Think Out Loud

Oregon’s Curry County determined to move forward after ransomware attack

By Allison Frost (OPB)
May 19, 2023 11:30 p.m.

Broadcast: Thursday, May 25

An emergency operations center has been set up in the Curry County Courthouse to address the recent ransomware attack.

An emergency operations center has been set up in the Curry County Courthouse to address the recent ransomware attack.

Courtesy of Courthouses.Co

00:00
 / 
12:58
THANKS TO OUR SPONSOR:

Curry County in Southern Oregon is still recovering from a ransomware attack in late April that left it unable to access any of its digital information. County officials say the ability to dispatch 911 calls and run the local special district election last week were unaffected. Commissioner Brad Alcorn says it’s impossible to put a definite timetable on getting the county’s systems up and running again, but he’s hopeful that will happen in the next few weeks. He says the FBI is investigating the entity known as Royal, which is responsible for the attack on Curry County and other local and county governments, including one which targeted Dallas, Texas. Alcorn joins us to tell us what he can about the effects of the attack and how the county is moving forward.

This transcript was created by a computer and edited by a volunteer.

Dave Miller: This is Think Out Loud on OPB. I’m Dave Miller, coming to you this week from Grant County in Eastern Oregon. In just a bit, we’re gonna take you to a cattle ranch in Seneca, but we start in Curry County on Oregon’s south coast. One month ago, county officials there realized something was very wrong. A ransomware attack completely shut off access to all of their computer systems. The FBI is investigating this attack and county officials have been scrambling to get their systems back up and running. Brad Alcorn is a Curry County commissioner. He joins us to talk about where things stand now. Brad Alcorn, welcome.

Brad Alcorn: Hey, good afternoon, Dave. How are you today? And yeah, I’d love to talk to you about this emergency.

Miller: Let’s do it. I’m doing fine, and I am eager to get to it. When did you first hear that something was wrong?

Alcorn: So this was first brought to our attention in the early morning hours of the 26th. When I say the 26th, I’m talking about last month, we’re 30 days in now. In the early morning hours, our dispatch operators tried to access some information and they couldn’t access it. They noticed that it appeared to be encrypted and it was very unusual. So they reached out to our IT folks and our IT folks responded and came down here and immediately recognized that this was likely to be a ransomware attack.

Miller: Can you give us a sense for the county functions that were most affected?

Alcorn: Well, let me try to put it in context this way for you. In the IT world, it’s a Cascadia event. It’s like a Cascadia earthquake here. It has impacted every function of this county and literally wiped away our digital footprint. There is still much we don’t know and we are problem solving and navigating through this every day and every day, we face new challenges, but we are still not up and running and still struggling through this.

We have declared a local state of emergency. If you were in Curry County today, Dave, you would see blue skies, 60-degree weather, a beautiful ocean, our forests here are amazing. We got lots of folks here enjoying our trails. You would never know that we’re having this type of emergency because this is something you can’t see.

Miller: I’m curious about some specifics. I mean, what does this mean for the sheriff’s office, the county jail, the county clerk’s office, people who wanted to buy a house, or sell a house or get a marriage license. Counties do a lot of different things. So, how much of that could actually function?

Alcorn: Very little. Our sheriff’s department is still capable of taking emergency calls. Our dispatchers are hand writing down information and keeping track of that information by hand. We are still struggling to access any of our historical records or documents related to our law enforcement personnel. If you are trying to purchase a home and you’re the buyer and you’ve got your interest rate locked in and you’re trying to close on your house, we can’t do that right now. We can’t record that deed. If you’re selling a house and you’re trying to get that recorded, we can’t close a marriage license.

Miller: So can those things happen? You just can’t actually process the paperwork or the housing deal, the sale literally cannot go through.

Alcorn: It can’t go through because we can’t record it and it’s having a major impact on our mortgage industries here, our title companies, everything. And we will eventually be able to do that, but right now we simply can’t. And we also are not able to access the historical documents that we need to access. We are hopeful to get some of this information back and we have a plan moving forward by hiring some additional personnel to reach out to some of the other organizations that will have that information that we can get it and then reload back into our system, if necessary. But it is a major problem here. I mean, we literally can’t plug in a computer and print a document right now. And we’ve become so reliant on our technology that the impacts are very vast.

Miller: I mean, I’m staring at a computer screen right now that is giving me a lot of information about connectivity to our studio in Portland. You’re connected right now, so how are you even on a computer right now?

Alcorn: I’m on my personal iPad and I’m using my personal hotspot to talk to you today.

Miller: So what about communication within all the different county departments? I imagine, to figure out where everything stands, how to just function even in a super bare bones way. How have you done that?

THANKS TO OUR SPONSOR:

Alcorn: Well, we’ve been doing it by telephone and we’ve been doing it by in person communications. We’ve literally been handwriting some documents, and we’ve been struggling through that. And I also want to point out right now, we are currently in budget and this is the time when all of our counties and municipalities are trying to balance their books and deal with the budget challenges that we face. So that has been problematic. We’ve reached out to the Department of Revenue to get some guidance and we are proceeding at their direction, but it is extremely, extremely difficult.

Miller: So we’ve been focusing on the gigantic challenges in terms of county functioning, but there’s another big issue here, which is the information, not that’s being withheld from you, but that the hackers got access to themselves. Can you give us a sense for the kind of information that’s most worrisome?

Alcorn: Typically, when an attack like this occurs, a ransomware attack - and this particular group refers to themselves as the Royal ransomware group. They are responsible for, I believe it was Dallas, Texas, San Bernardino, Oakland, they’re very active in their attacks. They will typically encrypt your information and then will ransom it with an encryption key. And then they will also tell you that they have taken information from you and then they will threaten to release that information if you don’t pay them. So that’s typically how they work. And then as you start to problem solve this, then you start to look at every server, look at every data file. And then you can kind of assess what actually was taken, what was encrypted, what they have access to. But these are very complicated processes and they’re very time consuming to navigate through.

Miller: There’s also no way to know that you can even trust people who are doing an obviously criminal activity to begin with.

Alcorn: No, absolutely.

Miller: Have they given you an actual ransom request with a dollar amount?

Alcorn: So yes, we did get a ransom request with a dollar amount. And I don’t want to comment right now on what that exact amount was because this is an active criminal investigation by the federal government and there are several other victims that are also dealing with the same issues. So I wanna be careful about that, but there’s a lot of things to consider when it comes to making a decision about paying a ransom. And you’ve got to consider, number one, you’re dealing with criminals. Number two, you may pay for the encryption key and it may not work or they may tell you, ‘well, we’ll give you some of your information back, but not everything. We need more money for that.’ And you don’t know who you’re dealing with.

Most likely these criminals are in another country, they are subject to other rules. We don’t know if they’re actually potentially a terrorist organization and you pay these folks and then, what if you find out a year or two later that your money was used to attack American soldiers or an embassy in another country?

Miller: These are all serious reasons why you might think twice about paying the ransom. I understand you have to be careful now in terms of what you can say. But has the county made a decision yet about whether or not to pay?

Alcorn: Again, I don’t want to comment on the specifics of that, but I will tell you that we are proceeding. We are proceeding as if we will never talk to these folks again. And we will have to rebuild our entire system and recover as much data and re-input that data as possible. And that’s what we’ve been focusing on. We have gotten a tremendous amount of assistance through mutual aid and through our partners at the state and federal level. And we’ve had to go in and start the rebuilding of our network, our servers, our individual computers, reimaging them and reloading our software and that’s why we’re at, I think, day 30 now. And we’re still not up and running; we’re getting close, but we’re still not completely functional at this time.

Miller: Assuming that you stay with this path of rebuilding yourselves, what’s your best guess for the timeline?

Alcorn: Well, right now the hold up is the network. I’m not an IT guy, but right now that’s the most complicated piece to this puzzle, getting that network functional and safe. We’ve also got to implement cybersecurity measures that we did not have in place before and make sure that those are sound and our protocols are solid and our network is stable and safe. And then we can start adding the servers and then once we do that, we can add the individual computers. I know that our…

Miller: If I may interrupt. So when you said adding in cybersecurity measures that weren’t in place before, we only have about a minute left, but it seems like you have identified some deficiencies in the armor in the past?

Alcorn: Yes. And we actually applied for two grants with the state and we were denied those grants and those grants were related to our cybersecurity. Cybersecurity is expensive. But I gotta tell you if you are in charge of any type of government or any type of large business, you should really be investing in your cybersecurity infrastructure for sure.

Miller: Has this made you think twice about our reliance on computers?

Alcorn: Oh 100%. And this is a topic that is ever changing, the technology changes literally every month. And it’s really important to make this a priority and to invest in it. When I woke up on the morning of the 26th, I was focusing on our housing issues. I was focusing on our homeless issues and our funding issues. The last thing on my mind was a cybersecurity attack, for sure.

Miller: Brad Alcorn, thanks very much and best of luck to you.

Alcorn: Thank you. Thank you for having me.

Miller: Brad Alcorn is a Curry County commissioner.

Contact “Think Out Loud®”

If you’d like to comment on any of the topics in this show, or suggest a topic of your own, please get in touch with us on Facebook, send an email to thinkoutloud@opb.org, or you can leave a voicemail for us at 503-293-1983. The call-in phone number during the noon hour is 888-665-5865.

THANKS TO OUR SPONSOR:

Become a Sustainer now at opb.org and help ensure OPB’s fact-based reporting, in-depth news and engaging programs thrive in 2025 and beyond.
We’ve gone to incredible places together this year. Support OPB’s essential coverage and exploration in 2025 and beyond. Join as a monthly Sustainer or with a special year-end contribution. 
THANKS TO OUR SPONSOR: