Cyber Incident Victim: Borough of Duncannon
Date: Apr 2020
Location: United States of America
Summary
The Borough of Duncannon experienced a ransomware attack that rendered municipal computer systems inoperable, disrupting operations for electric, water, sewer, and trash services. Attackers initially demanded $50,000; the borough ultimately made negotiated payments totaling over $40,000 after its contracted IT provider was unable to restore systems because the backups had also been compromised. Officials initially withheld public disclosure, citing legal and security concerns, but internal communications showed they were aware of the attack and the payment plans. No personal data was exposed, as such information was not stored on the affected systems. The incident prompted enhanced cybersecurity measures, including cloud-based backups and additional security layers, and the investigations involved state police and the FBI. The breach’s origin and perpetrator remain unidentified.
Description
The Borough of Duncannon, Pennsylvania, experienced a ransomware attack on April 10, 2020, which was discovered by Borough Treasurer Robert Kroboth on April 11 when he attempted to access municipal computer systems to prepare financial reports. The attack rendered critical systems inoperable, disrupting operations related to electric supply, trash collection, water supply, sewer services, and general municipal administration. The borough’s IT provider, Splashwire, notified officials of the breach on April 13. The hackers initially demanded a $50,000 ransom, later reducing it to $35,000 with a payment deadline of April 23. Unable to restore systems because the backups managed by Splashwire had also been compromised, the borough paid $35,000 on April 21, prior to a council meeting. The attackers provided decryption keys that day but withheld access to files on a virtual server, demanding an additional $10,000, later lowered to $5,780, which the borough paid to regain full system control. Total payments exceeded $40,000.

Internal text communications obtained through a right-to-know request revealed council members and staff knew of the ransomware attack by April 21 but withheld public disclosure, citing legal advice and concerns about provoking further hacker retaliation. Splashwire engaged Coveware, a ransomware recovery specialist, to assist restoration efforts. The borough reported the incident to Pennsylvania State Police, while Splashwire contacted the FBI. No resident or employee personal data was compromised, as such information was not stored on affected systems. Post-incident investigations confirmed the attackers breached both borough systems and Splashwire’s backup server, though the intrusion method remained unidentified. On June 16, the borough council approved enhanced cybersecurity measures costing $1,700 upfront and up to $14,000 annually, including Microsoft Azure cloud backups, additional security software, email archiving, and plans for onsite backup redundancy. Officials noted existing contracts with Splashwire would be reviewed in the future. Insurance coverage for technical recovery costs was being pursued.
