‘It feels like a digital hurricane’: Coastal Mississippi county recovering from ransomware attack
A coastal Mississippi county is in the process of recovering from a wide-ranging ransomware attack that took down nearly all of the government’s in-office computers.
Nestled right along the border with Alabama, George County is the quiet home to more than 25,000 people. But the local government was thrown into chaos this weekend when ransomware actors used a discreet phishing email to gain deep access to the county’s systems.
George County communications director Ken Flanagan told Recorded Future News in an interview that the situation “felt like a digital hurricane” after IT officials discovered the attack early on Saturday morning.
“When a hurricane comes through, you lose your ability to communicate. You lose your computer systems with power and networks and cell phone towers. So in a lot of ways, it feels like we're in a hurricane but we still have the power on,” he said.
Investigators traced the attack back to a phishing email made to look like a routine system update reminder.
When an employee opened the email and clicked on the link, that gave the unnamed ransomware group access that allowed them to jump from computer to computer until they reached an administrative account with access to the wider county network.
The hackers made their way through the system throughout the weekend, encrypting everything they could in what Flanagan called a “brute force attack.”
“From there, they systematically went through and locked out everybody's personal office computer. It was a highly coordinated attack and it also appears that after they encrypted all three servers, they went through each department looking at each individual computer to see what was the best data in there,” he said.
“So it was not just an automated attack. It definitely appears that there was a process and highly efficient one at that. Once they got behind the gate, that was it.”
Flanagan said it was only by Monday that county officials realized the extent of the damage, finding that it covered “every server and network based computer that we have.”
The county already had a board meeting scheduled for Monday that allowed all of the local leaders to convene and figure out a plan forward.
At the meeting, they approved budgets for emergency cybersecurity services and increased the number of IT workers from one to four. Since Monday, all of the IT workers have been working 12 to 16 hours a day trying to get systems back up and running, Flanagan said.
One server at a time
There are three county servers that need to be restored, and IT workers are bringing them back online one by one. As IT workers began restoring the servers on Tuesday, they discovered a file titled “Restore” that contained a ransomware note.
Flanagan said the note was “professional sounding” and had a Bitcoin wallet address to send the ransom to — the attackers demanded payment within five days.
“There was honestly nothing threatening in the wording of it. If you didn't know any better, you would think you were just looking at a standard IT contract or agreement,” Flanagan said, declining to name the group responsible or the dollar amount of the ransom demand because they were advised not to release the information.
“The County Supervisors unanimously agreed not to pay the ransom. We are a small rural county and the ransom amount was just not feasible for our budget. And, of course, there are no guarantees with these types of transactions. So, we had to say no.”
The county contacted the FBI on Monday morning, and has had three calls with the bureau and officials from the Department of Homeland Security in recent days.
The local sheriff’s department has also coordinated with several state agencies in response to the attack. County officials have been passing along as much information as possible to the FBI but have been told it is unlikely the people behind the incident will ever be tracked down.
The county 911 dispatch system was not affected because the phone lines run on a separate analog system. But operators did use computer systems to take notes on incidents, so now those have to be recorded by hand with the network down.
IT officials were able to restore at least one server by Wednesday afternoon and one of their major office systems was back up and running – allowing them to do employee payroll.
According to Flanagan, there were concerns that they would have to use a more traditional paper check system. With at least one server back online, county officials hope that most systems will be back to normal by next Monday.
Due to technology purchases made to support work-from-home efforts during the COVID-19 pandemic, many county offices also had disconnected laptops available that allowed them to continue working as IT staff rebuilt infected systems. The county has about 130 employees, according to local news outlet WKRG.
“That’s the reason that we just sent out our laptops to all of our major departments like Land Records, the Circuit Clerk's office, our Justice Department, the court, the tax collector, myself, and finance,” Flanagan said.
“That way we could do some work on what we had and we’ll update the official systems at some point.”
It took IT staff about 16 hours to restore one server, and they are prioritizing the offices most necessary for county functions.
Flanagan noted that they do not think employee financial information was accessed during the attack because it is held on a standalone internal computer system that is not connected to the internet. But they are still advising employees to change any passwords for financial accounts just in case.
The wider landscape
The attack on George County is the latest in a string of incidents affecting counties across the U.S., including ones in Delaware, California, South Carolina, New Jersey and Oregon as well as major metropolitan areas like Oakland and Dallas.
Both Oakland and the California city of Hayward declared states of emergency due to their ransomware attacks’ devastating effects.
Ransomware groups have shown little preference, targeting both small counties and large ones alike.
Recorded Future ransomware expert Allan Liska said that while the attacks on Dallas and Oakland drew national headlines, the numbers show that in the first quarter of 2023 there were fewer publicly reported attacks than in the first quarter of 2022.
Mentioned yesterday that there has been an uptick in attacks against local governments. Ransomware attacks against municipalities was one of the few good news stories, with an actual decrease in *publicly reported* attacks: 2022: 195 pic.twitter.com/vQs8R6QQnu — Allan “Ransomware Sommelier” Liska (@uuallan) July 18, 2023
But things began to ramp up in April, May and June of this year, with 18, 19 and 22 publicly reported attacks respectively.
The second quarter of 2023 saw 59 attacks, far above the 51 seen in the second quarter of 2022.
Liska had several theories on the increase, arguing that the deluge of new ransomware groups and actors splintered off from disbanded gangs was part of the reason why the numbers increased.
“More experienced ransomware groups know municipalities don’t pay the ransom. But these newer groups are still figuring it out. Right now, all we can say is the numbers are higher, we really need more data to determine if it is a significant increase,” he said.
“I think a lot of new actors don’t know they won’t get paid. But, even if they do know they won’t get paid, a lot of actors like to do it for the ‘clout.’ There is some reputation building in being able to knock over a city/county and generate a lot of headlines.”
Emsisoft ransomware expert Brett Callow, who has also been tracking ransomware attacks on municipalities, counted at least 48 incidents involving local governments this year, a figure that is in line with those from past years.
His data shows that there were 113 ransomware incidents affecting local governments in each of 2019 and 2020. There was a massive dip in 2021, with only 77 attacks, but an uptick in 2022, with 106.
“This year is shaping up to be similar with 48 incidents,” Callow said. “The numbers would seem to indicate that the public sector is as vulnerable as it was in 2019, which is not good news.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.