It was just after 12:30 p.m. on the Friday before the Fourth of July holiday when a warning popped up on Laschelle McKay’s computer screen.
McKay learned later that day that the town had been a victim of the massive ransomware attack that breached popular software made by the information technology company Kaseya. The attack reached Leonardtown through its IT management company, JustTech, which uses the affected Kaseya product, JustTech told McKay.
In emails sent to Leonardtown and shared with The Washington Post, JustTech wrote that neither its “servers nor your network were directly hacked or breached. The intrusion came through the remote monitoring and security software we utilize from an industry leading provider.”
The firm was part of what cybersecurity researchers are calling potentially the largest ransomware attack ever, affecting hundreds of businesses and other entities globally. In a ransomware attack, hackers break into a company’s systems, lock them and demand money for a key to unlock those systems.
Last week, hackers exploited a software vulnerability at the IT services provider Kaseya. The resulting hack infected about 60 of Kaseya’s customers like JustTech, customers that in turn provide IT services to small businesses. The attack then spread through the Kaseya software to affect as many as 1,500 U.S. businesses, Kaseya has said, and the full extent of the damage is not yet known.
The Russian-language hacking group REvil has taken responsibility for the attack and demanded a total ransom of $70 million to unlock the files of all of its victims. Hundreds of grocery stores in a cooperative chain in Sweden had to close temporarily because of the hack, and at least nine schools in New Zealand were affected.
JustTech owner Joshua Justice said in an email that his team is working around the clock to restore backups to its affected clients in five states. “We had plans to bring clients back and fully recover from situations such as this but never envisioned we would need to do everyone at once,” he said.
McKay said JustTech informed Leonardtown that the ransom demand was $45,000 per computer but that the town’s leaders never seriously considered paying. Instead, they are undertaking the painstaking work of restoring computer system backups. The town has 19 computers, and all but two were frozen. One was spared because the employee who uses it was on vacation and the machine was turned off, and the other was an older computer left at an employee’s home.
On Friday after the computers froze, McKay said, city staffers called JustTech, which told them to start turning off the devices.
“Shut down everything,” JustTech reportedly told the city staffers, noting that the problem was bigger than just their organization.
A JustTech employee showed up at the office Friday afternoon before the town had even been informed of the extent of the attack. The worker turned off the affected server, too. In its initial email to clients on Friday, JustTech wrote that it had “discovered the breach, disabled, and shut down the affected servers within 8 minutes.”
The IT firm said it has secure backups for the town’s systems that it will be able to restore. But it’s unclear how long that will take. Experts say it can take weeks or months to fully recover from a cyberattack.
JustTech also has been inundated in the attack, McKay said.
“We’re trying to be patient,” she said. “We were able to finally talk to one of the reps yesterday, and they’re just exhausted. I mean, it’s just been 24 hours a day since last Friday, working to try to recover, so I feel really bad for them.”
McKay and the city staff of 15 others are doing their best to work without computers in the near term; they’re helping residents in person and over the phone. Their electronic billing software and system to send utility bills has shut down, and the office doesn’t have any Internet access, except through individual cellphone plans.
Staffers need to run home to print documents, and even simple activities like scanning documents have become a chore.
“We can’t access any of our data right now, to be able to service our customers,” McKay said.
The staff had been preparing quarterly utility bills to send out to about 3,000 residents. The bills were being finalized Friday, but all of that data probably has been lost, McKay said, and the bills will be delayed.
“We have a lot of residents that are used to getting their bills on time,” she said.
She’s also trying to ensure the town’s payroll system is back online before paychecks need to go out next week, even if that means working with a different IT firm to get it running, something the town is considering.
Many residents have made contact by phone calls and texts to express their support for the small staff, McKay said. Several asked if any personal information had been accessed during the hack. JustTech told the town it doesn’t think any personal information was taken.
Kaseya is planning to release a software patch this weekend for its customers affected by the hack.
Another town in Maryland, North Beach, issued a news release confirming that it, too, had been a victim of the attack. The town’s water and phone systems were still working, it said.
“Resolution of this incident is expected to take approximately one week and your patience is appreciated while our IT service provider works to reinstate the network server and workstations,” it said in the release.
Ransomware attacks have surged in the past few years as hackers work together to extort as much money as possible from victims including health-care providers, schools, municipalities and businesses of all sizes.
High-profile cyberattacks on Colonial Pipeline, the meat supplier JBS and several health-care providers have highlighted the dangers and potential widespread fallout from the attacks. The attack on Colonial caused a panicked run on fuel at East Coast gas stations, leaving some empty. An attack at a hospital in Vermont delayed chemotherapy treatments for some patients.
The Kaseya attack has put further pressure on the Biden administration to address cybersecurity within the United States and to resume talks with Russia about cybersecurity, given that many cyberattacks appear to originate inside Russia.
REvil is believed to be based mostly in Russia.
“If the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own,” White House press secretary Jen Psaki said Tuesday when speaking about cybersecurity consultations between the two countries, discussions that the leaders agreed to begin when they met last month.