A ransomware attack struck Coweta County’s computer servers around 6:30 Sunday morning.
By Tuesday afternoon, most of the county’s systems were back online, with the exception of external email and department servers.
All of the county’s servers and computer systems were shut down once the issue was discovered to prevent the spread of the ransomware, a variant of Bitpaymer, said Patricia Palmer, Coweta’s director of community and human resources.
“This thing found a soft spot to come in,” Palmer said. Bitpaymer works its way through servers and locks data down with encryption, she said.
“It kind of snakes its way through, locking down your data,” she said.
The ransom demand was $250,000 to provide a way to unlock the encryption, Palmer said.
The county has not paid the ransom, and won’t need to, according to Palmer.
The entire system is backed up regularly, and the county’s IT staff are using those backups to reload and rebuild the system. A backup was done late last week, according to Palmer.
The most severe impacts were to the county’s public safety operations. At Coweta 911, phone systems weren’t affected, but computer aided dispatch wasn’t operational.
“So an ambulance call reverted to pen and paper records,” Palmer said. Operators pulled out map books. They were no longer able to send computer-based info directly to ambulances, fire trucks and patrol cars, or to track locations of vehicles responding to calls.
“It forced them to go to their backup systems – which of course we have and we keep,” Palmer said.
All public safety computer operations were restored overnight Monday, Palmer said Tuesday afternoon.
“They started with the highest-priority systems, which of course are the public safety systems,” Palmer said. “Today we’re about 50 percent complete in the rebuild."
The attack didn’t affect county systems that are externally hosted, including Coweta Superior Court, the Coweta Tag Office and library checkout. It also didn’t affect the county’s payroll system.
It did affect Coweta Magistrate Court and some parts of Coweta Juvenile Court and Coweta State Court, according to Palmer.
Palmer said IT crews were working on court systems Tuesday afternoon.
Palmer said the county’s IT Director, Phillip Dingler, and his IT staff have been working almost nonstop since Sunday morning.
The attack was discovered when the on-call IT worker started receiving notice from public safety that there were issues with the system.
Local and federal law enforcement agencies are already aware of the attack and investigating, Palmer said.
“Once are systems are restored and rebuilt, we will be doing a complete forensic analysis,” Palmer said, to determine how the attack happened and how to prevent a future one.
The county has insurance for cyber attacks, which includes an analysis to help ensure it doesn’t happen again, Palmer said. The insurance can also cover the work it will take to recover from the ransomware attack.
Bitpaymer has been active since June 2017, according to the New Jersey Cybersecurity and Communications Integration Cell. On Aug. 1, a suburb of Anchorage, Alaska, was attacked by Bitpaymer, and its believed that the PGA was infected on Aug. 8.
Because county employees can’t receive email from outside the county’s email system, the best way for Cowetans to contact government officials is the old-fashioned way – by phone. The main line to the county administration building is 770-254-2601. Other phone numbers are available on the county’s website, www.coweta.ga.us .
The county’s website was operational at 4:40 p.m. Tuesday after being down for a time. But that problem was apparently not related to the ransomware. Instead, according to the Coweta County Facebook page, the problem was with the web provider, Vision Internet, which is based in California. The company informed the county that it was having data issues affecting a large number of clients.