The calls came in on the personal cell phones of Monterey Bay Air Resources District staff, from a spoofed phone number and with no attempt made by the caller to disguise their voice: Pay what we're demanding and we'll give you your data back. Don't pay, and we're going to sell it.
On Nov. 24, the Air Resources District found out that someone had invaded their servers in what's known as a ransomware attack, in which hackers take over data, encrypt it and then demand payment for its safe return.
The district began notifying 2,000 customers via mail this week, but they're still not sure if the hackers managed to steal anything. The district was able to restore all of its systems and didn't pay the ransom demand.
"They were in our systems for a few hours, and we don't think they had enough time to make copies of our data. They had encrypted it and we weren't able to access it except for the things we had in the cloud," says Air Pollution Control Officer Richard Stedman. "They say they copied everything and we were told to go to a website to get the key to unlock the encryption, and 'if you fail, we will sell the data.'"
In the letter to affected customers, a copy of which was sent by a recipient to the Weekly, the District states, "it's our understanding that the disclosed personal information includes, but isn't limited to, social security numbers, driver's license numbers, email addresses, District account login credentials, tax identification numbers and financial information." The District is providing LifeLock Advantage identity theft protection, at no cost to customers, and recommends impacted individuals review their credit reports and accounts to look for any evidence of identity theft.
Stedman says the District reported the ransomware attack to the FBI, which told them, in an ironic moment, to make a report online. "It's like the police saying, 'Your car was stolen, bring it by so we can look at it,'" he says.
The Monterey County Sheriff's Office stepped in, Stedman says, and got the Northern California Regional Intelligence Center—a joint federal, state and local public safety organization—involved. The FBI's Boston office, which deals with national ransomware investigations, is now involved.
"We've provided them a copy of our drives so they can look into it and investigate further," he says.
According to the Sunnyvale-based cybersecurity company CrowdStrike, 2020 saw a "merciless ransomware epidemic" that will worsen as long as the practice remains lucrative. There was no single destructive incident, the company states in its 2020 Global Threat Report; rather, "it was plagued by sustained operations targeting the underpinnings of our society."
Among the trends the report notes: ransomware purveyors began targeting municipalities and local governments in spring 2019.
"It's a good way to usher out 2020," Stedman says.
