Eastside News

Investigation complete in Sammamish ransomware attack

The city of Sammamish said Tuesday that the firm investigating a January ransomware attack on the city has completed its investigation and concluded that no resident or employee data was compromised or stolen.

The firm hired to investigate the incident, LMG, also concluded that the hackers appeared to have accessed the system through phishing tactics.

“The most likely cause, and some of the indicators are pointing to it—it started with an email,” the city’s interim IT director Stephen Schommer said.

Every server that the city had running was encrypted and hackers demanded an amount “under $100,000,” according to Schommer, in return for a key to decrypt it. The city refused to pay.

Scroll down to continue reading

More news from KIRO 7


“The FBI statistically has said about half of the time, when you pay this ransom to get the ability to recover your data, it does not succeed,” Schommer, a cybersecurity expert who came out of retirement to help the city, said. “They take their money and they run.”

Schommer immediately purchased new, top-of-line hardware and software to secure the system, paid for with $200,000 the city had already set aside for cybersecurity. He said the system now scans every email that tries to come through, including its links and attachments, and blocks any dangerous ones. He’s also using geofencing to block any emails from certain foreign countries, including Russia and North Korea.

But when the city looked to restore its backup servers, it found another surprise.

“These bad guys know that cities have back-ups and companies have back-ups,” he said, “and so what they do is they plant these land mines there. So the unsuspecting city [thinks], ‘OK, this is over, we'll restore our servers, we'll get back in business,’ [and] these land mines pop up again two weeks later.”

They were able to quickly deal with and eliminate that malware, he said.

"So the city was able to avoid basically another catastrophic event," KIRO 7 reporter Linzi Sheldon said.
"In essence, yes," Schommer said.

The attack impacted nearly every part of the city's business, aside from police and 911.

“From email to telephones to the city issuing a permit, to a builder or someone who comes in and wants a copy of a plan because they want to modify their house, just everything that we do today,” Schommer said.

He said the city budgeted $40,000 for the investigation, but the city also has cyberinsurance and so some of the costs will be covered by the policy.

In addition to new software and equipment, the city has hired more IT employees and it's continuing special cybersecurity training for employees.

They're all steps Sammamish resident Kayla Bean appreciates.

“It is helpful to know that they're spending the time to make sure that all of our information is secure,” she said, “because we have children and I think that that's important.”

A full report by LMG is expected by the end of the month and City Council is scheduled to vote to take the city out of its state of emergency on May 7.

Sammamish city spokesperson Sharon Gavin said the community showed its support immediately by offering up its skills. When the attack occurred on Jan. 23, the city only had one person dedicated to IT, a number that has since increased to six. Employees from Homestreet Bank, Bothell, Renton, Microsoft, and students from the University of Washington all volunteered to help.

Schommer himself was a volunteer and the city recruited him for the interim IT director job to oversee the enhanced security steps.

Gavin said the city has made an offer to someone who can take on the position permanently.