Amid coronavirus scare, ransomware targets public health agency in Illinois

The Champaign-Urbana Public Health District has retreated to social media to update its public about the ongoing pandemic after an attack with a new variety of ransomware.

A public-health agency in central Illinois has had to retreat to social media to update residents about the ongoing spread of the new coronavirus after a ransomware attack disabled its main website and briefly cut off employees from medical files.

Workers at the Champaign-Urbana Public Health District discovered Tuesday that they were victims of a cyberattack, which was confirmed as ransomware the following day. While the website has been disabled, the agency’s email accounts, environmental health records and patient records were not impacted, having been moved to a cloud-based backup storage system, according to the local News-Gazette newspaper.

The ransomware has been identified as NetWalker, a relatively new form of malware that targets enterprises running on Microsoft Windows 10.

Since the attack, the health district has moved most announcements related to the coronavirus to its Facebook page, and has also established a backup website with alerts about the pandemic while it restores its main page, a process that Julie Pryde, the agency’s director, told the News-Gazette will take about one week.


“The public needs to know it’s being taken care of, and we’re still functioning,” she told the paper.

According to the Illinois Department of Public Health, 25 people in the state have tested positive for COVID-19, though most appear to be located in and around Chicago. There are no reported cases in Champaign-Urbana, which is home to the University of Illinois, one of dozens of colleges around the United States that have canceled in-person classes due to concerns about community spread of the new virus.

Reached by phone Thursday, an employee of the Champaign-Urbana Public Health District told StateScoop the agency is not commenting further on the incident, which has also been reported to state authorities and the FBI.

The NetWalker ransomware also sometimes appears as “Mailto” or “Kazakavkovkiz,” according to the Australian Cyber Security Centre, which sent out an alert last month after the malware was used to attack the Toll Group, a shipping and logistics firm. According to the ACSC, the actors behind NetWalker use phishing or password spraying attacks to gain access to a network, and then use compromised email accounts to send more phishing emails internally. It’s also known to disguise itself within Windows as “Sticky Password,” the name of a real and well-reviewed piece of credential-management software, according to security firm Carbon Black.

Brett Callow of the antivirus company Emsisoft told StateScoop that NetWalker has likely spread quickly because the actors behind it have used compromised email accounts in one targeted enterprise to hit other targets.


“This creates a bad situation because we’ve assessed there’s a very high probability the actors are using data stolen from one company to spear phish others,” he said.

This is part of StateScoop and EdScoop’s special report on coronavirus response.



Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.
