Hackers submitting faked invoices to local fire districts got at least one payoff, and taught local agencies a lesson in network security.
On Jan. 22, the city of Snoqualmie, which provides information technology services to King County Fire Protection District 45, paid a ransom of $750 to hackers who had taken control and encrypted files on a computer at the fire district. The ransom was required to unlock a computer on the district’s network, which was encrypted Jan. 7, when an employee clicked a link in a fake e-mail message.
The e-mail looked like an invoice from the fire district’s dispatch center, said Fire Chief David Burke. When an employee opened the email and clicked the link, a program started encrypting all the files on that computer.
Burke said the scam email was nearly identical to the real invoices the district receives for dispatch services.
The attack did not affect essential files.
“None of the financials, payroll, none of those things were accessible,” Burke said. “It was more of our daily documents, policies procedures, etc.”
Snoqualmie’s IT department helped the fire district handle the situation. Snoqualmie contacted the FBI which recommended that they pay the ransom. However, the hackers would accept payment only through bitcoin, a decentralized digital currency.
Burke said Snoqualmie IT went to Tacoma to get the money exchanged to bitcoin. Once the ransom was paid, the department received a decryption key and began to retrieve their files.
Both Burke and Snoqualmie Mayor Matt Larson said trying to recreate the files would have taken too much time and effort compared to the relatively small ransom.
“They had importance to the agency, trying to rebuild them would have been a considerably greater expense than paying the ransom,” Larson said.
Typically, Burke said, a backup system would have prevented the need to pay a ransom, but the fire district was in the process of modernizing their systems and backups had not been implemented yet.
“If our backup had been in place we would have been inconvenienced half a day or less,” he said. “The city of Snoqualmie stepped up and took care of everything and paid the decryption code. Snoqualmie went heads and shoulders above what our expectations were, they honored their part of the contract and more.”
With their files back, the fire district has a backup system up and running and is doing more training on Internet safety with employees. According to Burke, neighboring fire departments were also targeted, possibly through a mailing list containing information on the various fire chiefs in the region.
“The agency serves a lot of fire departments in the area and all of them got it. The email distribution for fire chiefs was compromised. Some of them caught it and were able to back up. Some of them handled it in house,” Burke said. “As soon as it started they were able to shut it down and restore it within a couple of hours.”
Burke doesn’t believe that the dispatch service was compromised and said the hackers could have gotten their information from any of the agencies working with the service.
After this incident the service has changed the formatting of invoices and moved to a PDF format.
“We have taken care of training and taking invoices in a new way,” Burke said. “We’ve done everything we believe we can, but the education will continue that we will give to all of our personnel.”
