Tillamook County Board of Commissioners report $300,000 ransom paid

COVID19 Volunteer Group Form

Statement from Tillamook County Board of Commissioners, March 11, 2020:
Tillamook County recently experienced a cyberattack which disabled our computer systems for approximately two weeks. The forensic investigation is complete, and every effort is being made to prevent a similar event from occurring in the future, including strengthening security measures and ensuring the County network and systems are resilient and secure.
What follows is an accounting of the incident and our response.

On January 22, 2020, Tillamook County became aware of a data security incident when it began to experience computer difficulties. The Information Services department director immediately launched an investigation and determined that the county was a victim of a cyberattack. The county retained a legal counsel expert in responding to data security incidents and a leading independent computer forensics provider to assist with restoring the county’s operations, determine the scope of the incident and what information may have been impacted, and to negotiate the ransom payment, if necessary. The county activated its Incident Command Team and coordinated with county law enforcement, as well as the FBI. The county’s rapid and aggressive response to the incident mitigated the compromise and contained the encryption to 17 of 55 servers and 5 of 280 county workstations.
Tillamook County was attacked by an international cybercriminal organization known to law enforcement both nationally and internationally. The cyber attacker demanded ransom in the amount of $300,000. At stake was our data including public records. Had we chosen not to pay the ransom, our encrypted data would have been irretrievable. The county made every effort to avoid the payment of a ransom to the cyber attacker, including recovery through two independent backup solutions and hundreds of hours of retained and county resources; however, data critical to county operations could not be restored without paying the cyber attacker for decryption keys.
While the county maintained redundant backup solutions that would have protected our data in the event of a natural disaster, the cyberattack resulted in encrypted backups. In addition to jeopardizing the county’s ability to function effectively for 12-24 months, the cost to recreate the data may have exceeded $1 million. After considering all available possibilities, the county determined its only viable option was to authorize the ransom amount of $300,000 in order to obtain the decryption key for its data.
County systems are now operational, and the forensic investigation has concluded. The county is pleased to report that the forensic investigation has found no evidence indicating the personal information of its employees or residents was accessed or taken by the attacker.
Our world has seen an explosion of cyberattacks in recent months as attackers grow more advanced in their capabilities. The privacy of sensitive information is a top priority for Tillamook County. While it is unfortunate and regrettable that Tillamook County had to pay a ransom to recover access to our data and public records, the Board of County Commissioners believes that the decision to pay the ransom, however distasteful, represents our commitment to uphold the best interests of the county and the people we serve.