Outage occurs on same day as special election, but election offices remain open.
# Incident Report: Jackson County Suspected Ransomware Attack
## Executive Summary
Jackson County, Missouri, suffered a suspected ransomware attack leading to significant disruptions in its IT systems, prompting the declaration of a state of emergency. Key services like tax payments and marriage license issuance were rendered inoperable, though election offices remained unaffected. The county initiated diagnostics with cybersecurity partners, and while the threat is suspected to be ransomware, data compromise had not been confirmed at the time of reporting.
## Incident Details
- **Discovery Date:** On or around Tuesday, April 2, 2024 (the date of the official statement and emergency declaration)
- **Incident Date:** Prior to April 2, 2024 (exact date not stated)
- **Affected Organization:** Jackson County, Missouri
- **Sector:** Government (County Administration)
- **Geography:** Missouri, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown
- **Vector:** Suspected ransomware infection; the specific initial access vector is not described in the source text.
- **Details:** Attack led to significant disruptions across digital infrastructure.
### Lateral Movement
- **Details:** Not specified. The attack rendered certain critical systems inoperative while others continued to function normally, which may indicate either a targeted compromise or partial containment by existing network segmentation.
### Data Exfiltration/Impact
- **Details:** Systems confirmed inoperable include tax and online property payments, issuance of marriage licenses, and inmate searches. Officials stated there was no evidence that data had been compromised, but this was pending comprehensive analysis.
### Detection & Response
- **Details:** Disruption was identified by county officials. An executive order was issued by County Executive Frank White Jr. declaring a state of emergency. The county began immediate diagnostic procedures working with cybersecurity partners.
## Attack Methodology
- **Initial Access:** Suspected ransomware infection (Specific mechanism unknown).
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown, but affected multiple core administrative functions.
- **Collection:** Unknown, pending investigation into data compromise.
- **Exfiltration:** None confirmed (Data compromise pending investigation).
- **Impact:** Operational disruption affecting public-facing services.
## Impact Assessment
- **Financial:** Potential significant budgetary impact requiring appropriations from the County’s emergency fund or subsequent budgetary adjustments/cuts.
- **Data Breach:** No definitive data compromise confirmed at the time of reporting.
- **Operational:** Closure of Assessment, Collection, and Recorder of Deeds offices; inoperability of tax/property payment systems and marriage license issuance.
- **Reputational:** Localized negative impact given the public declaration of a state of emergency coinciding with a special election.
## Indicators of Compromise
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** None provided beyond the observed outcome (disruption of specific county systems).
## Response Actions
- **Containment measures:** Key county administrative offices (Assessment, Collection, Recorder of Deeds) were closed until further notice.
- **Eradication steps:** Diagnostic procedures initiated with cybersecurity partners to identify the root cause.
- **Recovery actions:** Ongoing investigation and restoration efforts underway.
## Lessons Learned
- Heavy reliance on centralized IT infrastructure leaves county operations exposed to single points of failure: one cyberattack took down multiple unrelated public services at once.
- The incident coincided with a special election; although election offices remained open, the timing highlights how dependent critical civic functions are on shared IT systems.
## Recommendations
- Immediately review and bolster network segmentation between critical administrative systems and non-critical or public-facing services.
- Conduct a comprehensive forensic analysis to definitively confirm the presence or absence of data exfiltration.
- Develop and test comprehensive Business Continuity and Disaster Recovery (BC/DR) plans for essential public services, prioritizing manual failover procedures for critical functions like land records and payments.
- Review remote access and patching procedures, as the specific entry vector remains unknown.