Cyber Incident Victim: Tillamook County
Date:
Jan 2020
Location:
United States of America
Summary
Tillamook County experienced a ransomware attack disrupting all internal government computer systems relied upon by 250 employees, forcing operations offline including departmental websites and non-emergency network services. While emergency dispatch and 911 remained functional, the Sheriff's Office encountered phone and email disruptions. Initially mistaken for a storage system failure, the incident was later confirmed as ransomware, prompting engagement of a forensic firm. County commissioners authorized negotiations for an encryption key despite acknowledging payment risks. Recovery efforts involved reverting to paper-based workflows, such as manual library book checkouts, with phone services partially restored but no estimated timeline for full system restoration.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 22, 2020, Tillamook County in Oregon experienced a targeted ransomware attack that disrupted all internal computer systems relied upon by 250 county employees. The incident initially manifested as widespread system failures, which county officials first misinterpreted as a storage system technical issue before confirming it as a ransomware attack. Although no initial ransom demand was communicated by the attackers, the malware forced the shutdown of the county’s primary website—hosting multiple departmental services—and compelled officials to disable additional network connections to contain further spread. Critical emergency services, including 911 dispatch operated by the Emergency Communications District, remained operational, but the County Sheriff’s Office reported disruptions to its phone systems and email capabilities. By January 23, the county contracted cybersecurity firm Arete Incident Response to conduct forensic analysis and assist with recovery efforts.
The attack necessitated an immediate shift to non-digital workarounds across county operations, such as manual paper-based transactions at the Tillamook County Library. On January 27, five days after the attack began, county commissioners unanimously authorized negotiations with the attackers to obtain an encryption key for systems still compromised, signaling the emergence of a ransom demand. Information Technology Director Damian Laviolette confirmed Arete’s role in facilitating these negotiations, specifically for systems where data integrity could not be preserved. County Commissioner Mary Faith Bell publicly acknowledged the uncertainty surrounding ransom payments, noting they could not guarantee data recovery or security. Phone services were partially restored earlier that week, but nine days post-attack—as of January 31—no timeline existed for full restoration of computer systems. The incident highlighted operational vulnerabilities, with Bell emphasizing the necessity of comprehensive data backups amid rising ransomware threats.