St. Clair County IL targeted by hackers in ransomware attack

St. Clair County’s website is back online following an alleged ransomware attack that may have given a hacker group several gigabytes of sensitive data.

A ransomware group calling itself Grief claimed it targeted the county along with several other organizations demanding payment in cryptocurrencies such as Bitcoin and Monero, according to several publications specializing in cybersecurity.

In screenshots of the group’s website, obtained by the Belleville News-Democrat, the group claims it has 2.5 gigabytes of data including internal company documents, personal and customer information.

Several services provided by St. Clair County via the web were have been unavailable since May 28, when the county disabled its website out of “an abundance of caution” following the cybersecurity attack, county Information Technology Director Jeff Sandusky said.

In a statement Thursday, Sandusky said the county’s computer system was breached on May 28. While its website and some services have been restored, several services including access to court records and payment for court or ticket fees are still unavailable.

“The investigation is early in the process, and we are still working to understand how the incident may have impacted any data stored within our systems,” the statement read. “We have substantial resources dedicated to this process and we will provide relevant updates as the investigation progresses.”

Sandusky said the county notified law enforcement authorities of the cybersecurity attack and will work with those agencies as the investigation continues.

He added that the county has been working with third-party cybersecurity specialists to investigate the source of the attack and to confirm the impact on the county’s systems. He said a team has been working “around the clock” to restore full function to the county’s systems.

St. Clair County Chairman Mark Kern did not respond to a request for comment on the alleged ransomware attack.

How ransomware attacks work

In any ransomware attacks, hackers lift a small amount of data and offer to transfer it back when payment is confirmed. For larger amounts and sensitive data, hacker groups may encrypt the data within the network of a company or local government, only to decrypt it when payment is received.

While making payment restores access to the data, it doesn’t mean that data won’t also be sold on the dark web. It isn’t clear how much the group is demanding the county pay for the data.

The county was among several other organizations targeted by Grief and another ransomware group identified as Prometheus.

Government often targeted

Brett Callow, a threat analysis with antivirus software provider Emsisoft, said attacks like the one on St. Clair County have been increasing in recent years. He said In 2020 there were nearly 250,000 attacks on local governments, school districts, police departments, health providers and other organizations.

Callow said in similar situations, Emsisoft believes roughly 30% of similar government organizations end up paying the amount the hackers demand. He added that there are currently believed to be about 30 organizations that routinely steal data throughout the world.

On a security level, Callow said most attacks succeed because of “very basic” security failures but said that’s not always the case. It can be difficult for organizations to evade attacks, he said.

“It isn’t easy for organizations to get everything right all the time,” he said.

Callow said the county needs to worry about what the group might do with the data — if it truly has stolen the data. If the data is stolen and put online, it could be accessed by anyone.