Cyber Incident Victim: Curry County

Date:

Apr 2023

Location:

United States of America

Summary

Curry County suffered a severe ransomware attack attributed to the Royal group, which encrypted its server network and rendered its digital footprint completely inaccessible. The incident broadly disrupted county operations, halting services like property deed recording and marriage licenses, while internal communications reverted to telephone and handwritten methods. Public safety dispatch and election systems remained operational. The FBI is investigating the attack, and the county is undertaking a complete rebuild of its network with state and federal assistance, prioritizing the implementation of new cybersecurity measures.

Description

On the early morning of April 26, 2023, Curry County, Oregon, began experiencing a significant technology disruption. The initial detection occurred when county dispatch operators attempted to access digital information and found it was inaccessible and appeared to be encrypted. The unusual nature of this event prompted immediate contact with the county's IT department. IT personnel responded on-site and quickly recognized the signs of a ransomware attack. The county's server network was rendered generally inaccessible, impacting all county departments. Prompt action was taken to secure the network environment and prevent further spread of the attack.

The county engaged leading independent cybersecurity and digital forensics experts to assist with the response and investigation into the breach. The investigation confirmed that the affected servers had been impacted by a ransomware attack. This attack was officially attributed to the Royal ransomware group, an entity also responsible for attacks on other local governments, including Dallas, Texas, and San Bernardino. The incident was reported to relevant state and federal agencies, including the FBI, which opened an active criminal investigation. A coordinated response team including state and federal experts was assembled to assist Curry County with its effort to securely restore its network.

The Royal ransomware group followed a typical double-extortion methodology. They encrypted the county's information and then issued a ransom demand for a specific dollar amount in exchange for a decryption key. The group also claimed to have exfiltrated data from the county's systems and threatened to release it publicly if the ransom was not paid. County officials, however, noted the inherent untrustworthiness of dealing with criminal actors and the potential for funds to be used for purposes against U.S. interests. The county did not publicly disclose the specific ransom amount or its final decision regarding payment, citing the ongoing federal investigation and the presence of other victims.

The impact of the attack on county operations was immediate and severe. Commissioner Brad Alcorn described it as a "Cascadia event" for the county's IT infrastructure, effectively wiping out its digital footprint. The inability to access any digital information crippled nearly every government function. Law enforcement agencies were severely affected; while the 911 dispatch system remained operational and could receive emergency calls, dispatchers were forced to hand-write all incident information and could not access any historical records or documents related to law enforcement personnel. The county jail's operations were also impacted, though specific details were not elaborated upon.

Critical services provided by the county clerk's office were completely halted. The recording of property deeds became impossible, preventing real estate transactions from closing and causing a major disruption for local mortgage and title companies. The county was also unable to process marriage licenses. All internal county communications were disrupted as email systems became unavailable. County staff resorted to using personal devices on personal cellular hotspots and relied on telephones and in-person meetings to coordinate their response. The ability to print documents from any county computer was lost. The timing of the attack coincided with the county's budget season, creating significant additional challenges for officials trying to balance the books without access to their digital financial systems.

Despite the widespread disruption, the county confirmed that two key functions were unaffected. The ability for 911 dispatchers to receive and triage emergency calls remained intact throughout the incident. Furthermore, the integrity of the upcoming special district election was not compromised, as the vote counting process was isolated from the affected network infrastructure.

The county's response focused on rebuilding its entire IT system from the ground up rather than relying on a decryption key from the attackers. The recovery process was described as complicated and time-consuming, requiring officials to assess every server and data file to determine what was encrypted and what might have been taken. The county declared a local state of emergency due to the incident. The restoration strategy involved a meticulous, phased approach. The first and most complicated step was rebuilding the core network infrastructure and implementing new cybersecurity measures that had not been in place prior to the attack. Once the network was deemed functional and secure, the plan was to add servers and then finally individual computers, reimaging them and reloading the necessary software.

The financial burden of both the attack and the recovery was significant. County officials noted that cybersecurity is expensive and revealed that Curry County had previously applied for two state grants specifically related to cybersecurity, but both applications had been denied. The county received a tremendous amount of assistance through mutual aid and from partners at the state and federal level to help with the recovery effort. Thirty days after the initial attack, the county was still not fully operational. Officials were hopeful that systems would be restored within the next few weeks but emphasized that putting a definite timetable on the complete recovery was impossible due to the complexity of the task. The county prioritized restoring services to public safety and other public-facing departments first. Updates on the recovery progress were provided to the public via the county's official website, co.curry.or.us, as email communications remained offline. The long-term consequence of the incident was a profound recognition of the critical importance of investing in robust cybersecurity infrastructure for government entities.
