Two small towns in Maryland appear to be the first local governments known to be affected by the REvil ransomware attack against the software publisher Kaseya, as the compromise of one the company’s products has spread downstream.
The towns of Leonardtown and North Beach, both located along the Chesapeake Bay, both confirmed this week their computers and networks had been disabled, with some municipal services disrupted. In North Beach, town staff said they became aware of network issues at around 12:30 p.m. last Friday, about the time news of the Kaseya incident was unfolding.
“After making contact with our IT service provider, town staff took immediate action and shut down the network server and all workstations,” read a town press release. “By Friday evening, it was determined that the Town of North Beach was impacted by a ransomware attack. The attack originated through a third-party software, known as Kaseya, installed on the town systems and used by our IT service provider to remotely manage computer systems.”
The notice told residents of the roughly 2,000-person community that its water system, phone system, backup server and website were unaffected. Officials there also said there’s no indication yet that any data was stolen, but that the incident is still being assessed. REvil, like many ransomware syndicates, often snatches its victims’ data and threatens to release it if a demand is not paid.
In Leonardtown, which experienced a network outage around the same time as North Beach, the ransomware attack delayed the distribution of quarterly utility bills to the town’s roughly 2,900 residents, according to a press release Tuesday from Laschelle McKay, the town administrator. Residents are also unable to access the town’s online payment site.
“Everything shut down,” McKay told the Washington Post.
Hackers behind the global ransomware strike went after Kaseya’s VSA platform, which is used around the world by managed service providers, which in turn support organizations — like small businesses and local governments — that outsource their IT functions. Ransomware attacks that go after MSPs can have downstream effects, as in August 2019, when nearly two dozen communities across Texas suffered a simultaneous cyberattack.
Neither Leonardtown nor North Beach have IT staff of their own, and officials at both towns said they have no direct vendor-client relationship with Kaseya.
Leonardtown gets its IT services from a company called JustTech, which is based in La Plata, Maryland, and claims about 3,000 clients for its managed IT and print services across the mid-Atlantic region.
North Beach officials said they expect their computer systems to be restored in about a week. McKay, the Leonardtown administrator, told StateScoop that JustTech restored the town government’s internet service Thursday morning, and that its systems, including utility billing, should be operational again within 24 hours of that.
McKay’s note Tuesday stated that “no ransom will be paid.” The REvil hackers demanded a global ransom of $70 million in cryptocurrency from the universe of victims, a group that also includes a Swedish supermarket chain and schools in New Zealand.
Kaseya said Tuesday that it believes about 1,500 organizations worldwide have been affected by the ransomware attack.