Henry, Lawrenceville cyberattack recovery will be slow, experts say

The Lawrenceville Police Department was hit with ransomware two weeks on July 13. Henry County announced four days later that it was taking down its computer systems because of a malware attack. Hyosub Shin, hshin@ajc.com
The Lawrenceville Police Department was hit with ransomware two weeks on July 13. Henry County announced four days later that it was taking down its computer systems because of a malware attack. Hyosub Shin, hshin@ajc.com

Henry County and Lawrenceville residents who are hoping the recent cyberattacks on their communities will be resolved anytime soon are in for an unwelcome surprise, experts in cybersecurity say.

Restoring computer networks after a malware infection can take weeks if not months because of the voluminous amount of software programs, passwords, stored data and servers that have to be inspected, cleaned and then re-inspected before a system can be brought back up.

Because computer systems are often linked, a virus will piggyback from one system to another once it has a pathway that allows it to spread — even if each department uses software unique to its tasks, the experts say.

“System A talks to system C and system C talks to system D and they are all tied together, which makes things really complicated,” said David Barton, a managing director at cyber firm UHY Advisors. “Now what [IT officials] are doing is trying to figure out why this system isn’t talking to this other one anymore. That will help them ascertain what can still work and what has to re-created from scratch.”

The Lawrenceville Police Department was hit with ransomware two weeks on July 13. Henry County announced four days later that it was taking down its computer systems because of a malware attack.

Those breaches follow an outbreak of ramsonware attacks around the country over the past two years, from Baltimore to Riviera Beach in Palm Beach, Fla., to last week in Collierville, Tenn.

Atlanta was attacked in March 2018 and it took the city's Municipal Court — one of the department's targeted — at least three months to restore its computer operations. The court, one of the busiest in the nation handling thousands of cases each day, was forced to use paper records and postpone cases because of the shutdown.

Atlanta’s attackers demanded the equivalent of $51,000 in bitcoins. The city refused to pay, but reportedly spent as much as $17 million restoring its system, according to a leaked document.

The Georgia Administrative Office of the Courts, which was hit with ransomware in late June, has been slowly restoring its network, but was still not fully operational.

Neither the Lawrenceville Police Department’s or Henry County’s system is back up and running and leaders have said more it will take more time, though neither knows how much time is needed to fix the systems. Both are working with the FBI, the Georgia Technology Authority and others to investigate the cyberattacks and to restore their networks.

“Our technology team in still in the process of systematically going through all the computers,” Henry spokeswoman Erika Richards said. “Right now, we don’t know when our website will be up and running.”

Those hit by the malware have a myriad of issues to address that can take weeks to untangle, the experts said

First, they generally will check to determine if sensitive information, such as social security numbers, birth dates and passwords to banks or credit unions, has been lost. They also will prioritize which systems are most vulnerable to another attack and tackle them first over those that don’t pose the biggest danger of data loss.

After that, they’ll inspect their back ups to see what information, if any, they can retrieve and hope that it has not been compromised. They’ll have to comb through thousands of emails for any more suspicious malware, clean servers department by department, re-establish critical links to system information, and pull all equipment — software and hardware — that has been exposed.

In some cases, municipalities that used old software because of budget constraints, say a version of Windows from the early 2000s, will have to upgrade everything because the software they used is no longer supported.

“People don’t invest in business continuity ideas and disaster recovery ideas as much as they probably should,” said Steve Akridge, CEO of BorderHawk Cybersecurity. “But you never know when something is going to hit you from behind, something you didn’t anticipate.”

Others said those hit must take their time because they never know if the malware is still lurking, even after new equipment and software has been installed. And if there has not been a ransom demand, it could mean the attackers are watching and waiting to gauge the reaction and determining if they can do more damage for a bigger payoff.

“It’s always a cat and mouse game,” said Andy Green, a lecturer of information security and assurance at the Coles College of Business at Kennesaw State University. “It’s a situation of act and response.”

That's especially important to remember when a municipality has been compromised. Politicians, feeling pressure from the public that is unhappy that they can no longer pay a traffic ticket online, may push to get the matter resolved quickly, he said. But doing so plays into the hands of the attackers.

“IT is concerned about re-infection,” Green said.

Henry Commissioner Bruce Holmes said the county still has not received a ransom demand from the attackers. He said his colleagues are willing to be patient because they know what's at stake and that he's sure there will be a lot of changes made when the county's systems are restored.

“If the IT department comes to us and wants upgrades, we always vote to support IT because we know we need to update,” he said. “I guess we just got caught behind the eight ball this time.”