Cyberattackers hit Travis appraisal district's site

The Travis Central Appraisal District is working with cybersecurity experts to determine who or what is behind a cyberattack that shut down access to the district's website for a week, Travis Chief Appraiser Marya Crigler said Thursday.

Crigler said there is no evidence that any data, confidential or otherwise, was breached during the attack, which involved a ransomware virus. She also said there is no evidence that the virus "propagated to other systems."

The attacked occurred about 9:30 p.m. Sept. 11, she said. As of Thursday morning, most of the website's functions had been restored, Crigler said. Secondary computer systems will be restored in the next day or two, she said, and the district is working with cybersecurity experts and state agencies to identify the parties responsible for the attack.

"The sole purpose of the cyber-attack was to encrypt and lock district files to hold them hostage for ransom," Crigler said in a written statement. "The district did not pay any funds to decrypt our files."

Crigler said the district is continuing to work with cybersecurity experts "to identify the parties responsible for the cyber-attack and to implement future preventative measures."

In a phone interview, Crigler said a ransom amount was not specified in the initial request. The ransom demand came in the form of a "pop up" — a window that opened on a computer screen as the district's information technology staff worked on the cyberattack issue.

"It said 'your files have been encrypted,' and told us to send an email to an email address using a code to (unlock) our files, and we would have to pay for it in bitcoin," Crigler said. Cybersecurity experts say bitcoin — a type of cryptocurrency — is a preferred method of payment in ransomware attacks.

"Confidential property owner information was not at risk during this incident,” Crigler said. The district's data in some cases might include property owners' dates of birth, driver's license numbers, phone numbers and email addresses, she said.

She said daily operations, including appraisal protests and customer service, are not being affected.

Crigler said the district "maintains comprehensive backup data at secure off-site locations that were used to restore files and computer system services."

The incident comes after a cyberattack last month in which computer systems in 22 mainly rural Texas towns were infiltrated by hackers who demanded a collective ransom of $2.5 million to unlock files.

Crigler said it's unclear if the appraisal district's hack is related to that attack.

"While the district cannot say what variant of ransomware the other local government entities were infected with, the two incidents are similar in that they are both ransomware attacks on local government entitles where funds were demanded for a decryption key to release the government data," Crigler said.

Texas Department of Information Resources spokeswoman Christi Koenig Brisky said her agency is working with the appraisal district on its incident "by providing subject matter guidance and contract resources" but could not comment further "because this is an ongoing event."

She said ransomware attacks are becoming more frequent.

"These are typically financially motivated crimes," Brisky said in an email. "Paying the ransom incentivizes bad actors to attack other entities. Ransomware attacks are likely to continue so long as they remain profitable for attackers."

Recorded Future, a cyberthreat intelligence research firm, has found that the number of ransomware attacks targeting local and state government are growing. According to Recorded Future, there have been at least 169 examples of hackers infiltrating government computers since 2013, and more than 60 instances this year.

Michael Shultz, president and CEO of Austin-based Cybernance Corp., said the attack on the appraisal district "is an indicator of how serious this situation is for every organization that has embarked on digitalization of records" along with internet access to internal business systems — a combination that has created "a fertile area for criminals."

"Imagine if the local school district was a victim. The records of 12 years of academic experience for 84,000-plus students could be lost, maybe forever," Shultz said. "The school district is just a small example of the havoc that could befall many, many companies and organizations."

Brian Calkin is chief technology officer for the Center for Internet Security Inc., a nonprofit that works to protect private and public organizations against cyberthreats and has developed best practices for securing IT systems and data.

"Most, but not all, ransomware attacks are opportunistic in that the attackers are essentially casting as wide a net as possible and catching whomever they can. ... Nearly all can be mitigated by following good cyber hygiene such as keeping your systems securely configured and up-to-date, providing user awareness training, and performing regular system backups to restore from, should you need them," Calkin said.