Cyber Incident Victim: La Salle County

Date:

Feb 2020

Location:

United States of America

Summary

A ransomware attack on La Salle County's computer network blocked access to internet-connected systems; officials found no evidence of data compromise beyond the encryption itself. The incident involved a newly released ransomware variant that bypassed the county's existing protections, prompting collaboration with law enforcement, federal agencies, and the state technology department for forensic analysis and recovery. The county declined the ransom demand, citing cases in which victims had not recovered all of their data even after paying, and instead restored operations from off-site backups with vendor assistance. Impacts included a prolonged outage of the county email system, which required temporary alternatives for public communications, while internet-isolated systems such as election tabulators were unaffected. Within three days of the attack, recovery efforts shifted from investigation to data restoration.

Description

On February 23, 2020, at approximately 2:30 a.m., La Salle County’s IT department detected a ransomware infection affecting its computer network. The malicious software blocked access to systems connected to the internet, though officials confirmed no evidence of data compromise beyond the encryption preventing local access. The ransomware variant was identified as a new strain released just four days prior to the attack, rendering the county’s existing cybersecurity protections ineffective. County IT staff immediately initiated response protocols, working overtime to investigate the breach. They collaborated with law enforcement agencies, including the FBI and the Department of Homeland Security, as well as the Illinois Department of Innovation and Technology, to gather forensic data and assess the scope of the incident. By the third day following the attack, the county transitioned from investigation and data collection to active recovery efforts. Officials emphasized that regular off-site data backups were maintained, enabling restoration efforts without capitulating to ransom demands. A vendor was deployed on-site to facilitate data recovery across affected systems.

The county publicly stated it would not pay the ransom, citing precedents where victims failed to recover all data despite payment. Critical services experienced disruptions, including the complete outage of county email systems, which remained nonfunctional days after the attack. A temporary email account ([email protected]) was established to handle Freedom of Information Act requests during the outage. Systems isolated from the internet, such as early voting tabulators, were unaffected, ensuring continuity in election operations. Restoration efforts focused on rebuilding infected systems using offline backups, with no reported exfiltration or secondary exploitation of county data. The incident underscored the operational challenges posed by novel ransomware variants and the reliance on offline backups for recovery.
