On May 31, 2023, the Illinois Department of Innovation & Technology (DoIT) announced that it had been the victim of a ransomware attack. The attack affected DoIT's systems for file sharing, email, and voicemail. As a result of the attack, some personal information of DoIT employees and contractors was potentially exposed.
What Happened
The ransomware attack on DoIT was carried out by a group known as CL0P. CL0P is a Russian-speaking ransomware group that has been active since 2019. The group is known for targeting government agencies, healthcare organizations, and educational institutions.
In the DoIT attack, CL0P exploited a vulnerability in a third-party file transfer system called MOVEit. MOVEit is a popular file transfer system used by many organizations. The vulnerability in MOVEit allowed CL0P to gain access to DoIT's systems and encrypt files.
How It Happened
The CL0P ransomware attack on DoIT is believed to have originated when an employee clicked on a malicious link in an email. The link led to a malicious attachment that infected the employee's computer with the CL0P ransomware. Once the ransomware was installed, it spread to other computers on DoIT's network.
The CL0P ransomware encrypts files and then demands a ransom payment in exchange for decrypting them. In the DoIT attack, the ransom demand was for 100 bitcoins, which was worth approximately $2.5 million. DoIT did not pay the ransom.
Impact of the Attack
The CL0P ransomware attack on DoIT had a significant impact on the agency. DoIT's systems for file sharing, email, and voicemail were all affected by the attack. As a result, DoIT employees and contractors were unable to access their files or email.
In addition, the attack exposed some personal information of DoIT employees and contractors. This information included names, addresses, Social Security numbers, and dates of birth.
The attack resulted in unauthorized access to, and exfiltration of, a significant amount of data from DoIT's systems. The leaked data included the following:
Names, addresses, and Social Security numbers of state employees
Personal information of state residents, including driver's license numbers, birthdates, and health insurance information
Sensitive financial information, such as taxpayer identification numbers and credit card numbers
The total number of people affected by the data breach is still unknown, but it is estimated to be in the millions.
Investigation and Response
DoIT immediately began investigating the ransomware attack. The agency also engaged a third-party cybersecurity firm to help with the investigation.
DoIT took steps to contain the attack and prevent it from spreading further. The agency also worked to restore its systems.
Conclusion
The DoIT data breach is a serious incident that has had a significant impact on the state of Illinois. The attack has raised concerns about the security of state government data and the ability of state agencies to protect the privacy of their citizens.
In the wake of the breach, DoIT has made a number of changes to its security policies and procedures. These changes are designed to improve the security of DoIT's systems and prevent future attacks.
DoIT is still investigating the attack and working to improve its cybersecurity posture. The agency is also working to help those who were affected by the attack.
Recommendations
The CL0P ransomware attack on DoIT is a reminder of the importance of cybersecurity. Organizations should take steps to protect their systems from ransomware attacks. These steps include:
Using strong passwords and multi-factor authentication
Keeping software up to date
Training employees on cybersecurity best practices
Having a plan in place to respond to a ransomware attack
By taking these steps, organizations can help to protect themselves from ransomware attacks.