
In November 2022, Washington County, Maryland, fell victim to a ransomware attack during the Thanksgiving holiday; the attackers exploited vulnerabilities in outdated software. The attack disrupted government operations, resulted in significant financial losses, and prompted an overhaul of the county’s cybersecurity framework. The incident came a year after federal authorities warned about increased cyber threats during holidays, underscoring the risks faced by public institutions. Finally, after several years and multiple Public Information Act requests, what actually happened, and the total costs, are being disclosed to the public.


In November 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued an alert warning that cybercriminals were increasingly targeting holidays and weekends for attacks. Though no specific threats were identified, the warning proved prescient as 2021 saw a rise in major ransomware incidents. These trends culminated in the Washington County breach, where attackers gained internal access to IT systems by exploiting a vulnerability in the Log4j library of a remotely accessible, outdated server.

The legacy server was essential to maintaining older infrastructure and could not be easily upgraded or replaced due to business continuity concerns. Attackers used the Log4j vulnerability to escalate privileges, breach the server, and infiltrate the county’s backup systems, ultimately obtaining credentials to access broader systems.

The Log4j vulnerability, commonly referred to as Log4Shell, is a critical security flaw discovered a year prior in late 2021 in Apache Log4j, a widely used open-source logging library for Java-based applications. The vulnerability is officially designated as CVE-2021-44228. It allows attackers to execute arbitrary code remotely on systems using vulnerable versions of Log4j, potentially taking full control of affected systems.
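For defenders inventorying legacy servers like the one described here, the following added example (not part of the original article or any county tooling) shows one way to find log4j-core builds in the range published for CVE-2021-44228, including copies nested inside WAR/EAR files. The `scan` and `make_jar` helpers and the archive names are assumptions for illustration, and the sample jars are constructed in memory.

```python
import io
import re
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear")  # archives that can embed other jars

def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def affected(v):
    """CVE-2021-44228 range: 2.0-beta9 to 2.14.1, minus the 2.3.1+ and 2.12.2+ backports."""
    if v[0] != 2 or v >= (2, 15, 0):
        return False
    backport = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2)}.get(v[:2])
    return backport is None or v < backport

def scan(data, path="<archive>"):
    """Recursively scan archive bytes; return [(path, version, verdict), ...]."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        names = sorted(zf.namelist())
        if JNDI in names:  # a jar with the lookup class stripped is not reported
            v = parse_version(zf.read(POM).decode("utf-8", "replace")) if POM in names else None
            verdict = "unknown-version" if v is None else "affected" if affected(v) else "not-affected"
            findings.append((path, v, verdict))
        for n in names:
            if n.lower().endswith(NESTED):
                findings += scan(zf.read(n), f"{path}!/{n}")
    return findings

def make_jar(version=None, jndi=True, nested=None):
    """Constructed in-memory stand-in for a jar/war (sample data, not a real artifact)."""
    members = dict(nested or {})
    if version:
        members[POM] = f"version={version}\n"
    if jndi:
        members[JNDI] = b""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, blob in members.items():
            z.writestr(name, blob)
    return buf.getvalue()
```

The check covers only this CVE's published range and relies on Maven metadata being present in the jar; anything reported as `unknown-version` needs manual review.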

Although the server sat behind a VMware security gateway, the intrusion was not prevented. From there, the attackers exfiltrated sensitive files and encrypted the county’s network, including critical backups, disabling operations across multiple departments.

The attack forced the county into negotiations with attackers, culminating in an $850,000 ransomware payment by the County’s insurance provider to secure a decryption key. Critical systems were restored within three days, but full recovery across all systems took approximately a week.


Radio Free Hub City delivers Hagerstown news that matters the most.

To address the vulnerabilities exposed by the breach, Washington County decommissioned compromised systems, including the outdated server, and transitioned to a modern cloud-based infrastructure. Enhanced endpoint protection was deployed across all devices, and remote access methods were restricted to minimize exposure. The county also implemented stricter security policies, including device compliance checks and advanced anti-phishing email detection systems. Legacy software is being reevaluated for modernization or retirement to prevent similar exploits.

Financially, the attack left a lasting impact. The county submitted claims to its cyber insurance provider, Travelers, for the ransom and associated recovery expenses. While the insurer covered $1,155,308.91, including the ransom, only $56,704.91 of an additional $467,494.22 claim was reimbursed. Taxpayers bore the remaining $410,789.31 in unreimbursed costs, which included $84,069.28 for cloud migration, $80,802.99 for telecommunications, and $214,097.07 in miscellaneous expenses.

The incident also resulted in higher cyber insurance premiums and reduced coverage. During the 2022–2023 policy period, the county increased its aggregate limit from $2 million to $3 million, which helped during the recovery. However, for the 2023–2024 period, the county faced a $60,041 premium (up from $50,320) for just $1 million in coverage (down from $3 million), reflecting broader challenges in the cyber insurance market, as well as the county being classified as higher risk due to the 2022 incident.

The attack highlighted the importance of proactive measures to counter evolving cyber threats. Since the breach, Washington County has invested in a cyberattack detection platform designed to identify and mitigate threats in real-time. Endpoint protection and system monitoring have been enhanced, and plans are underway to modernize legacy infrastructure fully. These measures are intended to safeguard against future attacks while maintaining operational resilience.

On January 8, 2024, Washington County notified 15,928 individuals of the compromise of their personal information, and provided credit monitoring and identity theft protection services for impacted individuals. The cost of this service is not immediately available. Compromised information included names, contact details, Social Security numbers, driver’s license or state identification numbers, passport numbers, financial account information, medical details, and health insurance information.

Washington County’s experience serves as a stark reminder of the persistent threats posed by cybercriminals and the critical need for robust cybersecurity in public institutions. Hopefully, with enhanced cybersecurity measures now in place, the county’s risk of such a widespread attack impacting operations will be significantly reduced.

Article by multiple RFHC contributors.

Associated documents for this story are available in our Public Information Archive.

