St. Clair County IL website restored after ransomware attack

St. Clair County’s online services are nearly fully restored after a cyber attack on the county disabled services used to pay taxes, search court records and more.

Information Technology Director Jeff Sandusky said Wednesday the county’s online services had been 90% restored by a team working on the issue. However, Sandusky said he “wasn’t at liberty” to discuss which services hadn’t been restored and that the investigation into the attack was still “ongoing.”

Services the county provides online include looking up and paying tax bills, searching court records, searching for parcel information, paying tickets or court fees, searching for information on inmates at the county jail, scheduling COVID-19 vaccination appointments and several other services. As of Wednesday, all of the previously listed services appeared to have been restored.

Last week, a ransomware group calling itself Grief claimed it targeted the county along with several other organizations, demanding payment in cryptocurrencies such as Bitcoin and Monero.

The county has neither confirmed nor commented on the claims of such an attack.

In screenshots of the group’s website, obtained by the Belleville News-Democrat, the group claims it has 2.5 gigabytes of data including internal company documents, personal and customer information.

The initial attack occurred on May 28, Sandusky said, rendering several services provided by the county via the web unavailable. The county also disabled its website out of “an abundance of caution” following the attack, Sandusky said.

Last Thursday, Sandusky said the county is working with third-party cybersecurity specialists to investigate the source of the attack and to confirm the impact on the county’s systems. At the time, he said a team has been working “around the clock” to restore full function to the county’s systems.

“The investigation is early in the process, and we are still working to understand how the incident may have impacted any data stored within our systems,” Sandusky said in a statement. “We have substantial resources dedicated to this process and we will provide relevant updates as the investigation progresses.”

He added that the county notified law enforcement authorities of the cybersecurity attack and will work with those agencies as the investigation continues.

In many ransomware attacks, hackers lift a small amount of data and offer to transfer it back when payment is confirmed. For larger amounts and sensitive data, hacker groups may encrypt the data within the network of a company or local government, only to decrypt it when payment is received.

While making payment restores access to the data, it doesn’t mean that data won’t also be sold on the dark web. It isn’t clear how much the group is demanding the county pay for the data.

The county was among several organizations targeted by Grief and another ransomware group identified as Prometheus.