Cybercriminals are taking credit for the cyber hack on Suffolk County government, Suffolk County Executive Steve Bellone said Friday, referring to a threat that they would publish county documents until the county cooperates with them.
Bellone in a statement confirmed someone had claimed responsibility on the "dark web" and said the county was working to protect sensitive information.
The dark web is an anonymized portion of the internet where criminal activity can occur.
“Information posted yesterday on the dark web indicates that a threat actor has claimed responsibility for the current cyber incident in Suffolk County,” Bellone said.
“The County’s incident response team is assessing this information and working closely with law enforcement agencies,” Bellone said.
County officials referred to postings attributing the attack to the BlackCat or ALPHV strain of ransomware.
The blog site DataBreaches.net shared screenshots of the ransomware postings, which included images of what the postings said were Suffolk County documents.
According to DataBreaches.net, the postings said:
"The Suffolk County Government was attacked. Along with the government network, the networks of several contractors were encrypted as well.
"Due to the fact that Suffolk County Government and the aforementioned companies are not communicating with us, we are publishing sample documents extracted from the government and contractor network.
"The total volume of extracted files exceeds 4TB.
"Extracted files include Suffolk County Court records, sheriff’s office records, contracts with the State of New York and other personal data of Suffolk County citizens. We also have huge databases of Suffolk County citizens extracted from the clerk.county.suf. domain in the county administration."
DataBreaches said the ransomware postings included screenshots of "various files that appear to have been exfiltrated from county systems."
Suffolk County websites and web-based applications were taken down last Thursday after discovery of what turned out to be malware in county systems.
Bellone said in his statement Friday that the county probe so far has shown county systems to be intact.
“The County’s Information Technology Department has spearheaded an enterprise-wide effort to evaluate the impact of this cyber-incident to proceed with the safe and secure restoration of servers,” Bellone said.
Bellone did not say if the ransomware demanded a dollar amount.
Steve Morgan, founder of Cybersecurity Ventures in Northport, which provides data and research to the information technology industry, said the hackers were operating in a manner common to ransomware attacks.
“This is typically what happens. They wait a little while. And then suddenly, they'll make an announcement like they did on the dark web saying, ‘We are responsible, we are the ones who did this,’” Morgan told Newsday.
He said hackers then will typically provide some evidence to prove they have the data and make a demand.
Morgan noted the risk in making ransom payments because the attackers still could abuse the county’s data.
“It’s not like a kidnapping where you're exchanging money and you get a person back,” he said. “This is all virtual. There is no guarantee ever that when you pay a ransom, that you're actually going to get your data back.”
John Bandler, an attorney and former prosecutor who has written two books on cyber security, said cyber victims also need to consider the ramifications of paying the attacker, who can be operating on behalf of a nation-state.
“Whenever you pay a ransom, you are making the crime profitable,” Bandler told Newsday. “We want to avoid rewarding criminals for criminal conduct.”
Both Bandler and Morgan said cybercriminals make their demands almost exclusively in virtual currency or cryptocurrency because it allows them to be anonymous.