Russia-linked cybercrime syndicate shuts down Indiana county for a week

Boris Ladwig
The Herald-Times

A Russia-linked cyber crime syndicate breached Monroe County, Indiana's computer systems last week, crippling all county offices and local courts.

The Blacksuit syndicate, which has been a key focus of ransomware attack advisories by the federal cybersecurity agency, also was responsible for paralyzing the U.S. car industry in June.

County officials previously had said only that their computers were down because of a “technological event,” but on Monday afternoon released a statement acknowledging the breach.

According to the Cybersecurity and Infrastructure Security Agency, Blacksuit is likely a spinoff or rebranding of Royal ransomware, which, between September 2022 and November 2023, compromised 350 U.S. and international organizations.

“Ransomware demands have exceeded 275 million USD,” the federal agency said.

The county’s statement, sent by Angela Purdie, the commissioners’ administrator, said the county did not yet know the extent of the breach and what data was accessed.

“If you are concerned,” the county officials wrote, “it is always best practice to lock your credit down.”

The release provided contact information for:

County officials said the evidence suggests no sensitive information from employees has been misused, but “we yet do not know if vendor or public users personally identifiable information (PII) has been subjected to unauthorized access.”

Monroe County Assessor Judy Sharp last week said she worried about the security of court data and all the data kept in her office, which includes information about everyone who owns property in Monroe County.

The statement shared by Purdie stated that, as the investigation was ongoing, county leaders were “limited in our communications.”

Purdie said by phone Monday she could not provide more information. She said she did not know whether a state-issued Blacksuit-related Cyber Threat Advisory issued Tuesday — the second day of Monroe County’s shutdown — was related to the Monroe County breach.

That advisory, issued by the Indiana Information Sharing and Analysis Center, which includes the Indiana Department of Homeland Security, warned, “An Indiana government agency experienced a cybersecurity attack that utilized BlackSuit ransomware and may be linked to the Royal Spider cybercriminal organization, which operates from the Russian Federation.”

“BlackSuit Ransomware is categorized as a Royal Ransomware. Royal Ransomware is often delivered via email as a .zip attachment and can affect servers, virtual servers and workstations,” the advisory read.

The analysis center and homeland security did not immediately reply to phone messages Monday.

Monroe County Treasurer Catherine Smith said the cyberattack has prevented the county from doing any kind of banking online, but she hoped to have the connection restored on Wednesday. The next payday for county employees is Friday.

If the attack had happened during a week with a payday, Smith said, “It could have been infinitely worse.”

“I hope nobody else has to go through this,” she said. “This is terrible.”

Smith said Monday afternoon that she had not been asked to pay any ransom, but a cybersecurity expert at Indiana University said the county likely will incur significant costs related to the attack, regardless of whether it pays the ransom.

Scott Shackelford, executive director of the Center for Applied Cybersecurity Research at IU, said when agencies suffer a ransomware attack, they have two main options: pay the ransom or, if they have their data backed up, pay third parties to restore their data.

“None of that comes cheap,” he said.

Shackelford said some agencies are loath to pay a ransom because it encourages hackers, but refusing to pay can get much more costly than the ransom payment.

The city of Baltimore suffered a ransom attack in 2019, but refused to pay the roughly $76,000 ransom. Instead it ended up paying about $18 million in recovery services, according to the Baltimore Sun.

Shackelford said the increasing number of attacks has prompted more agencies to carry insurance against cyber criminals. He said consumers, too, increasingly carry such policies. Some have them through their homeowners insurance.

Shackelford said the county’s advice to people, to lock down their credit, makes sense. In fact, he said, it may make sense for consumers to lock down their credit all the time unless they need to access it, such as when taking out a car or mortgage loan.

If people don’t want to lock down their credit, Shackelford said they should put a fraud alert on their credit, which requires institutions to check with the account holder when they receive a credit inquiry.

He also suggested people use a password manager or, if they don’t, to frequently change their passwords, and back up their data, preferably on a device that’s not connected to the internet.

Boris Ladwig can be reached at bladwig@heraldt.com.