Attacks on local governments in the last week caused disruptions in the capital of the Choctaw Nation and Puerto Rico, as well as others.
# Incident Report: Coordinated Ransomware Targeting US Local Governments and Puerto Rico Justice Department
## Executive Summary
Multiple US local government entities in Ohio and Oklahoma, along with the Justice Department in Puerto Rico, experienced significant cyber incidents over the past week, primarily involving ransomware. These attacks disrupted critical services, including municipal payments, county court systems, and the issuance of criminal record certificates. Response efforts across the affected entities involved engaging law enforcement, hiring cybersecurity experts, and temporarily suspending services to contain the threat while prioritizing emergency service continuity.
## Incident Details
- Discovery Date: Within the past week (Specific dates varied per entity)
- Incident Date: Over the past week
- Affected Organization: City of Durant (OK), Lorain County (OH), Puerto Rico Dept. of Justice (PR); related government entities in OK/OH are implied but not named.
- Sector: Government (Local/Municipal/Justice)
- Geography: Oklahoma, Ohio, Puerto Rico
## Timeline of Events
### Initial Access
- Date/Time: Over the past week (Specifics unknown)
- Vector: Not reported; only the final impact (ransomware deployment) is known, so the initial access vector cannot be inferred from the available information.
- Details: Attacks successfully breached systems in Durant, Lorain County, and the PR Department of Justice.
### Lateral Movement
- Details: Not reported, but the breadth of impact in Durant (website and payment systems down) and Lorain County (dozens of systems offline) indicates the attackers reached multiple systems beyond the initial point of entry.
### Data Exfiltration/Impact
- Impact: Disruption of critical services including digital/credit card payments (Durant), several county court systems (Lorain County), and suspension of criminal record certificate issuance (PR DOJ). The City of Durant confirmed network outages affecting its communication center.
### Detection & Response
- Detection: Discovery varied; Lorain County commissioners "recently became aware," and Durant reported the ransomware on Sunday.
- Response Actions: Durant engaged law enforcement to contain the issue and restore operations. Lorain County took affected systems offline and hired cybersecurity experts. PR DOJ initiated protocols to "contain" the attack and temporarily suspended specific services pending security certification.
## Attack Methodology
- Initial Access: Unknown (not reported; phishing or exploitation of an exposed service are the common vectors in incidents of this scope, but neither is confirmed here).
- Persistence: Unknown (Implied via successful ransomware deployment across networks).
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Implied, resulting in widespread service disruption across multiple government systems.
- Collection: Unknown. Data exfiltration is a common component of modern ransomware operations and previous related attacks suggest this risk, but it is not confirmed for these specific incidents.
- Exfiltration: Unknown.
- Impact: Ransomware deployed, leading to service paralysis and operational shutdowns.
## Impact Assessment
- Financial: Costs associated with recovery, hiring external cybersecurity experts, and potential ransom demands (in a related case, Abilene declined to pay, an approach the affected entities may also take).
- Data Breach: Not explicitly detailed for Durant or Lorain County in this report, but PR DOJ suspended issuance of records due to integrity concerns. (Note: Other Ohio/Texas government ransomware incidents cited historical data exposure).
- Operational: Significant disruption across municipal services (payments, IT infrastructure) and court operations. Emergency services remained operational but faced potential slowdowns (Durant).
- Reputational: Negative attention due to widespread service outages in multiple jurisdictions.
## Indicators of Compromise
- Network indicators: None provided in the source reporting.
- File indicators: None provided.
- Behavioral indicators: Widespread network outages coinciding with ransomware deployment.
## Response Actions
- Containment measures: Taking affected systems offline (Lorain County); initiating containment protocols (PR DOJ).
- Eradication steps: City of Durant working with law enforcement to contain and restore operations. Lorain County hired cybersecurity experts for investigation.
- Recovery actions: Durant restoring operations; PR DOJ waiting for environment security certification before restoration.
## Lessons Learned
- Municipalities remain attractive targets for financially motivated threat actors (Ransomware gangs often target smaller governments).
- Reliance on legacy or vulnerable systems leaves critical municipal infrastructure highly susceptible to wide-scale impact.
- Issuance of essential records (such as criminal record certificates) stops when the supporting systems are compromised, so continuity planning must cover these services.
## Recommendations
- Implement multi-factor authentication across all remote access points and critical internal systems.
- Accelerate network segmentation to minimize lateral movement capabilities following initial compromise.
- Develop and rigorously test comprehensive offline backups to facilitate rapid recovery without ransom payment dependency.
- Conduct targeted security awareness training for government employees across all agencies, focusing on recognizing potential initial access vectors (e.g., phishing).