Full Report
Adams County government offices have been unable to conduct any online business for over a week due to a reported cyber attack. Officials said Wednesday that they expect to be back online Thursday after a costly system overhaul worth over $250,000. Since the server crash on Friday, April 17, officials determined the cause was a type of "ransomware." However, "We never actually got a ransom note," Adams County Supervisor Kevin Wilson said on Wednesday. Adams County Emergency Management sent out a countywide alert on Monday, April 20, via HyperReach to alert residents of an outage affecting all county government offices.
Analysis Summary
# Incident Report: Adams County Ransomware Attack
## Executive Summary
Adams County government offices experienced a total operational shutdown following a ransomware attack that targeted an obsolete workstation. The incident crippled digital services for over a week, necessitating a complete $250,000 system overhaul and network infrastructure replacement. While the organization refused to pay a ransom, they were forced to migrate to modern operating systems and implement 24/7 monitoring to recover.
## Incident Details
- **Discovery Date:** Friday, April 17
- **Incident Date:** Friday, April 17 (Approximate)
- **Affected Organization:** Adams County Government
- **Sector:** Government / Public Sector
- **Geography:** Natchez, Mississippi, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Friday, April 17
- **Vector:** Exploitation of unpatched legacy software (Windows 7).
- **Details:** The attack originated on a computer in the sanitation department running Windows 7, which officials described as "obsolete" and "extremely vulnerable."
### Lateral Movement
- **Details:** The malware propagated automatically, exploiting vulnerabilities it found on the network, from the initial sanitation department workstation to the county's central servers.
### Data Exfiltration/Impact
- **Details:** Digital civil and circuit records were locked; the ability to process payments for car tags or public records was completely disabled. No ransom note was ever formally received despite the "ransomware" classification.
### Detection & Response
- **Discovery:** IT Director identified a server crash on Friday, April 17.
- **Response Actions:** A countywide alert was sent via HyperReach on April 20. The Board of Supervisors held an emergency meeting on April 24 to authorize an infrastructure overhaul.
## Attack Methodology
- **Initial Access:** Exploitation of an unpatched vulnerability on the Windows 7 workstation. Officials did not name the vulnerability; given the Windows 7 vector, an SMB exploit such as EternalBlue is plausible but unconfirmed.
- **Persistence:** Not specified, but impacted all central servers.
- **Lateral Movement:** Automated propagation through the network via identified vulnerabilities.
- **Impact:** Data Encrypted for Impact; Denial of Service (System Shutdown).
## Impact Assessment
- **Financial:** Over $262,000 total (including $227,000 for infrastructure overhaul/monitoring and $35,000 for data recovery).
- **Data Breach:** Unknown volume; potential permanent loss of some digital files, though hard copies remained available for many records.
- **Operational:** "Total lockout" for over 10 days; inability to conduct online business or collect revenue.
- **Reputational:** High; countywide emergency alerts were required to notify citizens of the service failure.
## Indicators of Compromise
- **Network indicators:** Activity originating from internal sanitation department workstation.
- **File indicators:** Encrypted digital civil and circuit records.
- **Behavioral indicators:** Server crashes and inability for employees to log into county systems.
## Response Actions
- **Containment:** The Sheriff's Office servers were already isolated from the county network by design, which prevented the spread to emergency services.
- **Eradication:** Complete removal of obsolete Windows 7/Windows 10 hardware.
- **Recovery:** Mass migration to Windows 11; restoration of data from backups; hiring of third-party firm (Netlink) for 24/7 Managed Detection and Response (MDR).
## Lessons Learned
- **Legacy Risk:** Running end-of-life (EOL) software like Windows 7 on a production network created a single point of failure.
- **Segmented Networks:** The Sheriff’s Office remained operational because their servers were independent, highlighting the value of network segmentation.
- **Insurance:** The lack of cybersecurity insurance left the county solely responsible for the $250k+ recovery cost.
## Recommendations
- **Asset Lifecycles:** Implement a strict policy to decommission and replace any hardware/software reaching EOL status.
- **Network Segmentation:** Further segment internal departments (like Sanitation) from core administrative servers containing civil records.
- **Proactive Monitoring:** Ensure 24/7 Security Operations Center (SOC) coverage to detect automated, vulnerability-driven lateral movement before it reaches the domain controller/central servers.
- **Cyber Insurance:** Secure a policy to mitigate the financial impact of future recovery efforts.
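The Asset Lifecycles and Network Segmentation recommendations above both come down to one question an IT director should be able to answer from inventory alone: which end-of-life machines can still reach the central records servers? The script below is an added example, not code from the report or from the county; it assumes a hypothetical CSV inventory export (hostnames, subnets and the segmentation allow-list are constructed sample data), uses Microsoft's published end-of-support dates for Windows 7 (14 January 2020) and Windows 10 (14 October 2025), and rates each EOL host by whether the firewall policy permits it a path to the core subnet.

```python
import csv
import io
from datetime import date
from ipaddress import ip_address, ip_network

# Microsoft end-of-support dates for the client OS versions named in the report
# (Windows 7: 14 Jan 2020; Windows 10: 14 Oct 2025). Extended Security Updates
# are deliberately ignored: a host on an ESU contract should be tracked separately.
EOL_DATES = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Constructed sample inventory in a hypothetical CSV export format; not county data.
SAMPLE_INVENTORY = """hostname,department,os,ip
SAN-WS01,Sanitation,Windows 7,10.10.50.21
SAN-WS02,Sanitation,Windows 11,10.10.50.22
PRK-WS03,Parks,Windows 7,10.10.60.9
ADM-WS07,Administration,Windows 10,10.10.20.17
REC-SRV01,Records,Windows Server 2022,10.10.10.5
"""

# Constructed segmentation policy: (source subnet, destination subnet) pairs the
# firewall permits. Anything not listed is assumed blocked (default deny).
ALLOWED_FLOWS = [
    ("10.10.50.0/24", "10.10.10.0/24"),  # sanitation -> records servers
    ("10.10.20.0/24", "10.10.10.0/24"),  # administration -> records servers
]

# Subnet holding the central records servers (hypothetical).
CORE_SUBNET = "10.10.10.0/24"


def parse_inventory(text):
    """Parse the CSV export into a list of dicts with a parsed IP address."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ip"] = ip_address(row["ip"].strip())
        rows.append(row)
    return rows


def is_eol(os_name, today):
    """True if the OS has a known end-of-support date on or before `today`."""
    eol = EOL_DATES.get(os_name)
    return eol is not None and eol <= today


def can_reach(ip, dest_subnet, allowed_flows):
    """True if some permitted flow covers ip -> dest_subnet (default deny)."""
    dest = ip_network(dest_subnet)
    for src_cidr, dst_cidr in allowed_flows:
        if ip in ip_network(src_cidr) and ip_network(dst_cidr).overlaps(dest):
            return True
    return False


def eol_findings(inventory_text, allowed_flows, core_subnet, today):
    """Return EOL hosts, rated by whether policy lets them reach the core subnet.

    `today` may be a date or an ISO date string. Each finding is a dict with
    hostname, os, eol_date, reaches_core and severity, where
    'critical' = EOL host with a permitted path to the core servers and
    'high'     = EOL host that segmentation already keeps away from the core.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for host in parse_inventory(inventory_text):
        if not is_eol(host["os"], today):
            continue
        reaches = can_reach(host["ip"], core_subnet, allowed_flows)
        findings.append({
            "hostname": host["hostname"],
            "os": host["os"],
            "eol_date": EOL_DATES[host["os"]].isoformat(),
            "reaches_core": reaches,
            "severity": "critical" if reaches else "high",
        })
    # Most urgent first, then alphabetical so the report is stable run to run.
    findings.sort(key=lambda f: (f["severity"] != "critical", f["hostname"]))
    return findings


if __name__ == "__main__":
    for f in eol_findings(SAMPLE_INVENTORY, ALLOWED_FLOWS, CORE_SUBNET, "2026-01-01"):
        print(f"{f['severity']:8} {f['hostname']:10} {f['os']:10} "
              f"EOL {f['eol_date']} reaches_core={f['reaches_core']}")
```

Run against the sample data, the sanitation Windows 7 host and the administration Windows 10 host both come out as critical because the allow-list gives their subnets a path to the records servers, while the Parks Windows 7 host is only high: still overdue for replacement, but segmentation already keeps it away from the core. The point of the split is prioritisation; in this incident it was exactly the critical category, an EOL workstation with a route to the central servers, that turned one infected machine into a countywide outage.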