Six-Figure Ransomware Attack Hits Washington County, PA

Learn more about the Washington County, PA ransomware attack and key security controls that can help prevent similar cyber-attacks. 

On January 19, 2024, Washington County officials identified a cyber-attack that had escalated into a full-blown ransomware attack by January 24. The attack caused major disruption to the county’s network and computer systems and ultimately resulted in a ransom payment of nearly $350,000.

The county’s information technology department worked with federal investigators and third-party cyber experts to contain the attack and prevent the malware from spreading to other systems, while working to establish the scope and details of the breach.

On February 5, digital forensic consultant Sylint confirmed to the county officials that threat actors had obtained “large amounts of data” from the county’s network that could be “injurious to the county and its residents” if it were to be released on the dark web.

The deadline to pay the ransom was set for 3:30 pm on February 6. That day, county officials held an emergency meeting to vote on paying the ransom. In a 2-1 vote, the commissioners authorized a payment of up to $400,000, to be paid through the cryptocurrency firm DigitalMint.

A payment of $346,687 was sent to the threat actor(s) in exchange for the “digital encryption key” that was to unlock the county’s systems, on the understanding that none of the private information would be shared on the dark web.

Best Practices to Mitigate Cyber-attacks

Cyber criminals are continuously looking for ways to exploit the information technology systems of both public- and private-sector organizations for monetary gain.

Accordingly, businesses and government organizations are working to identify appropriate investments in protective, detective and responsive capabilities to mitigate the risk of a breach. The following list identifies important recommendations for any organization looking to improve its cyber hygiene:

  • Conduct annual audits such as penetration tests and security audits, using leading cyber frameworks such as NIST, CIS and ISO.
  • Prioritize protective, detective and response/recovery controls such as those identified in those same frameworks (NIST, CIS, ISO). Examples include:
      • Disaster Recovery Plan – Formalize systems and exercises to ensure that systems can be recovered to their recovery objective states, and test system recovery capability regularly based on system criticality.
      • Establish Remediation Thresholds – Formal thresholds ensure that vulnerability fixes are completed within risk-tolerable timeframes.
      • Use Geo-Blocking – Limit access to systems and services based on the connecting user’s physical (geographic) location.
      • Immutable and Offsite Backups – Encrypt backups, store copies remotely, and keep them in a form that cannot be modified or deleted by a compromised account, so that they remain available for recovery.
      • IT General Controls – Implement controls such as limiting the number of administrators, disallowing account sharing, enforcing strong password settings, limiting access to programs and data, and restricting change management and development procedures to the appropriate personnel.
      • Incident Response Plan – Formalize roles, responsibilities and response processes/playbooks to ensure organizational readiness in the event of a cyber incident.
      • Multifactor Authentication (MFA) – MFA is crucial for helping to prevent cyber-attacks. Anne Neuberger, U.S. Deputy National Security Advisor for Cyber and Emerging Technology, believes—based on evidence presented by key tech industry executives—that 80–90% of cyberattacks could be prevented by properly utilizing MFA.
      • Network Segregation – Segment networks and services into separate network domains, with controls designed to block improper access and traffic and to restrict content.
      • On-Premises Firewalls – Monitor and filter all incoming and outgoing network traffic, blocking unwanted traffic and allowing authorized traffic to pass through.
      • Vulnerability Scans – Perform regular and frequent vulnerability scanning to identify high-priority areas of risk.
      • Security Information and Event Management (SIEM) – Consider enhancing detective controls with a SIEM tool that provides threat detection, event analysis and incident investigation.

These are just some of the high-priority capabilities that organizations should implement and maintain on an ongoing basis to ensure proper cyber hygiene and readiness, and to avoid becoming the victim of a breach.

There will always be the risk of a cyberattack, but knowing the proper precautions to take will help to mitigate the impact if or when a breach does occur.

About Schneider Downs Cybersecurity Team

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind. 


Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
