Cyber Incident Victim: Champaign-Urbana Public Health District
Date: Mar 2020
Location: United States of America
Summary
A ransomware attack using NetWalker malware compromised the Champaign-Urbana Public Health District's website during a critical pandemic response period, locking staff out of files and disrupting access to vital information. The organization engaged federal authorities and cybersecurity consultants to investigate and restore services while relying on cloud-stored email, environmental health records, and electronic medical records unaffected by the attack. Public health communications shifted temporarily to Facebook, a dedicated email address, and a phone hotline, with staff emphasizing continued operational capacity despite website unavailability.
Description
On March 10, 2020, during the early stages of the COVID-19 pandemic, the Champaign-Urbana Public Health District experienced a ransomware attack that compromised its website. Employees discovered the intrusion that day, a Tuesday, when they lost access to critical files, prompting immediate action from the organization. Administrator Julie Pryde confirmed the attack involved NetWalker, a newly emerging ransomware variant that evades detection by hiding within essential Windows functions. The health district promptly notified federal authorities, including the FBI and Department of Homeland Security, while engaging global risk-consulting firm Kroll to investigate the breach and restore systems. Technical analysis revealed the ransomware encrypted local files but did not compromise cloud-hosted services, as environmental health records, patient medical records, and email accounts had been migrated to cloud storage six months prior to the incident. Staff maintained operations using laptops connected to secure Wi-Fi networks, relying on shared emails and alternative resources to access necessary information during the disruption.

The attack occurred during heightened public demand for COVID-19 information, forcing the health district to redirect communications to its Facebook page and telephone services. Pryde emphasized the organization's Facebook platform had gained 1,500 new followers in the preceding 28 days and historically received more traffic than the compromised website. A dedicated email address ([email protected]) and hotline (217-239-7877) were established, with staff monitoring these channels to respond to public inquiries. While restoration efforts targeted a one-week timeline for the website’s return, cybersecurity expert John Bambenek noted the particular vulnerability of public health agencies during pandemics, cautioning that reliance on social media created risks for misinformation through impersonation. The health district collaborated with the University of Illinois for additional support and maintained all clinical and environmental data integrity through its preemptive cloud migration strategy.
