Colorado has spent more than $1 million bailing out from ransomware attack

Since the SamSam software infected the state's transportation department in February, returning systems to normal has been costly.

Colorado has spent between $1 million and $1.5 million recovering from a February ransomware attack that took out thousands of computers at the state’s department of transportation (CDOT). The Colorado Office of Information Technology says CDOT’s systems are about 80 percent back to what officials are referring to as a “new normal,” spokeswoman Brandi Simmons told StateScoop.

More than 2,000 Windows-based computers at CDOT offices were knocked offline February 21 by a version of the ransomware virus known as SamSam. Similar software has also been identified as the culprit in a number of other ransomware attacks, including the one last month that crippled government systems in Atlanta.

While the Atlanta attack took down many of that city’s public-facing operations, such as court scheduling and online utility payments, Simmons said the ransomware that hit CDOT was limited to back-office systems. Traffic control operations and highway cameras were not affected.

The recovery has been slow and costly. It took about two weeks for systems administrators to contain the ransomware infection, and another two weeks after that until CDOT’s operations were brought back online, Simmons said. Rebuilding CDOT’s computer systems also required more than just experts from the IT office. The state also leaned on cybersecurity consultants and federal agencies to repair the damage. In total, Simmons said between 50 and 150 people have been working on repairing the fallout from ransomware attack at any given time. The $1 million-plus the state has already spent is more than half the $2 million Gov. John Hickenlooper authorized in an executive order after the hack was detected.


As in other ransomware incidents, the hackers demanded CDOT pay a bitcoin sum in exchange for getting its systems back online. Confident they could restore their data, state officials refused to pay the ransom. (Not all ransomware victims have been as resilient. Hancock Regional Hospital, in Indiana, paid a $45,000 bounty after it was attacked in January.) Simmons declined to say how much CDOT’s hackers asked for, or if state officials have been able to identify where the ransomware attack originated. The FBI has taken over the investigation, she said.

But the ransomware experience has left Deborah Blyth, Colorado’s chief information security officer, with some expertise to lend to other governments that find themselves on the receiving end of the SamSam bug. Blyth has been in communication with her counterparts in Atlanta, Simmons said, advising them on some of the lessons Colorado has gleaned during its ordeal.

One thing officials say the state had going for it was that agencies had thoroughly prepared for such an attack. Last year, the state completed a project called Backup Colorado that included what Simmons called a “segmentation strategy” — spreading critical data across multiple servers so that an entire system can’t be knocked out at once. Simmons said that because of the “comprehensive cybersecurity strategies” included in this project and past investments in security tools, the state was confident it could recover its data and never even considered paying the ransom.

“Out of an abundance of caution, we threw out a plan to do it agency-by-agency, and did it across the board,” Simmons said.

This story was updated on April 11, 2018 to clarify that the state’s segmentation strategy was implemented before the ransomware attack, not after.

Latest Podcasts