[BreachExchange] City paid 'threat actor' $30K over breach

Destry Winant destry at riskbasedsecurity.com
Wed Feb 26 10:08:22 EST 2020


https://www.paducahsun.com/news/local/city-paid-threat-actor-k-over-breach/article_e755dc70-9696-5000-a822-166dc023c013.html

The city of Paducah regained access to servers and records compromised
earlier this month by paying the "threat actor" responsible for the
data breach approximately $30,000, according to a news release.

The city does not know the identity of the third party responsible for
the breach, spokeswoman Pam Spencer said. The $30,000 was paid out of
the city's cybersecurity insurance coverage, she said.

The city became aware Feb. 1 of the "intrusion" into its information
technology network. Malicious software was used to compromise the
city's systems and encrypt numerous data files.

When the incident was discovered, the impacted servers were
disconnected and help was sought from independent IT security and
forensic specialists. The city also coordinated with local and federal
law enforcement officials, and that effort is ongoing, according to
Spencer.

"After thoroughly investigating all options for restoring our IT
systems, the city team in consultation with outside security experts,
the Kentucky League of Cities, and our insurance provider ultimately
decided to pursue a multi-pronged approach of rebuilding certain
systems from scratch and unlocking others by purchasing decryption
keys from the threat actor for a payment of approximately $30,000,"
City Manager Jim Arndt said in Friday's news release.

"This was a carefully considered decision that we determined to be in
the best interest of our citizens and our ongoing data security.
Decryption not only was the most expeditious and cost-effective way to
restore access to our technology and important records but also
enabled the most thorough forensic review of our systems, so that we
could best understand the impact of this incident."

Arndt said the city identified and remediated the point of entry used
for the unauthorized access, and multiple security scans by outside
experts did not detect any active malicious activity within the
network.

A thorough forensic analysis did not find any evidence of efforts to
remove files or data from the city's systems, he said.

"I want to stress that there is no indication any information has been
misused as a result of this incident," Arndt said.

The city manager said the recovery included a methodical process of
restoring and performing security inspections on individual servers
before bringing them back online one by one. The city also reconfirmed
the security of its email system and is confident its mail server was
not compromised.

"We have already implemented measures to enhance security -- including
systemwide password resets and use of advanced active threat detection
-- and we are also using this as an opportunity to replace some of our
older IT equipment," Arndt said.

"We will continue working with outside experts to identify and
implement new security measures to strengthen our defenses and
protocols going forward.

"We are deeply sorry for any inconvenience this incident may have
caused citizens or our staff and are grateful for the resourcefulness
and resilience of our many dedicated employees, who continued to
provide city services at a high level and meet the needs of our
citizens throughout our recovery."

