977 for Somerset County

1977 was quite the year. Led Zeppelin! Jimmy Carter! Saturday Night Fever!

We can now add “a ransomware attack” to this once static list. Somerset County, New Jersey, has been hit so hard by a network assault that they’ve ended up in the direst straits imaginable, with county databases unavailable to provide information on land records and probate records, and with title searches only available for paper records that were entered before 1977.

When a ransomware attack takes out an organization, they often revert to pen and paper to keep things ticking over. This is a common feature of healthcare compromises. Everything slows down a little, but they’re still able to function in the here and now for the most part. When ransomware locks down a chunk of historical data, things apparently become much more convoluted.

Of probates and land records

Somerset County’s statement reads as follows in relation to the attack which happened last Tuesday:

Somerset County offices and buildings remain open for business as the County continues to evaluate the severity of yesterday’s ransomware cyberattack. Network-linked computers remain turned off, and county emails cannot be received or responded to by county personnel.

Somerset County Clerk and Surrogate services that depend on access to county databases are temporarily unavailable, such as land records, vital statistics, and probate records. Title searches are possible only on paper records dated before 1977.

There are several possible reasons why everything post-1977 is now unavailable. Perhaps records after that date exist only in digital form, with no backups available. Maybe there are backups, but those have been encrypted by the ransomware too.

Switching to Plan B

In an effort to keep some services moving, temporary email addresses have been brought into play:

To ensure residents can reach the County we have created temporary Gmail addresses for the public to use to reach critical departments such as the County Commissioners, Health, Emergency Operations, the County Clerk, Sheriff, and Surrogate.

This is certainly better than doing nothing. However, there are several concerns with approaches such as this.

  • Are the email addresses secure? Hopefully “temporary” would still mean “locked down.” At the very least, two-factor authentication (2FA) is needed here. The last thing they need is several email breaches due to weak passwords or other security concerns.
  • Introducing uncertainty into what official email addresses are supposed to look like can confuse customers. A wily phisher could easily set up their own fake temporary addresses. An even smarter one would create fake Gmail addresses which look like the temporary efforts.
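As an added example (not part of the original post), here is a small check a mail team could run over inbound sender addresses to flag ones that resemble the official temporary accounts. The official addresses and sender samples are constructed placeholders; the county's real temporary Gmail addresses are not listed in the post.

```python
import unicodedata

# Constructed placeholders standing in for the county's real temporary
# Gmail accounts, which the post does not list.
OFFICIAL_TEMP = {
    "somersetcountyclerk.nj@gmail.com",
    "somersetcountyhealth.nj@gmail.com",
}

# Common character swaps seen in lookalike names (illustrative, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]


def canonical(local: str) -> str:
    """Reduce a local part to a comparison form: NFKC-fold accents and
    fullwidth letters, lowercase, fold common confusables, and drop dots
    (Gmail ignores dots in the local part, so they are free disguise)."""
    s = unicodedata.normalize("NFKC", local).lower().replace(".", "")
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(addr: str):
    """Return (verdict, official address it resembles or None)."""
    addr = addr.strip().lower()
    if addr in OFFICIAL_TEMP:
        return "official", addr
    local, _, domain = addr.rpartition("@")
    for official in OFFICIAL_TEMP:
        o_local, _, o_domain = official.rpartition("@")
        if canonical(local) == canonical(o_local):
            kind = "confusable characters" if domain == o_domain else "copied name, other domain"
            return "lookalike: " + kind, official
        if edit_distance(canonical(local), canonical(o_local)) <= 2:
            return "lookalike: near match", official
    return "unrelated", None
```

Anything returned as a lookalike is a candidate for quarantine or a banner warning, while the "official" list itself is what should be published on the county's website so residents have one place to verify it.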

Good news and bad news…

Somerset County have confirmed the following:

  • An upcoming Primary Election is unaffected as voting machines are “never connected to the county system.”
  • Courts and Jails are functioning as normal and 911/emergency services are unaffected.
  • According to The Register, systems may be offline for “at least” the rest of this week. This isn’t great, but the ad-hoc replacement system offered currently is better than nothing.

Tips to avoid ransomware

  • Encrypt and back up your data. Keep your data encrypted whenever possible, and back up your files regularly. Store your backups externally away from the main network. Ensure your backups are stored in a logical way and not a confused mess of folders and files. You can’t get to work on recovery if you’ve no idea where everything is.
  • Update your security software. Help what is often your first line of defense by ensuring it’s as up to date as possible. Automate your scans and updates.
  • Avoid strange attachments. Malicious Word/Excel documents are a common threat, especially where Macros are concerned.
  • Keep devices updated. Secure devices with the latest patches. Updating your Operating System is great, but that’s not where your updating journey ends. Outdated software and applications are frequently a launchpad for exploits leading to ransomware attacks.
  • Strengthen remote access. Unsecured remote services are hugely popular with ransomware authors. Limit the number of password guesses allowed on remote desktop logins, and combine remote services with multifactor authentication.
  • Use browser controls for bad ads. Malvertising is another technique to place ransomware where it shouldn’t be. Restricting certain features like JavaScript can help, though this may make some sites unusable. Dedicated extensions which control tracking, scripts, and untrustworthy ad networks will also help.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.