JOHNSON CITY, Tenn. (WJHL) – The City of Johnson City must replace about 300 desktop computers following a ransomware attack that was discovered Oct. 21, the city’s director of information technology said today. The replacement will cost $215,100, which is $50,000 more than the city’s normal annual replacement budget.
City IT staff spent last week “methodically bringing operations back online” to avoid lingering effects, IT Director Lisa Sagona said. Employees have been sharing available computers, including 118 unaffected laptops and another 170 desktops the city was able to “reimage.” Employees charged with so-called “mission critical” operations have been provided reimaged machines.
Sagona said the city will never know exactly what caused the attack to be successful, but most likely an employee inadvertently clicked a malicious link, responded to an email or somehow gave the hacker a doorway into the city’s system.
“I’m guessing it was something that looked legitimate and probably looked like it was from a regular city account … and someone didn’t give it another thought,” Sagona said. “It usually starts with a password.
“Given that password that’s legitimate on our active directory, they (hackers) can escalate their privileges and get on something stronger, and write their scripts and then deploy those.”
Sagona said a new “hyper-converged Storage Area Network” meant the city lost fewer files than it otherwise would have. That “SAN” became operational just a few weeks before the attack and kept the city from losing a week’s worth of files, Sagona said. Files saved to individual desktops or on hard drives and not backed up to the city server were lost. The city also lost one weekend day’s worth of data, which was mostly fire and police-related, but Sagona said 911 logs allowed that information to be retrieved.
Some new computers have arrived and are being set up. Sagona said they’ll come in multiple shipments and be distributed to staff within the next several weeks. She said most employees should have new or reimaged desktops by early next week.
The IT department will work with a partner agency to determine if more security measures are needed, and that agency will help IT staff provide additional training to city employees, Sagona said.
Changes in procedure ahead
In addition to more training, employees will see new procedures. Password restriction policies will get more stringent. Only IT will be able to install new apps on employees’ computers. Sagona said that’s all about minimizing risk.
Minimal data was lost because the city invested more than $600,000 in the new secure storage. Sagona said that protection was similar to putting protective padding around a bathroom to minimize injury if someone falls — it doesn’t prevent someone from carelessly leaving something on the floor that might be tripped over.
“People say, ‘don’t sweat the small stuff.’ We have to. We have to assume that every possibility of what could happen, will.
“It’s not about trusting our employees, it’s about closing the gap, the hole, the door that somebody can get through,” she said. “There’s a careful balance between the proper amount of security, and usability for the tools our staff need to do their jobs.”