Ransomware Attack Information Hub

Ransomware attac.png

The City of Sammamish is still in a state of emergency due to the ransomware attack we first became aware of on January 23, 2019.

We are committed to making sure that employees and the public are kept informed as our cross-functional team continues its work to assess what happened and how best to protect our city from not just this attack, but others we may face in the future.

While some customer applications are disabled, the City continues to operate and is open for business on behalf of our residents. City employees and residents are encouraged to visit this site regularly for updates.

Frequently Asked Questions (FAQs)

Updated February 1, 2019, at 2:30 p.m.

Q. What's the latest information you can share about the ransomware attack?

A. The City of Sammamish is still in a state of emergency due to the ransomware attack the city became aware of on January 23, 2019. As we continue to work with security specialists to investigate the full extent of the damage to computer files and systems, many city services are unavailable.

At this time the city is unable to issue any permits; we know this is inconvenient for our customers and appreciate their patience. Our staff is working on alternate methods to process and issue permits; we hope to have those in place late next week.

The City is still conducting building, mechanical, plumbing, and electrical inspections, and is taking requests for those inspections by phone. To request an inspection, please call: 425-295-0500.

Q. Why is this taking so long?

A. The City is moving forward with a phased approach to getting all of its systems back up. While this approach will take longer, it will help ensure a safe and secure rebuild that will improve our ability to protect against attacks in the future.

At the same time, specialists are working to assist the city with reimaging laptops so employees can continue to perform work that does not require access to possibly compromised files.

For perspective, in March 2018 the City of Atlanta had a ransomware attack that destabilized their municipal operations for months afterward.

Our focus is on improving our cyber defenses for the long term.

Q. Wouldn’t it have been easier/faster just to pay the ransom?

A. According to the FBI’s Ransomware Prevention and Response, the US Government “does not encourage paying a ransom to criminal actors.” They note that paying a ransom is “a serious decision, requiring the evaluation of all options…paying a ransom does not guarantee an organization will regain access to its data.”

Even if the hackers did decrypt the infected devices, the city's digital infrastructure could still have been weakened by the attack. 

Q. Who is helping the city with their recovery efforts?

A. We are still working with LMG Security. We’ve also received a lot of support from local specialists, and mutual aid from neighboring cities, public agencies and businesses including the cities of Bothell, Redmond, and Seattle; King County, Sammamish Plateau Water, and HomeStreet Bank.

Q. How is the city dealing with finances, like paying vendors, contractors, and employees?

A. Our employees are usually paid through direct deposit; for the upcoming pay period the City will be issuing paper checks. We are also working with vendors and contractors to determine what we can do to get them paid in a timely manner.


Updated January 28, 2019, at 4:55 p.m.

Q. What’s the current situation?

A. LMG Security, the firm we contracted with to assist with recovery, worked onsite through the weekend. They are still working on the forensics of this event, and we expect to have a full report from them later this week.

Q.  Has the City been able to recover all its information?

A. The city has backup servers and we are still verifying what has been preserved. This involves downloading the data from the back-up servers; this is a LOT of data – 20 years’ worth – which will take days to download.

Once the data is downloaded we will need to pull it up and check to make sure it’s all clean; then we will need to move it to a new, clean environment.

Q.Was customer or employee personal information compromised?

A. There’s still no indication that customer or employee data has been compromised as a result of this incident.

We are recommending that our employees who may have accessed personal accounts (email, Facebook, LinkedIn, etc.) using our network use their own home computers to go in and change their passwords.

Certainly this situation serves to remind us all to take steps to monitor our personal accounts and information regularly to protect against any and all types of identity theft.

The FBI and MS-ISAC (Multi-State Information Sharing & Analysis Center) shared this link for those who are concerned about their personal information:

And an additional source regarding identity theft published by US CERT:

Q. How long will it be before the city is back to normal operations?

A. It will be another 2-3 weeks before we’re fully back. In addition to restoring the backed-up information, we need to go through every computer to ensure there’s no remaining malware anywhere.

Q. How many computers does the city have?

A. We have about 120 networked computers.

Q. What are the next steps going forward?

A. Our department heads will sit down with their staff this week to codify how the city’s essential work will be handled. We will be using more traditional methods, which will take longer than our residents and businesses are used to, and we appreciate everyone’s patience and understanding.

At the same time, we will be investing in and upgrading our security systems, and setting up a new network system using best practices recommended by LMG. The City already had some money set aside for upgrading our security systems; setting up a new network system will be part of our emergency recovery efforts.

We’ll also be doing more training with staff about cyber-security awareness. As these types of criminals become more and more sophisticated, we all – cities, businesses, and individuals have  to do what we can stay up-to-date on the possible threats and what we can do to try to protect against them.

Q. Does the city’s insurance cover things affected by this ransomware attack?

A. Yes, if necessary, the city’s insurance does cover this situation.


Updated January 25, 2019

Q. What happened?

A. On Wednesday, January 23, the City of Sammamish experienced a ransomware attack that affected our computer systems. As a result, the city’s shared drives, where we store files used for a variety of city services, were shut down and employees and customers were not able to access information. Sammamish’s Information Technology (IT) team is working to restore service.

Q. How was the city made aware of the attack?

A. Our IT people became aware of the attack the morning of January 23, when staff reported having difficulty accessing files.

Q. What course of action was taken upon learning of the attack?

A. IT personnel shut down the city’s shared drives to try to contain the incident and notified city leadership about the situation. Shortly thereafter, Larry Patterson, the city’s Interim City Manager, declared an emergency – thus allowing the city to contract for assistance from outside security experts without having to go through the usual contracting processes. The City assembled a response team that includes not only City personnel, but law enforcement and independent forensic experts to help us assess what occurred and how best to protect our city from not just this attack, but others we may face in the future.

Q. Who is investigating the attack? What have you learned so far?

A. The city has contracted with LMG security to assist with recovery; they were recommended to us by the City of Issaquah. They are working with us on site and will assist the city with:

  • Assessing which systems have been affected.
  • The extent of the compromise
  • What will be required to release the data

 We are also working with law enforcement experts on cyber security.

 

Q. What are you doing to fix the problem? How long will it take?

 A. Our teams are working on this around the clock; while we expect to have a better idea of which systems have been affected and to what extent on Monday, we cannot speculate on when this matter will be fixed. We are committed to resolution, but there is still a lot of work to be done.

Q. What information may have been affected? Is there evidence of misuse?

A. We know that the city’s internal shared files have been affected. While we still are not sure if customer or employee data has been compromised as a result of this incident, residents and employees are encouraged to take precautionary measures to monitor and protect their personal information.

The FBI and MS-ISAC (Multi-State Information Sharing & Analysis Center) shared this link for those who are concerned about their personal information. 

Additionally, here's information that has been published by US CERT regarding identity theft:

Q. How is the city functioning?

A. While some customer applications are disabled as the City works to resolve this incident, business continuity measures have been implemented.  

Details on available city services are as follows:

Public Safety

  • The Sammamish Police Department and King County Sheriffs Office have not been impacted by the attack and 911 is still operational. 

Finance

  • As a precautionary measure we are cancelling all city credit cards

Front Counter

  • We are taking inspection requests by phone: 425-295-0500
    • This is for building, mechanical, plumbing, and electrical inspections.
  •  Not currently processing:
    • Passports
    • Pet licenses
    • Permits

 

 

 Staff Contact: Sharon Gavin, Communications Manager