The Howard County government is juggling the effects this week of a malware attack that has left employees without Wi-Fi after a virus targeting personal financial information spread throughout the county system.
County officials say there were not any breaches into the county’s financial or banking records during the attack, which has been contained but is still being investigated and has yet to be fully understood by those within county government.
A statement released by the Howard County Board of Commissioners Wednesday said the county’s information systems department was first alerted on Monday “to suspicious activity on several machines.”
An investigation determined that malware was spreading to PCs across the county network, including the Howard County Courthouse, the Government Building and the Administration Center. All three buildings are located in downtown Kokomo.
The commissioners said “isolation procedures were deployed as a response to contain the virus.” One precaution taken was to shut off Wi-Fi for county departments across the three buildings.
Howard County Board of Commissioners President Paul Wyman told the Tribune today he is hopeful the county’s internet capabilities will return “within the next day or so.”
Officials contacted the county’s antivirus vendor, Sophos, after discovering the malware, according to the statement. A sample of the malware was given so Sophos and identified as TrickBot, which was described by the commissioners as “a fast spreading worm that infects PCs looking for banking and online shopping credentials to compromise.”
The U.S. Department of Homeland Security said on its website last month that TrickBot is “a modular banking Trojan that targets users’ financial information and acts as a dropper for other malware. An attacker can leverage TrickBot’s modules to steal banking information, conduct system and network reconnaissance, harvest credentials, and achieve network propagation.”
Wyman said no county banking or financial records were compromised in the attack. In conjunction, he said the county is not aware “at this time” of any employees who had their personal information compromised through the attack.
He said the county will send a message to employees urging them to change their computer passwords and take other protective steps.
The county, remarked Wyman, is not sure how the malware got started in the county system, but acknowledged that many malware attacks start with someone clicking on a fraudulent phishing email that gives the recipient fake information in an attempt to get them to click on an attachment or link.
Wyman said county efforts are currently focused on stopping the attack and cleaning up its system. Once that is complete, he noted, information system workers will begin to narrow down where the attack started and exactly where it traveled.
“Once you realize you are infected like that, you want to prevent it from spreading through the system,” Wyman explained.
The commissioners’ statement noted: “Working with the antivirus vendor, a response plan was created to address any PCs and servers that may have been affected. Additional outside IT vendor support is being utilized to implement the response plan to speed the county’s recovery efforts.”
“They have been working on it day and night to try to get it fixed,” added Howard County Auditor Martha Lake, who said her staff is not accessing any online program that could put county finances in jeopardy.
And while the precaution is necessary and certainly needed, said Lake, it does make the her office’s work more onerous. The auditor’s department handles county payroll, among other responsibilities.
“It is difficult because of the possibility that something can happen to the files where we do our management of our county money. We’ve had to stay out of certain things on the computer that are through the internet, which means that we can’t get our work done because of the threat of the possibility of something happening to the money or any other records we have.”
Lake said the auditor’s office is not using their computers “as we usually would.” She noted that her staff is trying to keep copies of everything by hand so employees can input information as soon as the computers “are a go again.”
“We are doing the due diligence to make sure we are not making anything worse … to make sure we are not losing anything that would hurt the county or the taxpayers,” remarked Lake.
Another department head trying to keep up is Howard County Treasurer Wes Reed, who said his office has taken even more precautions to guard against the malware attack.
“Right now, we’ve just had to revert back to paper processes. Our computers are completely off just because of the virus issue and what it is and what it does. Just for safety concerns. To make sure it has no access to any of our stuff,” said Reed.
“We are completely down with anything technologically driven. … We are taking every step of precaution necessary.”
Reed said he’s been told the treasurer’s office will be fully operational again by 10 a.m. Thursday. Without the internet, his office has accepted payments from people that come in with the necessary paperwork.
“We can still function, it’s just really old-school. ... We are kind of in the stone ages for the moment,” he remarked, saying the county is “being more safe than sorry.”
The office’s online payment options were not affected by the issue and were “100 percent safe,” noted Reed, who said the attack affected “only anything in-house.”
Reed, in conjunction with Wyman, said that through the malware attack “the county hasn’t lost a penny” and that the treasurer’s office has ensured no county finances were breached and that all passwords were changed “immediately.”
But the timing of the attack, in the midst of tax season, was “horrible,” Reed acknowledged.
Meanwhile, Howard County Clerk Debbie Stewart said that the clerk’s office is still open throughout the internet interruption, although everything is made more difficult because of the inability to access certain computer systems.
And with the clerk's office heading to an E-filing system set to begin on Friday, Stewart said this week's internet interruption has actually been a little nerve-wracking.
“When you can’t get on the Case Management System to process your daily work, you’re basically at a stand-still,” she said. “But there are other things that we can get caught up on that don’t involve the internet, so the office can still keep busy. And these workers know their job well, so we’ll manage. We’ll also do what we can to help the customers however possible if they come in.”
But while the clerk’s office has been affected, areas like voter registration have still been business as usual, Stewart said.
“The poll books and the voting at the government center has not been affected,” Stewart said. “We’re on our own Wi-Fi with that, and the main requests that we’re getting for people to vote by mail, we are still able to process those.”
Stewart said she is also using her own cell phone to access the Indiana Voters website if the need arises.
The inability to use the internet and other computer systems has also heavily impacted the way business has been conducted throughout the Howard County courts.
Superior Court 1 Judge William Menges said that with the internet down, programs like Odyssey and Jail Tracker are currently out of service.
“It (lack of internet) creates a substantial obstacle to getting business conducted,” he said. “But that being said with the nature of a court proceeding, we can still do things that don’t involve processing paperwork.”
Menges said that due to the internet interruption, court staff have been taking written notes and recording the court proceedings. It’s just not happening that efficiently, he said.
“I’ve stated before when we’re talking about technology that a court can function with a quill pen, a piece of parchment, a judge and a court reporter,” he said. “But because no one can open Odyssey or the Internet that we’re all dependent on, it’s just slowing us down.”
And once the internet is back up and running, that’s where the tedious work of moving the written court notes onto the computer systems begins, Menges said.
“This is eventually going to mean more work for somebody when everything is up and running again,” he said. “Because the notes will be handwritten and recorded, somebody is going to have to go back and put those in as opposed to normally just doing it simultaneously with the hearings.”
This is not the first time Howard County’s government has been the target of a malicious virus.
In November 2016, the county system was attacked by ransomware on two separate days. Officials in the information systems department initially thought around 33,000 files had been encrypted but later discovered the number was actually more than 76,000.
Two emails, disguised as the same FedEx message, had been opened by county employees two days apart, one in a work email, the other a personal account.
The emails told recipients that a package was undeliverable and provided an attachment for an invoice or certificate. Encryption of county files began once the attachment was clicked.
Fortunately for Howard County, the attack did not cost the hundreds of thousands of dollars paid by other governments and businesses after similar ransomware attacks.
The ransomware that hit Howard County was a form of malware that encrypts files on infected systems and forces users to pay a ransom, usually with the hard-to-trace cryptocurrency Bitcoin, to obtain a decrypt key, or password, for the undamaged files.
County officials credited its extensive backup system as keeping government files safe and allowing a nearly 100 percent recovery after the 2016 attacks.