When Ransomware Attacks

How three libraries handled cyberextortion

June 1, 2018

Your files have been encrypted

On the morning of January 29, a library technician at Spartanburg County (S.C.) Public Library (SCPL) encountered a notice on the library website announcing that its computers had been encrypted with ransomware. The library immediately shut down all computer-related services to quarantine the malware.

County Librarian Todd Stephens says that he and his colleagues suspect the attack came through an infected email message opened by a staff member, though the exact mechanism is uncertain. The anonymous attacker demanded 3.6 to 3.8 bitcoins in payment—then valued at about $36,000.

Ransomware, a form of computer malware that encrypts a victim’s data to extort payment, is one of the fastest-growing computer security threats. In 2017, such attacks cost businesses, individuals, and other organizations an estimated $5 billion, up from $325 million in 2015, according to research firm Cybersecurity Ventures.

And while libraries haven’t been singled out as targets, libraries like SCPL can attest to the logistical headaches that can follow. Much of the library’s day-to-day functioning was seriously affected. SCPL took down its website, public catalog, digital collections, and intranet. Circulation was interrupted, although staff began manually checking out materials with handwritten barcode numbers within a couple of days.

SCPL Coordinator of Systems Chris McSwain says the library had 23 servers that were encrypted to some extent, and many of its client computers were affected as well. The attackers did not capture any sensitive user data: Credit card information used to pay fines is kept by a third-party vendor and wasn’t encrypted, and the library doesn’t keep other sensitive data like Social Security or driver’s license numbers.

The library refused to pay the ransom. “You have no guarantee that what you’re getting back is clean data or hasn’t been replicated,” Stephens explains.

Trouble elsewhere

After losing computer access during a ransomware attack, Brownsburg (Ind.) Public Library processed book checkouts and returns manually.
After losing computer access during a ransomware attack, Brownsburg (Ind.) Public Library processed book checkouts and returns manually.

Brownsburg (Ind.) Public Library was similarly resourceful when it suffered a ransomware attack on June 26. Director Denise Robinson was attending the American Library Association’s Annual Conference when she received a call from staff members who couldn’t log in to their computers. “We think that when the server rebooted to do a Windows update, our SQL database got infected,” Robinson says.  The SQL database operates the library’s integrated system, so patrons couldn’t search the catalog or check books out.

As a stop-gap solution, “we did a lot of creative searching to find books, like using Indianapolis Public Library’s catalog to determine where a requested book would likely be,” and manually circulating books, Robinson says.

After attempting to restore the encrypted systems, the library ultimately paid the attackers’ ransom demands—half a bitcoin, worth about $1,500 at the time. Robinson says the library’s decision to pay the attackers came about because its most recent full backup was three months old. Fortunately, the library received the unlock code only a few hours after it made the payment. Systems were back online within three weeks.

At Hardin County (Tenn.) Schools, which suffered an attack on its library computer network over the 2016–2017 winter break, hackers demanded 1.5 bitcoins—then worth $1,341—with an increase to $1,788 if the demand wasn’t immediately met. “After much research, it was decided that we would not pay the ransom,” says Technology Coordinator Levin Edwards. Instead, the school was able to decrypt some backup files.

That success was only partial, however, as the “backup files were two years old. The librarians had to do their best to update the missing information,” Edwards says. As a result of the attack, students were unable to check out books from the school library for about four weeks.

Lessons learned

It’s likely not possible to prevent ransomware incidents completely. “The attacks are sophisticated and will continue to morph,” Stephens observes.

There are, however, ways to defeat some attacks or mitigate their impact. “Have backups and test them fully—not just that you can restore files,” McSwain advises. Keeping a virtual backup also works, he adds.

SCPL is strengthening its password policies, limiting the use of third-party apps by staff, and auditing its security systems, but it’s also addressing the human side of the equation. “We’re working with staff to be very thoughtful about the emails that come in,” Stephens says. The library intentionally sent a phishing email to staff to learn how they interact with potentially dangerous messages.

In Brownsburg, Robinson says that the library now has enhanced the security precautions in place and that “we do backups every night now” with an offsite backup every 30 days. The library also installed Cylance, an antivirus package that identifies and prevents patterns of activity related to malware.

Robinson says patrons have been understanding and sympathetic, thanks in part to the library’s transparency about the situation. “Sharing as much information as we could really put people at ease,” she says. In particular, the library confirmed that the only personal data it retained were patron names, phone numbers, and addresses—no credit card or Social Security information. And, while the manual checkouts could have provided an opening for unscrupulous patrons to steal library materials, an end-of-year inventory found fewer than 2,000 items unaccounted for—some of which had been weeded anyhow—out of a collection of 100,000.

SCPL also put a priority on communications. The day of the attack, the library posted signs about the shutdown of computers while it assessed the situation. The next day, when it was clear what was happening, the library notified trustees, the county council, media outlets, and its social media outlets. Stephens also used the library’s emergency text notification to provide updates to staff at least once a day for the next week and a half.

Library administration and IT staff also need to be in regular communication, Stephens advises. He and McSwain met three times a day for three weeks during the recovery. One additional piece of advice he offers for the long days that IT staff will face bringing systems back online: “Make sure you buy their lunch.”


digital privacy

How to Protect Patrons’ Digital Privacy

As broadband privacy rules are rolled back, what can libraries do to respond?