Phishing E-Mail Triggered Delaware County Cyberattack, Security Upgraded

The initial cyberattack on Delaware County’s information systems came Sept. 10 from a phishing e-mail to a county employee, reported the county’s Chief Information Officer, Frank Bilotta.

He updated county council Jan. 6 on the attack and the follow-up steps taken to secure the county system against future attacks.

The phishing e-mail contained malware that was downloaded.

Once in the system, it captured credentials and infiltrated the network, Bilotta reported.

Between Sept. 10 and Nov. 21, it was stealing credentials, identifying sensitive data and removing information.

Between Sept. 10 and Nov. 21, the threat actor who inserted the malware activated a ransomware application.

On Nov. 21, an IT staff member spotted abnormalities in the network, and servers and computers were disconnected.

The Department of Homeland Security and the county’s insurance agent were notified, and a cyber forensics team was brought in, along with outside legal counsel.

The county’s IT staff reclaimed the system. It installed software to protect each computer and to keep the threat actor from accessing the system.

The intent was to hold the county’s system for ransom, threatening to release data, including personal information, unless the ransom was paid.

The Executive Director recommended to council that the ransom payment be made since the county’s exposure was limited to the deductible amount of $25,000 on its insurance policy.

The belief was that working with the threat actor would restore the system faster and prevent any information from being published.

Once the undisclosed ransom amount was paid, the threat actor provided the decryption tool to unlock the county’s system.

All key systems have been restored.

The county IT staff is improving security going forward by:

· Rebuilding clean versions of the county’s server infrastructure.

· Updating old versions of operating systems and applying security patches.

· Removing old hardware and software solutions that are threat vectors.

· Remediating vulnerabilities that outside support agencies have identified.

· Assessing whether or not personally identifiable information was compromised and taking appropriate steps to comply with all required laws and requirements.

· Establishing and enforcing rigorous and centralized system security and data quality standards for all county systems.

· Moving data storage to more secure, off-site environments.

· Systematically upgrading security applications, scheduling system downtime as necessary.

· Continually evaluating the effectiveness of backup systems.

· Using the Capital Improvement Program to upgrade and replace computer hardware and software.

· Creating a single county domain and reviewing access and operating protocols for externally required systems.
