Ransomware attack that forced a New York county back to pen and paper began in 2021, official says
New York’s Suffolk County has concluded an investigation into a destabilizing ransomware attack that forced government workers to rely on fax machines and paper records, discovering stark deficiencies in the county clerk's cybersecurity practices.
Suffolk County Executive Steven Bellone held a press conference Wednesday to unveil the findings of the forensic investigation into the September 2022 ransomware attack, which leaked sensitive information belonging to the Long Island region’s 1.5 million residents.
The BlackCat/AlphV ransomware group took credit for the incident and eventually leaked 400GB of data that was stolen during the attack — including thousands of Social Security numbers.
Bellone explained that the forensic report revealed that the hackers broke into the county clerk’s office in December 2021 through the Log4j vulnerability.
“[The report] describes in great detail the eight months that the criminal actors spent in the clerk's office installing bitcoin mining software, establishing persistence, installing exfiltration tools, creating fake accounts, harvesting credentials and installing remote monitoring tools to establish command and control,” he told reporters.
By August, the hackers had gained access to a folder containing passwords to “highly critical systems that were kept on the clerk's network unprotected.” Within three hours of acquiring that folder, the hackers were able to move into the broader county IT environment.
The report pinpoints the acquisition of this password folder as one of the main causes of the attack, since it gave the hackers access to “database systems, servers, phone systems, backup systems, network appliances, file shares, service accounts, critical operational systems, web hosting sites, virus software, network monitoring software and more,” Bellone explained.
The hackers then spent months laying the groundwork for the attack before exfiltrating troves of data on September 1 and finally deploying the ransomware on September 8. Bellone said the hackers initially demanded $2.5 million in ransom before lowering their demand to about $500,000. No ransom was paid, he added.
Back to pen and paper
Despite the longstanding access the BlackCat hackers had, Bellone said the report found that just 1.6% of systems across all county domains were impacted in any way.
Nonetheless, the effects were far-reaching. Officials had to disable the email systems for more than 10,000 county workers, forcing many to use pen and paper for government services. Emergency dispatchers spent weeks taking down calls by hand and police used radios to share details of crimes due to the network outages caused by the attack.
Contractors were paid with paper checks because of concerns that the hackers were watching payment transfer systems. The title search system was down for weeks, effectively halting real estate transactions until state officials sent new computers.
Driver’s license numbers linked to 470,000 moving violations were among the sensitive data leaked during the hack, alongside information and contracts from the Suffolk County Court, sheriff’s office and others. The county said it will be providing identity protection services to those affected.
Bellone went on to criticize the IT department of the clerk’s office, noting that because their office was segregated from the county IT department, it “unfortunately made it easy to withhold information” from other offices.
At least one member of the clerk’s office IT department was placed on administrative leave in December 2022 due to their alleged refusal to cooperate with county investigators and a longstanding refusal to implement cybersecurity mechanisms county-wide, Bellone said.
For months, former Suffolk County Clerk Judith Pascale and Bellone have traded barbs over the ransomware attack, blaming one another for not responding to the crisis quickly enough. Pascale, whose tenure ended in December, claimed that she had warned officials in the county of cybersecurity deficiencies and asked for more funding but was denied.
The New York Times obtained emails showing she did ask for a firewall but was rejected by Bellone. Bellone said on Wednesday the investigation proved that her claims were false and that the county had provided her with funding to install a different security system that was never implemented.
He added that the county is still working to restore many of the systems that were damaged during the attack, noting that teams from Cisco and Palo Alto Networks are working on the effort. Significant parts of the county network have been back up and running for almost two months, Bellone explained.
Local news outlet WSHU reported that the county has spent nearly $5.5 million on the recovery and investigation efforts.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.