Serious Cyber Breach In Rawlins Could Have Been Prelude To Ransomware Attack

A serious breach of the city of Rawlins’ computer systems last month may have been a prelude to a ransomware attack, but it was caught and plugged before any sensitive information or city systems were compromised.

Leo Wolfson

December 20, 2023

City of Rawlins (Cowboy State Daily Staff)

Although it took more than a month of analysis, investigation and system lockdowns, the city of Rawlins says there was no sensitive information or lasting harm caused by a cyber breach to the city’s computer servers last month.

The city was notified about the breach by the investigations branch of the U.S. Department of Homeland Security on Nov. 8, but didn’t let the public know about the event until putting out a press release Tuesday night.

Rawlins Police Chief Michael Ward told Cowboy State Daily the reason the city took more than a month to notify the public about the attack was because they were doing their due diligence in investigating and addressing the breach and making sure no sensitive information had been compromised.

Their biggest concern, Ward and Rawlins Mayor Terry Weickum said, would have been alerting those who committed the breach that the city knew about it before new software and other safeguards could be installed to close off any vulnerabilities. Ward said making it public before then could have alerted the malicious actor to set off malware.

“We didn’t want those folks to know we were on to them,” Weickum said, who was notified of the attack as soon as it happened. “We didn’t want to give them the heads up.”

Prelude To Ransom?

The investigation, assisted by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Multi-State Information and Analysis Center, confirmed the breach but found no information had been downloaded or malware installed on the city’s servers.

New software downloaded as a result of the event determined that there were no indications of ongoing malicious or suspicious activity.

Ward said they were told by cyber experts that there is often a delay between the time a malicious actor breaks into a system and does anything to it as they often become distracted breaking into other servers or need time to figure out the system.

Acts like these are usually done for the purpose of eventually locking agencies out of their servers and making them pay to release the locks. That can sometimes lead to a hefty ransom fee from the actors for return of information or access to services. That’s what happened in the city of Baltimore in 2019 when hackers successfully demanded $76,280 from the city in a cyber breach that ended up costing the city around $18 million.

These ransomware attacks often target government entities, school districts and hospitals. In 2019, an employee at Campbell County Health in Gillette opened a ransomware-infected email that locked the agency, including Campbell County Memorial Hospital, out of its computer systems for weeks. A similar event took place in Park County in 2018.

“These people are just criminals,” Weickum said. “They could spend the time and effort they do hacking toward building a really cool program that could help the world and them get rich, but they don’t.”

The police chief said they were notified by DHS the same day it discovered the breach and the city closed off the area of vulnerability within its servers no more than a day after being notified. He would not disclose when the actual breach happened because the event is still under criminal investigation by DHS.

What Could Have Been Compromised

Because the city of Rawlins, about 40 miles east of Wamsutter, outsources its utility services to a private company, no sensitive information belonging to the general public could have been compromised in the attack. What could have been lost was sensitive information belonging to Rawlins employees held in the city’s payroll records.

Rawlins is a working-class city with its fair share of financial hurdles, and a breach that led to significant financial losses could have been devastating, said City Manager Tom Sarvey. Sarvey said the city is lucky to walk away from the breach without more lasting harm.

“We should consider ourselves very lucky,” Sarvey said. “We were a little nervous there for a time because we felt like (a) cyberattack was imminent.”

Ward and Sarvey commended Carbon County Emergency Management Coordinator Lenny Layman for quickly helping connect city officials with all the necessary state and federal agencies in response, which they said were invaluable in helping the city navigate the breach.

“The city of Rawlins is very appreciative of the support we received,” Sarvey said. “He (Layman) really organized a tremendous effort.”

Ward said it’s highly unlikely that the person or group who committed the attack will be found or prosecuted.

“It is unusual to identify a group or individual; it is most often they are operating on foreign soil,” he said. “Because they are hackers, they are well-versed on hiding their identity.”

He said most of the city’s costs related to the event will be covered under its technology insurance, although there will be some additional fees for extra employee time spent mitigating the situation and for new software that was purchased.

Leo Wolfson can be reached at leo@cowboystatedaily.com.

Leo Wolfson, Politics and Government Reporter