Overview
Yuba County is a rural county in Northern California. It runs a number of departments concerned with health and public safety, including the Sheriff's office, which operates 911 dispatch for fire and ambulance services, and the health department, which manages COVID-19 testing, contact tracing and vaccinations. All are vital services for the citizens of Yuba County.
Paul LaValley, former CIO for Yuba County, oversaw a team of 16 people responsible for providing a dependable, always-on infrastructure for the community's safety and livelihood. Driven in large part by the pandemic and the increased prevalence of remote work, ransomware attacks are on the rise and have become a lucrative business for cybercriminals.
“When we were hit by ransomware in February 2021, it could have been a debilitating disaster for the county; however, one of the few moments of satisfaction during weeks of discomfort was knowing that Rubrik was backing up our data and that we wouldn’t have to pay the ransom for data recovery,” LaValley remarked.
Challenges
- Attack initiated through an infected PC
- Kerberos issues behind AD servers
- ~50 PCs and 100 servers encrypted
Results
- $0 paid in ransom
- 100% of backups recovered within 7 days
- 90%+ management time savings
- Near-zero RTOs
Business Transformation
- Yuba County not only strengthened their DR strategy with Rubrik, they survived a ransomware attack
- 100% of their backups were able to be recovered
- Did not have to pay the ransom for their data
Challenges
DoppelPaymer, Dridex, IcedID, Oh My!
Yuba County confirmed they were hit with ransomware when a DoppelPaymer ransomware note showed up on several servers and PCs. “By the time we got to it, it had encrypted roughly 50 PCs and 100 servers,” LaValley described. Prior to this, there were several indications that they were compromised.
“First, we noticed there were Kerberos issues behind our Active Directory (AD) servers, which prevented them from communicating. Later that evening, a GPO push occurred and an enterprise AD admin account was created. We knew through forensic analysis that Dridex, Cobalt Strike, IcedID, as well as PowerShell scripts were all used for portions of the attack. Based on that, we realized our compromise was a Kerberos attack, traditionally called a Golden Ticket attack, which was used to compromise AD and enable and deploy ransomware encryption on multiple machines,” added LaValley.
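Two of the indicators LaValley lists, a new account that is promptly granted enterprise-admin membership and a Group Policy object being modified, are visible in exported Windows Security events before any ransom note appears. The following is an added illustration of flagging them; it is not part of the original case study and is neither Yuba County's nor Rubrik's code. The event IDs are the standard Windows Security log IDs, while the JSON field names and the sample events are constructed for this example.

```python
"""Flag privileged-group additions and GPO edits in exported Windows Security events.

Added example: field names ("time", "event_id", "subject", "target", "group",
"object_class", "object_dn", "attribute") are this example's own flattened
schema, not a Windows or SIEM export format. Sample events are constructed.
"""
import json

# Standard Windows Security log event IDs:
#   4720  a user account was created
#   4728  a member was added to a security-enabled global group (e.g. Domain Admins)
#   4756  a member was added to a security-enabled universal group (e.g. Enterprise Admins)
#   5136  a directory service object was modified; Group Policy edits carry
#         ObjectClass = groupPolicyContainer
ACCOUNT_CREATED = 4720
GROUP_ADD = {4728, 4756}
DS_OBJECT_MODIFIED = 5136

PRIVILEGED_GROUPS = {"Enterprise Admins", "Domain Admins", "Schema Admins", "Administrators"}

# Constructed sample export, one JSON object per line (not Yuba County's logs).
# Line 1 is routine helpdesk work; lines 2-4 mirror the sequence described above.
SAMPLE_EVENTS = """\
{"time": "2021-02-05T20:14:02Z", "event_id": 4728, "subject": "helpdesk1", "target": "jsmith", "group": "Sales"}
{"time": "2021-02-05T22:41:17Z", "event_id": 4720, "subject": "svc-backup", "target": "admin-svc2"}
{"time": "2021-02-05T22:41:31Z", "event_id": 4756, "subject": "svc-backup", "target": "admin-svc2", "group": "Enterprise Admins"}
{"time": "2021-02-05T22:58:09Z", "event_id": 5136, "subject": "admin-svc2", "object_class": "groupPolicyContainer", "object_dn": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example", "attribute": "gPCMachineExtensionNames"}
"""


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (severity, message) findings, in time order.

    - Any addition to a privileged group is 'high'.
    - If the added account was created earlier in the same export, escalate to
      'critical': create-then-promote is the pattern of an attacker minting
      their own enterprise admin rather than an onboarding mistake.
    - Any modification of a groupPolicyContainer is 'high', since a GPO push is
      how encryption or tooling gets deployed to every machine at once.
    """
    findings = []
    created = {}  # account name -> creation time
    for e in sorted(events, key=lambda ev: ev["time"]):
        eid = e["event_id"]
        if eid == ACCOUNT_CREATED:
            created[e["target"]] = e["time"]
        elif eid in GROUP_ADD and e.get("group") in PRIVILEGED_GROUPS:
            severity = "high"
            msg = f'{e["subject"]} added {e["target"]} to {e["group"]} at {e["time"]}'
            if e["target"] in created:
                severity = "critical"
                msg += f' (account created at {created[e["target"]]})'
            findings.append((severity, msg))
        elif eid == DS_OBJECT_MODIFIED and e.get("object_class") == "groupPolicyContainer":
            findings.append(("high", f'{e["subject"]} modified GPO {e["object_dn"]} '
                                     f'attribute {e["attribute"]} at {e["time"]}'))
    return findings


def run_sample():
    """Run the detector over the constructed sample export."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity.upper()}] {message}")
```

On the sample, the helpdesk addition to "Sales" produces nothing, the create-then-promote pair produces one critical finding, and the GPO edit one high finding. In practice the same logic would be fed from the domain controllers' Security logs (for example via a SIEM or Windows Event Forwarding), and a critical finding on Enterprise Admins after hours should page a human, because at that point the attacker already has what they need to push ransomware through Group Policy.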
As soon as we were notified of the attack, Rubrik’s support team engaged us and prioritized our recovery efforts.
Solution
Ransomware Survival Kit Fit for the County
How did Yuba County respond? In multiple phases: “In the initial 24 hours, we disconnected all servers, backed up files, disabled admin accounts, and reset passwords,” LaValley explained. “The next step was restarting the department and user notifications. We communicated to department heads, county management, and users what was going on. This included the FBI and various California state agencies, in particular the California Office of Emergency Services. Additionally, we blocked all inbound and outbound network traffic outside of the US.”
With Rubrik, Yuba County was able to accelerate its ransomware recovery with just a few clicks and restore from the most recent clean snapshot. “Backups are one of the most, if not the most, important defenses against ransomware. Rubrik’s file system was built to be immutable, meaning backups cannot be encrypted or deleted by ransomware. I am very fortunate to say that 100% of what we had on Rubrik we were able to recover with LiveMount since 90% of our servers are virtualized,” LaValley stated.
What initially drove Yuba County to adopt Rubrik was the need for a different type of DR. The DR strategy they had in place was for the typical flood or earthquake, unfit for modern-day threats, especially ransomware. “Rubrik saved our data during this sensitive time thanks to its immutability, MFA, and retention lock. Understanding the hackers were in control of AD, Rubrik ensured we cleared AD of anything tied to Rubrik, building an immutable protected vault,” explained LaValley.
“Needless to say, I learned a lot through this process. I can sleep better at night knowing we have systems in place to impede either a recurrence or another ransomware attack,” LaValley remarked.
The Results
- $0 paid in ransom
- Near-zero RTOs
- 100% of backups recovered within 7 days
- Recoverable isolated backups
- 90%+ management time savings (26 days of productivity back)
- World-class support