Cyberattack with ransom demand has disrupted public defenders for weeks

A cyberattack on the agency overseeing public defenders has caused a weekslong slowdown, disabling e-mail systems, delaying some hearings, and hanging up payments for the private attorneys who represent clients.

The Committee for Public Counsel Services has been cleaning up for two weeks after a ransomware attack locked up its servers, with the culprits demanding that a ransom be paid in bitcoin. The agency refused to pay, because it has backup files it can use to restore the system.

But the impact of the attack has nonetheless reverberated through the court system.

“It’s been a burden, but our staff has risen to the challenge, and we are in a day-to-day environment trying to represent our clients as zealously as we [always] strive to do,” Lisa M. Hewitt, general counsel of the committee, said in an interview.

The agency said it does not believe any client data was taken in the attack, which began Feb. 27. But as part of the recovery, the CPCS has had to take its systems offline as it ensures that its servers are free of the viruses that delivered the ransomware. If left in place, the viruses could spread or activate the ransomware again.

On Tuesday, the agency said it could not yet give a timeline for full recovery. Hewitt said the agency has referred the matter to the attorney general’s office for investigation.

In the meantime, the agency is without access to e-mail and other connected services that are crucial in communicating about legal matters. The CPCS has also been unable to process payments for private attorneys representing indigent clients, though it says it is working on a temporary fix.

And a handful of court dates in cases handled by CPCS staff attorneys have had to be postponed, pending the recovery of files affected by the ransomware.

Randy Gioia, who oversees the approximately 300 attorneys on staff in the public defender division of the CPCS, said he believes the number of postponements has been fewer than 100. The unit, the agency’s largest, has about 15,000 cases at any given time, he said.

He said clients who cannot afford an attorney are still receiving the representation to which they are entitled under the law.

Such delays can have a real effect on the people involved in the cases. Jake Wark, spokesman for the Suffolk district attorney’s office, said one proceeding postponed because of the attack was a child rape case set for trial March 25. It will now begin in late May.

“It can be very difficult for any sex assault victim to psych themselves up to testify, only to find that date has been pushed back,” Wark said.

The ransomware attack is only the latest of its kind on a governmental entity:

 Leominster’s public schools paid $10,000 last year for hackers to release its files.

 Colorado’s Department of Transportation was also a victim in 2018.

 And in recent days, Georgia’s Jackson County paid $400,000 to cybercriminals who had used a similar attack to the one that hit the CPCS.

Allan Liska, an analyst who helps clients fend off ransomware attacks for the Somerville cybersecurity firm Recorded Future, said government agencies are attractive targets in part because they have less staffing and fewer protections than other organizations of their size.

“They just don’t have the budget that other types of targets do,” Liska said. “And because they have an obligation to respond to their constituents, they’re more likely to pay.”

To avoid encouraging hackers, Liska added, it’s best not to pay up if there’s any other way to restore affected systems.

The program that hit the CPCS, known as Ryuk, appears to have originated in Russia, Liska said. The CPCS believes it may have been installed using a pair of trojan virus programs that came in through a link or file contained in an e-mail.

Liska said he had not reviewed the attack, but hackers generally use trojan viruses to examine a system so they can figure out what parts to cripple in order to cause the most pain.

Then they activate the ransomware attack, using indecipherable encryption to scramble important files in the hope the victim will agree to pay. It’s like putting a padlock on someone’s door and charging them to use the key.

Because the CPCS had an external backup for its files, its IT team believes it can get practically all crucial data restored without paying.

But before it can do that, it needs to find and eliminate the trojan viruses — and that’s a pricey proposition in its own right.

The organization has hired two contractors to work on the problem, and though Hewitt declined to put a price tag on the work, she described it as a “very expensive unanticipated cost.”

Hewitt said she did not know the amount the hackers originally demanded, but the work being done to strip out any lingering viruses would have been necessary even if the agency had paid the ransom.

Andy Rosen can be reached at andrew.rosen@globe.com.