Cyberattack forces Arizona city offline for weeks, experts warn of growing trend

Investigation

KINGMAN, Ariz. (NewsNation Now) — With a population of about 30,000, Kingman, Arizona, is about as desolate as you can get in the United States. It’s 150 miles southeast of Las Vegas, along historic Route 66, and one of the last places someone could imagine would fall victim to a possible ransomware cyberattack.

On Feb. 26, 2021, Coleen Haines, the city’s public information officers, received a text from the city’s IT director.

“I need to talk to you immediately,” it read.

“When you get a text from your IT director immediately, you’re thinking, ‘This is going to be big. This is very damaging.”

The small southwestern city was experiencing a cyberattack. 

“All I know is that some really smart guys came in and saw the red flags,” Haines said, describing the IT department’s response. “They knew it was big. They knew it was a danger and started shutting things down.”

And just like that, the City of Kingman was offline.

The FBI and U.S. Department of Homeland Security responded immediately. And the Arizona National Guard Cyber Joint Task Force deployed a team on-site for days.

Two weeks later, when NewsNation visited Kingman, they were still shut down. Our crews saw a steady stream of residents filing in to physically pay their utility bills — unable to pay them online. 

“There are some really smart people out there with very bad intentions, and they happen to target us. We don’t know why. I don’t know if we’ll ever find out why or exactly who it was,” said Haines.

Adding to the confusion, she doesn’t know why the city of 30,000 was targeted.

“We learned from the National Guard is that this has happened to, I think, six other [cities] in the state of Arizona over the last two years,” Haines said.

She doesn’t know if there was any outreach to the IT professionals or anyone else about who may have been making demands.

“What I can say is no one has been paid, but we’re not categorizing this yet as ransomware because we just don’t know the level or the extent of this incident,” said Haines.

However, the National Guard is characterizing it as a “ransomware attack on the city’s information technology infrastructure.”

Last year, 2,354 U.S. government, health care facilities, and schools were affected by ransomware, according to the cybersecurity firm Emisoft.

FBI Special Agent Jonathan Holmes said these attacks are “essentially indiscriminate,” in that they don’t target a specific size business or even a particular industry.

“What we found when we look at that data is that there is no industry that is immune from these attacks,” Holmes said. “These actors are really just going after anyone that has an ability to pay.”

Michael McAndrews, a cybersecurity expert at PacketWatch, spent seven years in the FBI as a special agent focusing on cyber issues like ransomware.

“Sometimes, the criminals don’t even know who they’ve attacked. They’re simply casting a wide net and opportunity knocked when somebody clicked on a link or went to a bad website and got swept up in ransomware,” explained .

When PacketWatch parachutes into a company to help them digitally, they view the operation through their own dashboard as a way to trace the attack.

“Ransomware and malware, in general, is a huge problem for companies right now,” he said. “It puts jobs at risk. It puts livelihoods at risk. It costs companies millions of dollars a year.”

PacketWatch dashboard

NewsNation reached out to several companies and cities reportedly hit by ransomware attacks, but all declined to be interviewed on the record. However, one Silicon Valley executive, who didn’t want to be identified, agreed to speak with us.

The woman, who will be referred to as Susan, says the problem is more widespread than people think, and no one wants to talk about it.

“It’s a tough thing,” Susan said about choosing to remain anonymous. “As a business, you don’t want to create kind of a fear and spook, you know, your partners, but more importantly, you don’t want to be a target to more of those bad actors,” she said.

Several years ago during an ordinary day at work, something came to Susan’s attention.

“Basically, one of our production servers goes down, up pops a message: ‘This system has been locked down. You need to follow these instructions.’”

Susan described the instructions as, “Go to this site, we want Bitcoin. And we’ll unlock all your stuff. If you don’t do it, we’re going to sell your information on the black market.”

“In the end, we were lucky we paid, it unlocked. All of our systems came back up,” said Susan.

But she says her company experienced a second ransomware last year.

“And again, it’s a ransomware message. ‘We’ve locked this machine down. If you want to unlock it, you know, we have all your data, we have, you know, everything about you,’ very similar, right?”

It was a similar problem, but a different response.

Susan’s company called PacketWatch for help.

“We identified the way that they did access the server, we mitigated that risk for them, and we helped them upgrade their systems and apply additional protections,” said McAndrew.

McAndrew says he never encourages a company to pay a ransom and instead recommends companies have an incident response plan and get ahead of the game.

“You don’t have to spend $50,000, You don’t have to spend $10,000. Find a partner right now that’s free. Download a cybersecurity checklist — those are free,” said Susan. 

Meanwhile, the City of Kingman is still digging out and getting back online — but with very few answers.

“I think the question is ‘Who got what, what did they get? What do I need to do as a person? You know, what is my level of concern?’ And I think, too, that’s what we’ve been telling our external customers is. Look, ‘When we know, you’ll know.’ We have skin in this game too. We’re just as concerned as external customers as well.”

© 1998 - 2021 Nexstar Media Inc. | All Rights Reserved.

Trending on NewsNationNow.com