Cyber Incident Victim: Matanuska-Susitna Borough

Date:

Jul 2018

Location:

United States of America

Summary

A ransomware attack severely disrupted operations for an Alaskan borough government, encrypting email servers, internal systems, disaster recovery infrastructure, the telephone system, and door access controls. The malware may have been dormant for months before activation; antivirus flagged only one of its components, and the attack also encrypted some of the borough's backups. Staff fell back on manual workarounds such as typewriters and handwritten receipts during recovery. Shared drive data was partially restored, but the email system proved unrecoverable. The borough rebuilt affected machines from year-old archives and retained the encrypted data in case law enforcement later obtained decryption keys.

CIA Posture: Available to members
Motives: 4 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

The ransomware incident affecting the Matanuska-Susitna Borough government systems was first detected on July 17, 2018, when antivirus software identified one malicious component but did not recognize the other components that later allowed the attack to escalate. Forensic analysis suggested the ransomware may have been present in borough systems since May 2018 before fully activating on July 24. The malware encrypted critical infrastructure including the email server, internal operational systems, disaster recovery servers, the telephone network, and the door entry card access system. According to IT Director Eric Wyatt, the ransomware also encrypted portions of the backup data, though some shared drive information was eventually recovered. Initial assessments indicated a potential total loss of data; email in particular proved completely unrecoverable. The attack forced borough staff onto manual workarounds, including typewriters for documentation and handwritten receipts for transactions.

Recovery efforts focused on rebuilding each affected machine from year-old data archives while preserving the encrypted files, which the borough stored for an extended period in case the FBI obtained decryption keys through its investigation. Although the telephone and physical access systems had to be restored, the most significant operational impact came from the permanent loss of all email and the partial loss of backups. IT teams chose system-by-system reconstruction over paying the ransom, and Wyatt expressed cautious optimism about recovering additional data from backups the malware had not reached. The incident exposed a weakness in the disaster recovery design: the backup repositories were reachable from the same environment as the primary systems, so the ransomware encrypted both at once, leaving only older archives to rebuild from. Response measures included complete isolation of infected systems and temporary manual processes to keep essential government services running during the multi-phase restoration.

Sources

1 source (available to members)