The Kokomo-Howard Public Library fell victim to a ransomware attack last year, costing the government entity nearly $5,000.

According to a report obtained through a public records request, a ransomware attack occurred on Sept. 25, and the situation was reported to the FBI. Kroll, a division of the consulting firm Duff and Phelps, was retained to resolve the situation, which shut down the library and its services for a few days in late September.

According to the report, the investigation determined a “bad actor” gained access to the library’s computer systems and deployed a computer code known as ransomware. Ransomware, according to Dr. M. Abdullah Canbaz, an assistant professor of computer science at IU Kokomo, is a piece of code that is deployed to a computer system that, as its name suggests, holds the program for ransom.

The system’s data is collected and decrypted, he said, until the original owner pays the attacker, usually through an online currency system like Bitcoin. According to Canbaz, the user of the program must trigger the “execution” of the ransomware attack, sometimes without the user even realizing what they are doing.

An example, Canbaz said, would be a user receiving an email with an attachment, and that attachment has ransomware embedded into it. Activating that attachment could trigger the attack.

“So somehow the user triggers these executions. Then after that point, you most of the time don’t know that until that code takes over your entire machine,” Canbaz said. “It works behind. It collects the data. Most of the time it decrypts your data so you’re not able to access it all, and then it gives you a warning on your window saying that your system is hacked. And if you want to get your data back, you follow these steps and pay us.”

Based on investigations by the consulting firm, the ransomware the library experienced had “historically and typically been interested in revenue accumulation through ransom payments,” instead of collecting sensitive information, like personal or business data that the library may have in its system.

The firm reported that no personal data, such as patron information, was accessed or acquired by the threat actor.

A negotiation team from the cybersecurity firm Coveware initiated contact with the threat actor, whose initial ransom requested four bitcoin, or approximately $43,000. Coveware was successful in negotiating the number down to 3.36 bitcoin, or $36,000, in exchange for the decryption of the library’s software. The team was able to successfully decrypt the library’s system and fully restore operations.

The report said the KHCPL used its cyber insurance policy to cover costs for the incident. In total, the incident cost the KHCPL $4,848, which was paid out of the library’s operating fund.

Support Local Journalism Now, more than ever, the world needs trustworthy reporting—but good journalism isn’t free. Please support us by making a contribution. Contribute

After restoring services after the incident, the KHCPL implemented a variety of preventative measures, including contracting with a third-party vendor for 24/7 network monitoring.

KHCPL director Faith Brautigam declined to comment on the incident.

House Bill 1169

A new bill, authored by District 30 State Representative Mike Karickhoff, aims to give state agencies and political subdivisions, like cities and counties, a fighting chance against cybersecurity threats like the one that attacked the KHCPL.

House Bill 1169, in essence, would require the Indiana Office of Technology (IOT) to maintain a repository of cybersecurity incidents and require state agencies to report cybersecurity incidents to the IOT through a designated reporting officer. The IOT would develop a list of reputable third-party vendors to work with the offices.

“The layman’s explanation is this,” said Karickhoff. “Somebody tries to break into your neighbor’s house, and you don’t know about it. And the next day, somebody tries to break into your neighbor’s house on the other side of you. Then on night number three, they break into your house. But your neighbor to your right and the neighbor to your left never told you that they had an attempted break-in. You would be bothered by that.

“So the goal here is not to embarrass everybody, whether the security breach is successful or unsuccessful. We’re going to share with those designated security professionals who are reporting the information, what their political subdivisions around them are experiencing. It’s really a first step. It’s a very preliminary first step and what will happen in the coming months and years.”

Karickhoff also referenced a cybersecurity attack that occurred last year in Harrison County. According to the state representative, a threat actor hacked into the county’s phone system and made $6,371 worth of long-distance phone calls. Although the county eventually was refunded the majority of the money through insurance, the threat remained stressful for those involved.

“We’re trying to strike a balance here,” Karickhoff. “Look, every piece of spam email that somebody gets, I don’t care about your spam email. We’re looking for the types of attacks that get into operating systems. We’re looking at the types of malicious attacks that hold systems ransom. We’re looking for, not the nuisances, but the bad actors.”

HB 1169 passed third reading in the Indiana House of Representatives unanimously and has been referred to the Senate.