Full Report
ARDMORE, Okla. (KTEN) — The City of Ardmore is alerting the public after a ransomware attack earlier this month that may have involved personal information. According to a Facebook post from the city's account, staff say the incident was discovered April 8, after attackers targeted some internal servers. While not all systems were accessed, information tied to criminal complaints and investigations may have been involved — including names, addresses and phone numbers. Financial systems, like water billing, are stored separately and were not accessible during the attack. Emergency services also remained available. City staff say they brought in outside IT specialists and federal agencies — including the FBI and Cybersecurity and Infrastructure Security Agency — to investigate.
Analysis Summary
# Incident Report: Ransomware Attack on the City of Ardmore
## Executive Summary
In early April 2024, the City of Ardmore, Oklahoma, experienced a ransomware attack targeting internal servers. The incident potentially compromised sensitive data related to criminal complaints and police investigations, though critical financial systems and emergency services remained unaffected. Outside IT experts and federal agencies were engaged to assist with the investigation and recovery.
## Incident Details
- **Discovery Date:** April 8, 2024
- **Incident Date:** Early April 2024
- **Affected Organization:** City of Ardmore, Oklahoma
- **Sector:** Government / Public Sector
- **Geography:** Ardmore, Oklahoma, USA
## Timeline of Events
### Initial Access
- **Date/Time:** April 2024 (Specific date not disclosed)
- **Vector:** Unknown (Targets were internal servers)
- **Details:** Attackers gained access to specific internal servers containing municipal records.
### Lateral Movement
- **Details:** The attackers moved within the network to reach systems holding criminal complaints and investigation files; their reach was limited, however, because the separately stored financial systems were not accessible during the attack.
### Data Exfiltration/Impact
- **Data Compromised:** Personal information (PII) including names, addresses, and phone numbers.
- **Specific Records:** Information tied to criminal complaints and law enforcement investigations.
### Detection & Response
- **Discovery:** Staff discovered the breach on April 8, 2024.
- **Response Actions:** The city alerted the public via social media, isolated compromised systems, and notified the FBI and CISA.
## Attack Methodology
- **Initial Access:** Not disclosed; internal server targeting.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Specific targeting of internal municipal servers.
- **Lateral Movement:** Attempted network traversal; blocked by network segmentation.
- **Collection:** Gathering of law enforcement sensitive files and resident PII.
- **Exfiltration:** Potential exfiltration of names, addresses, and phone numbers.
- **Impact:** Encryption or unauthorized access (Ransomware).
## Impact Assessment
- **Financial:** Unknown (Costs of specialists and potential recovery). Water billing and financial systems were stored separately and remained secure.
- **Data Breach:** Compromise of PII (names, addresses, phone numbers) for individuals involved in police matters.
- **Operational:** Disruption to internal administrative servers; emergency services (911/Dispatch) and utilities remained operational.
- **Reputational:** High; public notice required due to the sensitive nature of law enforcement data.
## Indicators of Compromise
- **Network indicators:** Not disclosed in public report.
- **File indicators:** Not disclosed in public report.
- **Behavioral indicators:** Unusual activity on internal servers leading to discovery on April 8.
## Response Actions
- **Containment measures:** Isolation of internal servers; maintaining the air-gap/separation of financial systems.
- **Eradication steps:** Engagement of "outside IT specialists" for forensic cleanup.
- **Recovery actions:** Notification of federal law enforcement (FBI) and CISA for technical assistance.
## Lessons Learned
- **Key takeaways:** Network segmentation proved highly effective in this instance, as the separation of water billing and financial systems prevented a more catastrophic financial impact.
- **What could have been done better:** Earlier detection mechanisms may have identified the intrusion before the attackers reached sensitive law enforcement files.
## Recommendations
- **Prevention measures:**
  - Perform a thorough audit of all internal server access controls and permissions.
  - Enhance monitoring and alerting on servers containing sensitive PII or criminal justice information (CJI).
  - Continue the practice of network segmentation for critical infrastructure (utilities/finance).
  - Implement multi-factor authentication (MFA) across all municipal entry points to prevent unauthorized server access.