How St. Paul, Minn., Recovered From a Ransomware Attack

https://www.govtech.com/security/how-st-paul-minn-recovered-from-a-ransomware-attack

Publish Date: 2026-05-29 17:48:00

Source Domain: www.govtech.com

When ransomware struck St. Paul, Minn., last July, Chief Information Officer Jaime Wascalus turned to the city’s Emergency Management Department as IT teams began shutting down portions of the network.

The response moved beyond City Hall, with a recovery effort that included Minnesota Information Technology Services (MNIT), federal and state investigators, private-sector cybersecurity specialists, and the Minnesota National Guard. Since the attack, officials have spoken to legislators, at conferences and at symposia, sharing their story in the hopes it can help other governments improve cybersecurity preparedness and response.

DETECTION AND DOWN TIME

Suspicious activity was first identified by the IT team at St. Paul’s water utility, Wascalus told Government Technology. The utility, which is part of the city, maintains its own technology staff and systems, while sharing one network with the local government. The utility was using endpoint detection and response technology deployed through MNIT, utilizing federal State and Local Cybersecurity Grant Program funds.

Shutting down the network took internal networks, online payments and public Wi-Fi offline. The attacker was a ransomware gang called Interlock, which uses the double extortion model: first exfiltrating data, then demanding a ransom to decrypt the data and prevent data leaks. One of St. Paul’s processes, however, is to create nightly backups, and this played a part in the city’s decision not to pay a ransom.

As recovery got underway, the city prioritized 911, payroll and business services such as water delivery. Emergency services weren’t interrupted, while payment systems, the library, email and data storage were restored around the third week of August, with wider recovery taking several months.

During testimony before the state Legislature, CISO Stefanie Horvath credited “proactive investments” in cybersecurity…