The Investigators: Collierville ransomware attack cost over $100,000; town now considering legal action

The Town of Collierville is still feeling the effects from a crippling ransomware attack 7 months ago
Updated: Feb. 19, 2020 at 9:54 PM CST
Email This Link
Share on Pinterest
Share on LinkedIn

MEMPHIS, Tenn. (WMC) - The simple task of opening an email could end with hackers holding your digital life hostage. That is what happened to the Town of Collierville last summer.

On July 18, 2019, town employees found they couldn’t log on to the Collierville network.

One of those employees immediately called internet technology manager Don Petrowski.

“The call came in around 5 a.m. or 6 a.m.," said Petrowski. “We started immediately checking all our systems to see how widespread it was and it was pretty much all the way across town.”

Petrowski quickly realized that Collierville had fallen victim to a ransomware attack.

A ransomware attack happens when a person opens an email and either downloads a malicious attachment or clicks a link to a bad website. A virus then infects that machine and spreads through the computer’s network. Finally, the virus locks a victim’s files and the hackers demand a ransom for their release.

Petrowski found the ransom note after he shut down the town’s servers and got into the system through a digital back door.

“It wasn’t like anything I’d seen or heard of on the internet,” said Petrowski. “It was just the file named Ryuk and all that was in it was an email address.”

Cyber security experts say Ryuk is a popular virus with hackers because of its effectiveness.

“This virus in particular is good at taking control of a lot of servers,” said Jeff Horton with One Point Solutions Group. “And governments can be an easy target because they can be underfunded or understaffed.”

In December, Ryuk disabled computer systems in the City of New Orleans and city officials there declared a state of emergency.

According to reports, Ryuk is also blamed for attacks around the country against hospitals, nursing homes and even the U.S. Coast Guard.

Collierville didn’t reach out to the email addresses on the message and Town officials didn’t pay a ransom. Instead, Collierville police contacted the Secret Service and the FBI. Those federal agencies are now investigating and trying to find the attackers.

The FBI agreed to speak with the Investigators in general terms about ransomware attacks but wouldn’t comment on the Collierville case because it is an open investigation.

"A lot of time, the people who are doing this are not friendly to the United States. They're foreign. There could be state-sponsored activity there or they're trans-national organized criminals," said Special Agent Jeremy Baker. "Nobody is beyond the reach of the FBI. We're going to go after them."

Petrowski said it took his team about a week to rebuild the infected servers and recover locked files.

Town accounting manager Kate Watkins estimates the ransomware attack cost about $120,000.

The costs included reconnecting police mobile units to the network, rebuilding Dispatch and Records Management servers and rebuilding the financial system servers. I.T. also had to buy new storage devices.

While most of the Town’s files were recovered, electronic copies of police reports filed from 2017 to July 2019 were lost. However, Collierville police believe the loss will not impact the prosecution or investigation of cases.

“From what we can tell because we always have a lot of paper back ups,” said Lt. David Townsend. “Detectives have their case files, citations are all written out by hand. So pretty much anything involving a criminal charge, we have a paper copy of it somewhere.”

However, the Town will potentially seek legal action.

A Town spokesperson wrote in an email that the “Town attorney is still looking into the situation to see if there is a case” against the software company Collierville hired to keep its network and files safe.

Petrowski said he’s adding additional cyber security measures and will soon offer more employee training.

He believes a Collierville employee opened a malicious email and unwittingly let the virus in.

Petrowski wants other municipalities to learn from their attack.

“I would suggest having good backup systems on-site and keeping copies of that off-site as well,” he said.

The Investigators called other municipalities to see if they had taken extra precautions since the Collierville attack. Germantown and DeSoto County both said they analyzed their security systems after hearing what happened to Collierville.

Copyright 2020 WMC. All rights reserved.