Tribe pays ransom as work continues in rebuilding of the network

by Jan 10, 2020Front Page, NEWS ka-no-he-da





The Tribal IT Department of the Eastern Band of Cherokee Indians (EBCI) and the many tribal programs are still dealing with the aftermath of a network cyber-attack that occurred on Dec. 7, 2019. 

Principal Chief Richard G. Sneed and EBCI Information Technology Director Bill Travitz provided insight into the ongoing rebuild of the network, clean up and retrieval of program data in a recent One Feather interview. 

Both Chief Sneed and Travitz were reluctant about discussing timelines for a return to “normal” IT operations. Travitz stated that the IT staff is working long hours and outside experts and outside technology suppliers are being consulted and engaged. 

Due to the need for protecting the network from further attack and to preserve potential evidence in tracking down the source of the attack, tribal administration is not releasing specifics with regard to what was done to the network, except to say that it was a very specific type of ransomware with a distinct signature or way of operating to encrypt files. 

The One Feather asked Chief Sneed to re-clarify who within the tribal organization was impacted by the ransomware. He spoke about the Cherokee Indian Hospital being one of the safe areas. “The hospital is completely unaffected because they are not on our network at all. They are stand alone,” Chief Sneed stated. 

The EBCI Office of Budget & Finance was impacted; however, they had a crisis protocol in conjunction with Tyler Munis that allowed for a back-up to be available to expedite the continued access to certain data. While things were being put in place to continue operations at Finance, there was little to no disruption on the client end of Finance. 

Travitz said, regarding the tribal network, “We’re starting from the ground up.” 

All the servers and other devices that the network services, the “core infrastructure”, have been “detached” from the fiber optic highway that interconnects the tribal computers and those computers with the outside world. 

Travitz stated that a new core infrastructure is being created from scratch because any hardware affected or infected by the ransomware cannot be trusted and the Tribe does not want to put questionable elements from the old infrastructure onto the new. 

Travitz concurred with Chief Sneed’s previous statement concerning the Tribe’s data. He said that it is a fact that the data that was on the old infrastructure is “safe”. 

“When you have ransomware attach, what it does is run around and encrypt the data,” Travitz noted.  “If you are using the right encryption, it is like the NSA did it. Without the keys, you’re not getting (the data) back. And, it was a very sophisticated attack. Each machine was encrypted with a different key. And, that key was sent back to a command and control structure that the hackers have. Each computer has a public key and a private key. They had a database of every computer – our workstations, our servers, everything that was on our network that says this key belongs to that computer. So, they can build you what is called a universal decrypt tool, which is what we paid the ransom for. So, we went around to all of our machines and decrypted all the machines, which gets our data back.”

The United States Department of Homeland Security says that ransomware “is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.” 

The ransom amount paid by the Tribe was not discussed; however, Travitz did indicate that the ransom was paid by insurance. Chief Sneed did not refer to payment of ransom. He did indicate costs related to the recovery from the cyber-attack were being paid from a cyber-attack insurance policy. 

While the Tribal IT department has all the data, it is not available to the Tribe, yet. Travitz was not able to say when that data will be available. Between preserving evidence, creation of the new core infrastructure, spinning up new devices for the server farm, synchronizing accounts to ensure that critical connections to certain cloud storage and email accounts are not broken, Travitz said it would be difficult to tell. 

Some of the processes moving forward include extracting the data from the old hardware and environment, scanning it for safety, then getting it onto the new network. He says he basically has three teams working three key areas of recovery. “I have a team working on the workloads. I have a team working on the documents. And, I have a team working on the PCs (personal computers or workstations). And, they are moving forward simultaneously.”

While there is a planned order of getting tribal programs back in working order, it is not detailed out to a prioritized list of individual programs. Travitz says that life safety is number one (Emergency Medical, Fire, Police, and Justice). 

He said he wouldn’t discuss the current status and structure of the new network. Travitz said that bad guys look for information on systems to be released in a place where they can find the weaknesses and find their way in. 

He said, “Rest assured that the way that the old network was is not how it is going to be.”

Chief Sneed said that this could have been worse. “We were very fortunate that this was caught in a timely manner. We were very fortunate that our Secretary of the Treasury Cory Blankenship, had the foresight two years ago to buy a cyber-security insurance policy, which prior to two years ago, we never carried that type of insurance. So, all of the costs that have been incurred or will be incurred as a result of this are all covered by insurance. We are going to emerge from this in much better shape as far as cyber security goes, network efficiencies, and best practices. Things that were in planning for the next six months to a year are happening very rapidly now.”