A ransomware attack has forced the shutdown of computer systems and websites for Virginia legislative agencies and commissions, including the Division of Capitol Police and the Division of Legislative Services, which is drafting bills and resolutions for introduction in the upcoming General Assembly session.
The attack began on Sunday at the Department of Legislative Automated Systems and has spread to almost all legislative branch websites, except for the Legislative Information System on the General Assembly site. It has not affected executive branch agencies of state government.
“Currently the bad guys have most of our critical systems locked up except for LIS,” Dave Burhop, director of the legislative IT agency, notified the clerks of the Senate and House of Delegates early on Monday morning.
Capitol Police can’t operate its website, but spokesperson Joe Macenka said, “All of our critical communication systems are fine.”
Gov. Ralph Northam has been briefed on the ransomware attack and “has directed relevant executive branch agencies to work quickly to offer any help in assessing and responding to this ongoing situation,” spokesperson Alena Yarmosky said Monday.
Yarmosky said the Virginia State Police fusion center sent a notice of the attack just after 11 p.m. on Sunday. She said the Department of Legislative Automated Systems “is shutting down most of their servers to try and stop the spread and have engaged outside expertise to help.”
The attack involves ransomware that a criminal enterprise implants in critical computer systems to extort money. The governor’s office and Burhop confirmed that the state has received a ransom note, but did not specify its contents.
“The bad guys have left us a ransom note but details are scant and no amount of ransom has been specified yet,” Burhop said in the email to the House and Senate clerks.
Among the agencies affected by the attack was the Joint Legislative Audit and Review Commission, the General Assembly’s watchdog agency. JLARC conducted most of its monthly meeting live online on Monday, but the broadcast ended abruptly around noon as the state tried to limit the scope of the attack.
Senate Clerk Susan Schaar said the Department of Legislative Automated Services is working with the Virginia Information Technologies Agency to address the outage. VITA serves more than 60 agencies in the executive branch of state government.
The Department of Legislative Automated Systems manages the legislative IT sites separately from the executive branch sites, said Yarmosky, the governor’s office spokesperson. “As such, VITA has very little knowledge of the system and security architecture or tools in place to address cyber-attacks.”
Lindsay LeGrand, a spokesperson for VITA, said, “While the commonwealth’s legislative branch systems are not part of the Virginia IT Agency’s technology infrastructure, the VITA team is aware of the legislative system outage and has been engaged to support the response effort.”
The response also includes the IT staffs of the House and Senate, Capitol Police and the Virginia State Police.
“We can’t get much done,” Schaar said Monday.
Mandiant, a cybersecurity firm hired by the state this year, also is involved in the response to the ransomware. A spokesperson for the company said its systems were not affected by the attack.
A ransomware attack on the Colonial Pipeline in May shut down gasoline supplies for most of the East Coast and Southeastern United States for almost a week. The pipeline paid more than $4.4 million to the criminal enterprise behind the attack in order to restore the operating systems for the pipeline.
“We will be considering alternatives such as restoring ... backups, but we believe our backup system may have been compromised as well,” Burhop said.