
Ransomware attack brings unknowns for GT County and the city of TC

What was initially described as a “significant network disruption” and later confirmed as a ransomware attack hit Grand Traverse County and the city of Traverse City on Wednesday, disrupting services, halting court proceedings through Friday and affecting internal city and county functions.

Grand Traverse County, which manages IT for the county and city, shut down its network early Wednesday morning after a software application used by Grand Traverse County’s emergency dispatch center stopped working properly. After employees asked IT for help, a tech support evaluation identified a “potential threat,” according to county administrator Nate Alger. IT and administrative leaders agreed to take the county and city office network offline as a precautionary measure while they continued to investigate the incident. Several hours later, tech experts identified the incident as a ransomware attack.

Ransomware is a “type of malware that cyber actors use to deny access to systems or data,” according to the U.S. Department of Justice. “The malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If demands are not met, the system or encrypted data remains unavailable or the data may be deleted.” Data can also be leaked or shared online after ransomware attacks. In April, a ransomware attack on Traverse City Area Public Schools (TCAPS) forced the school district to close school for two days and ultimately resulted in sensitive employee data being leaked online.

Alger says that after the incident, “Read Me” emails, folders and files began surfacing in the county with a ransom note linked to a URL. He says that to his knowledge, no one “touched the URL.” The county and city are currently working with law enforcement — including the FBI — on what is being treated as a criminal investigation, Alger says. Insurance adjusters, legal counsel and outside IT experts are also helping. Alger says no evidence has yet surfaced of a “bulk transfer of data” from the county and city’s network to an outside source, but says it’s too early to determine if any sensitive data was compromised.

The network shutdown meant most county and city employees were unable to use city internet on Wednesday. Instead, they had to use mobile hotspots or their own cellphone signals to check email and conduct business. IT will review each employee’s computer before they can be used again, Alger says. An internal memo from Deputy County Administrator Chris Forsyth advised employees “not to open or use their computer until IT staff has tested it and given them permission to use it.”

While essential services will continue to operate, those that rely on network connectivity will be impacted. Emergency services – including 911, police and fire – are fully operational. Grand Traverse 911 has created a new temporary number for non-urgent calls (231-480-0024). Authorities are asking residents to temporarily stop making in-person payments at the county and city treasurer’s offices, noting that any penalties for late payments will be waived. Online payments can still be processed, as these are routed through separate third-party platforms and the county and city websites remain online.

However, services such as those of the county and city governments and the land registry are affected. The 86th District Court and the 13th District Court are also affected, including some canceled court filings. Zoom is being used for other proceedings, though, and court filings submitted via email, mail or fax can still be received. According to City Manager Liz Vogel, Traverse City Light & Power runs on its own network and is not affected.

Both Alger and Vogel say it’s unclear how long the shutdown will last. Another IT briefing with administrators is scheduled for 9 a.m. today (Thursday). Alger notes that the ransomware attack has blocked the county and city’s access to some programs and services, while others may be too dangerous to access until the full extent of the attack is understood. “They’ve frozen certain data points unless we pay money,” Alger says, adding that the county is working with its liability provider on how best to proceed. Vogel and Alger say the county and city are addressing the incident together, with both municipal IT directors involved. “Because we work so well together, we were able to make key decisions early to prevent it from getting worse,” Vogel says.

The ransomware attack followed an April spear phishing attack on Grand Traverse County that was thwarted by security software and employees. That incident involved emails being sent to dozens of employees that looked like real internal emails from other employees but had an external URL attached. The advanced cybersecurity software the county purchased in 2022 — a $57,600 annual subscription — stripped the URL from the emails so “nothing could happen to our system,” Alger said at the time. Although IT staff had “their hands full,” the attack was successfully thwarted thanks to the county’s investment in security, Alger said.

Both Alger and Vogel credit major multiyear modernizations of county and city IT with making communities less vulnerable to cyberattacks — though they acknowledge that such incidents by increasingly sophisticated actors are becoming more common and are a reality that both public and private organizations must contend with. In 2016, an audit identified several critical security vulnerabilities in the county and city technology systems. Since then, officials have worked to continually modernize and improve government IT systems, including a nearly $4 million project to modernize the county’s software technology that was approved by county commissioners in 2021. “We’ve made great strides over the last five years to make sure our infrastructure is as robust as possible … because we know it’s not a matter of if something like this happens, but when it happens,” Alger says.

Vogel agrees, pointing to major cities and organizations that have been “extorted out of millions of dollars” by ransomware attacks, calling it a cycle that will likely “never end.” And while a post-attack debriefing might include conversations about whether the county and city should continue to use the same networks — which, while it brings vulnerabilities, also allows county and city employees to work in the same building and better collaborate to help citizens — the primary focus will likely be on improvements to better defend against the next attack.