Stuff happens: Four months after ransomware attack, Johnson City shoring up defenses

David Floyd • Feb 14, 2020 at 7:45 PM

On Oct. 21, a message from hackers started popping up on Johnson City employees’ computers.

“Hi company,” it began. “Every byte of any types of your devices was encrypted. Don’t try to use backups because it were encrypted too.”

The message gave contact information, which the hackers said city employees should use to get their data back (the city has said no employees engaged the hackers), and even had a brief frequently asked questions section, presumably listing questions that workers could be pondering in light of the supposed hack.

For example: What should workers tell their boss? “S*** happens,” the hackers said.

Roughly four months after it was struck with a ransomware attack that crippled the city’s main backup system, Johnson City has taken steps to prevent similar intrusions on its network.

Johnson City IT Director Lisa Sagona has said quick thinking and a pre-cautionary investment in the city’s cyber security infrastructure helped prevent lasting damage from the attack. The city said its financial system and credit card information were not compromised, and a Jan. 28 report from Asylas Security, a Nashville cybersecurity firm hired to investigate the incident, found that there was a “low probability” that the hackers stole any city data.

Since then, the city has spent $350,000, which includes the cost of buying 400 desktop computers, 50 laptops and the implementation of new software. Of that figure, Sagona said roughly $150,000 was already budgeted, and the city is already on a three-to-four-year rotation for computer replacements.

The city said some of the old computers will be recycled, but it might be able to deem some of the equipment surplus. All of the hard drives for those computers, however, would have to be destroyed.

During the attack, the city said 314 desktops and 35 laptops were compromised. The city said it will use the additional computers to replace unaffected computers as they reach the end of their useful life. The additional laptops are being used for training purposes.

Officials are also getting ready to hire a senior systems engineer, who will ensure the city’s information systems run in a stable, secure and efficient manner. Sagona estimated the pay range for that position could be between $67,000 and $95,000. The city has offered that job to a candidate, and Sagona anticipates the new employee will start in the first week of March.

Serendipitously, the attack occurred just three weeks after the city rolled out a hyperconverged storage area network, a tool that the city said enabled it to restore files in less than a day.

“What concerns me now is ... that’s public knowledge and that always gives me more pause for concern because, when somebody doesn’t get what they want, they don’t always go away,” Sagona said. “They then make other attempts in more sophisticated ways if it’s worth it to them.”

Because Johnson City is a mid-sized municipality with a budget and population smaller than large cities like Nashville or Murfreesboro, Sagona doesn’t think that’s something the city needs to obsess over. But cyber attacks are a problem that impact large organizations on a semi-regular basis.

“It’s in the news every single day,” Sagona said. “Somebody has either had an attempt made on them or a hack has actually happened. And what’s going to happen next year, in my opinion, is that they’re going to get even smarter and more creative.”

Asylas Security said there were 140 reported cyber attacks in 2019 targeting governments and health care providers.

“Johnson City was one of many recent victims in a flood of recent attacks against local government agencies by an unknown cyber crime group leveraging a common set of attack tools and tactics,” the report said.

Asylas Security said the path the attackers took to compromise the city’s network is not clear, but noted that they could’ve gained access through email links or malicious attachments.

“We’re pretty confident it was an email phishing attempt,” Sagona said.

Additionally, Sagona said the city has looked at purchasing YubiKeys for employees, which are devices small enough to fit on a key ring that act as a form of two-factor authentication. The city is also considering the implementation of software that evaluates employees’ computer use patterns and flags abnormal behavior. Those tools will be implemented once the senior security engineer is onboard.

“I never want to be in this position again,” Sagona said. “Now, we can’t spend millions, but we can spend one (full-time equivalent) that will also help with other things.”

Johnson City Press Videos