Cyber Incident Victim: Garfield County

Date: Mar 2019

Location: United States of America

Summary

A ransomware attack compromised Garfield County's government systems after an employee clicked a phishing email, encrypting data and disrupting operations across multiple offices including the Assessor and Recorder. The attackers demanded payment in Bitcoin to restore access, prompting involvement from the FBI and leading the state to sever system connections. County personnel resorted to manual processes like handwritten records during the weeks-long outage. Critical functions such as courts, elections, and the Sheriff’s Office remained unaffected. The county ultimately paid the ransom to regain control of its files, phones, and computer systems, restoring access approximately one month later.

Description

In early 2019, Garfield County, Utah, experienced a ransomware attack that severely disrupted government operations after an employee clicked on a malicious link within a phishing email. The attack encrypted data across multiple county offices, including the Assessor’s Office and Recorder’s Office, rendering systems inaccessible. County Attorney Barry Huntington confirmed that attackers exfiltrated and locked critical files, later sending an email demanding payment under the guise of a terrorist group. The breach forced county personnel to revert to manual processes, using pen and paper for routine tasks, as computers remained powered off during the investigation. While the courts, elections systems, and Sheriff’s Office were unaffected, the attack prompted the state to sever Garfield County’s access to centralized systems as a containment measure. The FBI initiated an investigation into the incident, though the perpetrators remained unidentified.

Garfield County ultimately paid an undisclosed ransom in Bitcoin to regain access to their encrypted data, phones, and systems. Restoration occurred in March 2019, weeks after the initial compromise, though the county did not disclose whether backups were used or if decryption keys fully recovered the data. The prolonged outage highlighted operational vulnerabilities, with Huntington noting the significant strain on workflows during the manual recovery phase. No resident data breaches or additional financial losses beyond the ransom were reported. The incident underscored reliance on digital systems, as critical functions stalled until the ransom facilitated system recovery.
