Collierville experienced a cyber-security incident last week that has disrupted the town’s information technology systems.
The town first received reports of the disruption on July 18. After assessing the situation, the town’s Information Technology staff determined that the cause was the Ryuk ransomware virus.
Staff has worked to minimize impacts and restore system functionality. All impacted servers have been isolated and shut down. Staff is rebuilding servers with priority given to public safety.
All town employees are currently at work but have limited functionality, which may have temporary impacts on service to the public, such as permits, public records requests, and business services. Town Departments are developing alternative solutions to continue serving Collierville residents; emergency services are operating as normal.
Jennifer Casey, who works with the town’s Public Information Office, said on Monday that “there is a list of priorities that IT employees are tackling.”
“First, our IT Department worked throughout the weekend to rebuild our servers,” she said.
Casey would not divulge too much information for security reasons.
“As a general overview, we have multiple servers that support various programs,” she said. “Right now, they are making sure that finance and accounting are squared away.”
Staff is also working on programs like Granicus, which records and houses the town’s public meetings. Another top priority is regaining access to all town employee shared files and drives.
“It’s going to be a long recovery to rebuild all of our servers and reload our software,” Casey said. “However, our departments have adapted their processes to continue serving residents - you can still even check out library books. We are also reaching out to our IT and software vendors asking for their support and resources.”
Ryuk first appeared in August 2018. While it was not incredibly active across the globe, at least three organizations were hit with Ryuk infections over the course of the first two months of its operations, landing the attackers about $640,000 in ransom for their efforts.
Despite its successful infection run, Ryuk's functionality is the kind you would see in a few other modern ransomware families. This includes the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. Deleting the shadow copies lets the attackers disable the Windows System Restore option for users, and therefore makes it impossible to recover from the attack without external backups.
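For defenders, shadow-copy deletion is one of the more detectable steps described above. The following is an added example, not part of the original article: it scans process-creation command lines for documented Windows utilities that can remove Volume Shadow Copies. The rule names, event fields and sample events are constructed for illustration, and the article does not say which mechanism Ryuk uses.

```python
import re

# Rule name -> pattern over a normalised (lower-cased, single-spaced) command line.
# These are documented Windows utilities that can remove Volume Shadow Copies;
# which of them a given ransomware family uses is not stated in the article.
RULES = {
    "vssadmin_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
    "vssadmin_resize": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "powershell_shadowcopy_delete": re.compile(
        r"\bwin32_shadowcopy\b.*\b(delete|remove-wmiobject|remove-ciminstance)\b"),
}

def normalise(cmdline):
    """Drop quoting, lower-case, and collapse runs of whitespace."""
    cleaned = cmdline.replace('"', " ").replace("'", " ")
    return " ".join(cleaned.lower().split())

def match_rule(cmdline):
    """Return the name of the first rule that matches, or None."""
    text = normalise(cmdline)
    for name, pattern in RULES.items():
        if pattern.search(text):
            return name
    return None

def scan(events):
    """Return (host, user, rule) for every event that matches a rule."""
    alerts = []
    for ev in events:
        rule = match_rule(ev["cmdline"])
        if rule:
            alerts.append((ev["host"], ev["user"], rule))
    return alerts

# Constructed sample process-creation events (hypothetical hosts and users).
SAMPLE_EVENTS = [
    {"host": "FIN-SRV01", "user": "svc_backup", "cmdline": "vssadmin list shadows"},
    {"host": "FIN-SRV01", "user": "SYSTEM",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"host": "FILE-SRV02", "user": "SYSTEM",
     "cmdline": "cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "WKS-114", "user": "jdoe", "cmdline": "wmic shadowcopy list brief"},
    {"host": "WKS-114", "user": "jdoe", "cmdline": "WMIC.exe  shadowcopy  delete /nointeractive"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Read-only queries such as `vssadmin list shadows` are deliberately not flagged, so an alert points to an actual removal or resize of shadow storage and is worth triaging alongside backup health.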