After U.S. Conference of Mayors takes stance against paying ransom to cyber-attackers, City of Elk Grove's email system appears hacked

UPDATED 9 p.m. July 17 |
See statement from City of Elk Grove's I.T. department |

At their annual meeting in Honolulu, the U.S Conference of Mayors adopted a resolution against municipalities paying ransom to cyber attackers. The stance was unanimously approved by the conference with over 225 mayors signing the resolution.

In the last several months, American cities of varying sizes have been attacked by criminal organizations that seized control of the municipalities' computer and phone systems. The attackers have demanded ransoms  - usually to be paid in cyber currencies like Bitcoin - for the release of the virtual hostages.

The most notable cases included Baltimore and Atlanta who refused to comply with ransom demands. As a result, their systems were disabled for extended periods, and the recovery is expected to cost millions of dollars.

While Baltimore and Atlanta refused, a small city in Florida was not as resolute. Lake City, Florida decided to pay ransomware attackers 26 Bitcoins with an estimated value at the time of $426,000.

According to a CBS News report, the Lake City attack, population 12,000, was initiated by a so-called phishing attack. The report said, "the hackers apparently got into the city's system when an employee clicked on an email link that allowed them to upload malware."

The mayor's conference resolution in part states "paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit."

Elk Grove Mayor Steve Ly attended the Honolulu conference and during the city council meeting following the conference he provided no report on his activities. An email inquiry to Ly and as well as phone calls to the U.S. Conference of Mayor's office in Washington DC to see if he was one of the 225 mayors signing the resolution have gone unanswered.

An email inquiry was sent to Ly, councilmembers Steve Detrick, Pat Hume, Stephanie Nguyen, and Darren Suen, and members of the city's executive staff regarding what the city's policy on ransomware. In an email, city manager Jason Behrmann promised to respond to the inquiry by sometime later today.

Interestingly, earlier this week several email users, including Elk Grove News, received an unusual email from a member of the city's executive staff. The email can be viewed above. (For security considerations, the identity of the executive staff member or the department will not be disclosed).

Several people, including Elk Grove News, trusted the email and clicked the link. This is a typical phishing attack tactic.

In a telephone conversation yesterday, the executive staff member acknowledged they heard from several people about receiving the same correspondence. The official claimed their email account was hacked.

In a further development, another email from a different city staff member (see image below) was sent this morning, almost exactly 48 hours after Monday's transmittal. It was acknowledged that the person whose account today's email came from is not on duty.

As of this posting, the city has not formally released information on the apparent attack on the city's email accounts.  

Statement from City of Elk Grove I.T. department  - released at 6:15 p.m. July 17

“Our Cyber Security plan relies on a multi-layer defense that includes software, hardware and user-based education. At the hardware level, our next-generation firewall “detonates” all unknown file attachments in a sandbox environment to ensure they do not carry a malicious payload.  All network traffic is scrutinized at a layer 7 (Application) level to validate a specific application is authorized before its allowed to pass.  We also block known threats via DNS, URL and geolocation filtering.  As a failsafe, we routinely monitor reports and logs searching for anomalies in traffic and usage.

With software, we utilize protection that doesn’t rely on threat signatures.  Instead it blocks exploits and ransomware by employing behavior-based protection.  Daily workstation software inventories are used to verify active and updated protection is installed.  Backups for on-premise and off-premise data assets are replicated to the cloud within 8 hours.  We have further hardened our backup stores by ensuring all administrator accounts are protected with multi-factor authentication.  We also have a responsive patching program to ensure our workstations and servers are current on the latest security patches released by operating system and application vendors.

We routinely educate our users with regards to current threats and methods.  Our helpdesk is also very accessible and eager to answer any question relating to an email’s authenticity.  Hoping to prevent the malicious emails from ever reaching our users, we utilize a best in class email security partner.  In the last 30 days we have blocked over 225,000 malicious or spam laden email messages headed to City email boxes.

Of course, it only takes one well-crafted email to get through. In response to the recent comprised account, we are accelerating our adoption of multi-factor authentication to provide another layer of security for our accounts.  Our cloud-based monitoring automatically disabled the account when the activity was discovered.  

Many of the recent news articles regarding Cities that paid ransomware were impacted because they had old outdated software, or didn’t have a good back-up strategy so they could restore their own data. The City of Elk Grove is proactive on installing software and patches by testing them as they are released, and then rolling them out to our various desktops and systems. We also have a high level of back-up protections so that in the event something should occur, we can correct the issue ourselves. The goal is to be prepared and prevent the situation from occurring. We also have a Cyber Security insurance policy that is reviewed as technology changes.

These same phishing activities happen every day, in every email system whether it’s public or private, including Yahoo, Gmail, and other free email programs. Teaching people to be cautious and aware is extremely important in both the workplace and at home. We also subscribe to multiple IT forums, from Homeland Security groups to local State of California IT groups, to ensure we are getting as much information as possible to help prevent these types of attacks.”

Copyright by Elk Grove News © 2019. All right reserved.


Post a Comment Default Comments


D.J. Blutarsky said...

The statement from the City tries its damnedest to reassure the citizens that they are on top of everything ("move along, nothing to see here").

What about the computers of the recipients who attempted to open these e-mails sent from the City? Apology, tough luck, go get your own security systems? What?

Maybe next year the Mayors will get together in Hawaii and sign a resolution to inform citizens when their viruses may have been infected.

Connie said...

I got two of these emails, one from Jon Hobbs and one from Brenda Haggard. When I got the first one, I immediately emailed Hobbs for the security code and got no response to alert me that the email was fake.

I did the same when I got Haggard's email this afternoon. So as a citizen, I feel I did my part to alert the city; not to mention, contacting other active citizens to see if they got the emails as well and warn them. Some did.

I agree D.J., the city did have a responsibility to respond, but nothing from Hobbs. . . or maybe "they" wanted the "usual suspects" to get a virus and keep us down and out for a while. Nice try!

Spoons and Forks said...

The statement reads like it was written by the legal department or public affairs, not the I.T. people.

Neo Elk Grove said...

The statement from the City of Elk Grove's department is hokum.

If the city's incompetent i.t. department had a handle on the situation, there would have been only one email sent on one day. Given people received the second email indicated either the problem had not been addressed, or, the patch was so weak the hackers were able to penetrate whatever patch was used after Monday's attack.

Either scenario is bad. Of course given the collective incompetence of the city council, should we expect anything less? Failures starts and the top and rolls downhill like you know what.

Connie said...

I wanted to post an update to my above comment. I received an email from City Attorney Jon Hobbs this morning stating he never got my email regarding the first illegitimate email. As I have no reason to doubt Jon here, I will take him at this word.

However, when I got the second emails a few days later and emailed the city again, I did get a response from City Manager Jason Behrmann.

Follow Us



Elk Grove News Minute

All previous Elk Grove News Minutes, interviews, and Dan Schmitt's Ya' Gotta be Schmittin' Me podcasts are now available on iTunes

Elk Grove News Podcast