Cyber Incident Victim: The City of Lafayette, CO
Date: Jul 2020
Location: United States of America
Summary
A Colorado municipality experienced a ransomware attack that encrypted its computer networks, disrupting phone services, email, and online payment systems. The intrusion likely originated from a phishing or brute-force attack targeting vulnerable infrastructure. After evaluating recovery options, officials paid a $45,000 ransom to obtain decryption keys, deeming it more expedient and cost-effective than rebuilding systems despite initial reluctance. Service restoration remained ongoing post-payment. The incident prompted implementation of enhanced network security measures, including updated backups, expanded cybersecurity deployments, and regular vulnerability assessments to mitigate future threats.
Description
On July 27, 2020, the city of Lafayette, Colorado, experienced a ransomware attack that encrypted its computer networks, disrupting municipal operations. The attack rendered phone services, email systems, and online payment and reservation platforms inoperable. Investigators determined the ransomware likely infiltrated the network through a phishing email or brute force attack, characterizing it as an opportunistic exploitation of vulnerabilities rather than a targeted campaign. Facing widespread service outages, city officials conducted a thorough assessment of recovery options, weighing the time and financial costs of rebuilding systems from backups against negotiating with the attackers. After determining that payment would enable faster restoration of critical services for residents, Lafayette authorized a $45,000 ransom payment to obtain the decryption key. Mayor Jamie Harkins emphasized the decision was made reluctantly after exhausting alternatives, citing the need to minimize prolonged disruptions to public services as the primary factor.

The city began restoring encrypted data using the decryption tool following the payment, though many systems remained offline at the time of the August 12, 2020, report. Lafayette collaborated with regional partners to manage the attack's aftermath and initiated cybersecurity improvements to prevent future incidents. These measures included implementing new backup systems, deploying enhanced network security protocols, and scheduling regular vulnerability assessments. The incident highlighted budgetary challenges common to municipal governments, where constrained resources often delay cybersecurity upgrades. While federal authorities typically advise against ransom payments, Lafayette's leadership maintained that the exigent circumstances—prioritizing swift service restoration for citizens—necessitated this exception. Recovery efforts continued as the city worked to fully reinstate affected systems and reinforce its defenses against evolving cyber threats.
