BOWLING GREEN — A ransomware attack has blocked the ability of Wood County offices to access the county’s servers, impacting functions at the sheriff’s office, jail, common pleas court, and other county offices.
According to Sheriff Mark Wasylyshyn, the attack was first detected around 6 a.m. Monday. The sheriff’s office is unable to access its crime reporting system and computer-aided dispatch system — the system used to manage public safety calls for service across the county.
“Initially we went to paper and pencil, but we have migrated to an Excel spreadsheet,” Mr. Wasylyshyn said, describing how the 911 call takers and dispatchers adjusted to the sudden loss of the computer system.
The county’s 911 call center answers around 36,000 phone calls a year, according to the sheriff.
“It has not affected our ability to respond to emergencies,” he stressed. “Anyone needing emergency services will receive them.”
At the jail, deputies are “doing the same thing, the old-fashioned way,” he said. “They are processing everything with paper.”
On Tuesday, county officials were still assessing the impact of the attack. While it appears to have hit all county servers, the impact on the operations of various offices varies, according to Jeff Klein, director of the Wood County Emergency Management Agency.
“In the EMA it is not really a huge deal,” he said. “For day-to-day operations, it has not impacted us as much as other offices. We all interact with people in different ways.”
According to Mr. Klein, the attack became evident Monday morning. While the sheriff’s office noticed the effects around 6 a.m., other offices noticed something was amiss as people came to work later that morning.
“Individual users noticed things didn’t seem to be like they were on Friday when they left,” he said. Some employees had difficulty logging in or accessing certain applications and databases.
Each county office is addressing the attack differently, but they are working to limit the disruption residents experience.
“You will still get the same services, and things will still be able to happen,” Mr. Klein said.
Citing the ongoing criminal investigation, Mr. Klein was unable to discuss how officials think their servers were breached.
“Because it is a criminal investigation we are limited in what information we can provide,” he said. “We have no idea yet on how they got into the system. There are so many different places, servers, or ways to get in.”
How the attackers gained access to the county’s servers may not be immediately known, but at least one expert has a theory.
“I would assume this particular attack was caused by some user behavior,” said Jack Danahy, vice president of Strategy and Innovation for NuHarbor Security, a cybersecurity firm based in Colchester, Vt. “Someone would have accidentally clicked on something that looked good, or opened a message they shouldn’t have because it looked real.”
While he thought an email with a malicious attachment or message is the likely cause, Mr. Danahy was quick to minimize the blame.
“County government, city government, state government, they are all attractive” targets, he said. “They exist to serve their constituency. Their officials’ emails are on their sites, as is info on what is going on.”
Mr. Danahy described how attackers can “scrape” all of the pertinent information off of a website and then use it to craft very genuine-looking emails that contain malicious code.
“What diligent county official doesn’t open a message from an angry constituent?” Mr. Danahy said. “That is why [government entities] get attacked so disproportionately.”
He lauded the apparent speed at which officials identified and addressed the matter.
“It sounds as though when they identified something bad was happening, they had a plan in place that allowed them to keep this thing from spreading,” he said. “From what I can read, the team in the county has done a pretty decent job in avoiding the calamity we see in these events elsewhere.”
The commissioners’ office contacted law enforcement as well as “nationally recognized third-party cybersecurity and data forensics consultants with whom the county is now working,” according to a statement released Monday.
“Bringing in someone from the outside who has seen a lot of these things is good. They will know what to look for and where,” Mr. Danahy said.
While it appears county officials have been able to mitigate the damage and are providing services nearly uninterrupted, Mr. Danahy said there is another phase of the attack for which the county needs to be prepared.
“The style of these attacks has really changed over the last four or five years,” he said. “Bringing down the system so people cannot work is half the attack. The other half is selling the data.”
He voiced his concerns over the possible sale of information gleaned from the criminal justice records, confidential law enforcement data, and other sensitive government documents.
“They may try to get the county to pay them not to release that into the wild,” he said.
Any monetary demand likely was for some form of cryptocurrency.
“It is almost always Bitcoin,” Mr. Danahy said. “About 2016-ish, as anonymous cryptocurrencies like Bitcoin came out … it completely changed the monetization of hacking.”
Even if the county meets the demands of the attackers, or if they are able to thwart the attack, officials should not expect things to return to normal.
“According to FBI data, a slight majority of the time, you get back enough to get back up to speed, but in many cases you don’t come back to full speed,” he said. “Even though [the hackers] may get thrown off the systems, they may still have exfiltrated passwords, or files, or credentials.”
“They have to increase their awareness. Be watching for things they are not expecting to see,” he said. “The county needs to think hard about how they do an even better job of watching what is happening on their system.”
Some offices were impacted more than others. The Wood County Recorder’s Office was nearly unscathed, having taken steps in 2022 to protect their systems.
“Email is running slowly, but everything else is functioning,” according to Chief Deputy Recorder L. Matthew Bartow.
In 2022 County Recorder Jim Matuszak had the system used by the office updated to run independently of the county servers.
“We are on five different servers across four states,” Mr. Bartow said. “They are spread out with each one of them backing up the other. We did that in 2022 in case we had another COVID issue.”
The attack has also impacted county systems in the engineer’s office and the clerk’s office.
This is not the first significant ransomware attack to hit northwest Ohio. In September 2020, Toledo Public Schools was hit by an attack that caused a failure of online learning tools on the first day of classes. The attack subsequently culminated in the online dissemination of student and employee information.
First Published December 10, 2024, 2:53 p.m.