Ransomware attack knocked a Kentucky city-operated ISP offline before holiday

As tourists descended on Bardstown, Kentucky — the “Bourbon Capital of the World” — for Labor Day weekend, the town had a problem: A ransomware attack hit the local government, knocking municipal internet service provider (ISP) Bardstown Connect offline. 

The initial outage struck last Friday and lasted 18 hours, the Nelson County Gazette reported. Bardstown is a small city of roughly 13,000 people — and Bardstown Connect is the high speed ISP for a large portion of the city’s residents and local businesses. 

Cybercriminal gangs have often struck local governments which may not have the IT resources to immediately respond — at times disrupting vital services. 

Emsisoft threat analyst Brett Callow says this is the 34th local government attack he’s tracked so far this year. But the disruption of Bardstown Connect stands out, he said. 

“Governments being hit by ransomware is nothing unusual. What is unusual for a city-operated ISP to be affected, knocking both people and businesses offline,’ Callow said. 

“In fact, it’s the first time I can recall this happening,“ he added.

Recorded Future threat analyst and ransomware researcher Allan Liska agreed the attack appears to represent a new, and particularly devastating, tactic.

“The internet disruption for all of those people is huge,” Liska said.  

The blackout cost businesses tourist dollars because they couldn’t process credit cards without internet access, according to local outlet WDRB. The Nelson County Sheriff’s office also had to  switch to AT&T hotspots and relay calls through a State Police post, WDRB reported. 

However, issues continued throughout the week, both for some Bardstown Connect customers and those seeking to access some digital city services. 

“​​We are still hard at work restoring services. We will make a post here and likely on the official government pages when e-mail services have been fully restored,“ Bardstown Connect posted to Facebook on Monday. 

An ongoing investigation

Thursday, nearly a week after the major outage began, the city acknowledged it was the “victim of a cyberattack involving ransomware.”

“Working around the clock through the holiday weekend, our priorities have been fully investigating the cyberattack and getting services restored for our customers and constituents,” the city said in a post on its Facebook page. “So far, we have successfully restored all Bardstown Connect customer email accounts that are hosted by the City and brought back internet services for a vast majority of impacted residents.”

The investigation remains ongoing, Bardstown Mayor Dick Heaton said in a Thursday press conference. 

The city had not paid a ransom, but he couldn’t speculate how the investigation would proceed, he said. 

In the early days of ransomware attacks on local governments, such payments were common, according to Liska. But they’ve become increasingly frowned upon, he said. In some areas, such as in North Carolina, ransomware payments from government entities are banned. 

The city had focused on restoring services to network customers as quickly as possible, but was still working to restore systems affected by the attack in their own back offices, according to Heaton.

Day-to-day city operations largely continued uninterrupted, he said. 

“Our people have adapted very well to this – we have a surplus amount of information on paper, maps and stuff, so we retained a lot of what they need,” Heaton said. 

The city is investigating the attack itself with the help of cybersecurity firm Kroll as well as local law enforcement with FBI and DHS assisting, according to Heaton. 

The ability for the attackers to access many different parts of Bardstown’s systems appears to reflect the often flat nature of municipal and other small government networks, according to Liska. 

“We see this all the time where the ransomware actors get in through, say, the town’s finance department, but they are able to go over to, say, the courts. The networks aren’t segmented,” he said. 

But this could be particularly concerning for towns that run municipal broadband networks, something not especially appealing to small cities like Bardstown in scenic locations who may seek to attract remote workers, Liska added. 

“I think this should also serve as a wakeup call to towns that are offering municipal broadband — security has to be part of your business plan,” he said.

Bardstown has deployed “state of the art threat monitoring systems” on its networks, changed system passwords, and taken other steps to improve security in response to the attack, Heaton said. 

However, he also asked for patience from city residents and Bardstown Connect subscribers.

“There may be some unexpected bumps in the road that could cause additional intermittent outages – if that happens, like it did this past weekend, we will work to restore services as quickly as possible,” Heaton said.