Edcouch server hit by ransomware

Shown is a portion of the ransom note seen on Edcouch city computers after a recent data breach. Courtesy photo

EDCOUCH — City officials confirmed last week that the city’s computer server was infiltrated by hackers and held for ransom in the form of a cryptocurrency known as Bitcoin.

The data breach, known as ransomware, occurred approximately two weeks ago, City Manager Hugo de la Cruz explained during a city council meeting last Thursday. He added the incident may be connected to an ongoing investigation into billing irregularities at the city’s water department.

“Somebody hacked into our system and they encrypted all the data and it looks like they went after the water files, from what I gather, and from what the IT gentleman that comes and works for us gathered,” de la Cruz told the council.

“They were asking for eight bitcoins, which comes out to about $40,000,” he continued.

The attack began over a weekend, when the city’s phone lines went down, the city manager explained after the meeting.

The city’s computers and telephone systems are all connected to one central server. Phone service was restored, but when city staff showed up for work the following Monday, their computer screens were filled by a ransom note, de la Cruz said.

The note warned against resetting or shutting down the computers, or attempting to use recovery software. Instead, it directed the reader to follow a link to install a Tor browser and access a site where payment could be remitted and where the city could obtain decryption instructions.

Originally developed by the U.S. military, Tor — or “the onion network” — is part of what is called the darknet. It allows users to browse the internet anonymously.

Today, Tor networks are used both by people who want online privacy and by those who wish to conduct clandestine business. Such networks have been used for drug and human trafficking, and also for ransomware, such as that targeted at the city of Edcouch.

De la Cruz contacted investigators at the Hidalgo County Sheriff’s Department, who advised him to contact federal law enforcement.

“We made a phone call to the sheriff’s office, who led us to the FBI, who led us to Homeland Security,” he said. The hack is currently under investigation, he said.

The FBI advised de la Cruz to format the city’s computer systems, which involved every individual work station at city hall.

Though the city has a state-of-the-art central server — what de la Cruz called “overkill” for the needs of a small community like Edcouch — it was not equipped with any safeguards, such as a backup system or data security software.

As a result, when staff purged the server, a significant amount of data was lost, particularly the water department files.

Earlier this spring, de la Cruz — who was hired as city manager in January — uncovered a staggering discrepancy in the water department’s billing: some $650,000 in lost collections stemming from nearly half of the city’s 1,000 water accounts being improperly billed, as well as from delinquent accounts.

Too, approximately half of the water meters were working improperly, de la Cruz said.

The problem stretched back four years, to when the city’s water meters were replaced with smart meters in 2015.

As de la Cruz continued to delve into the water department irregularities this spring, he discovered a “ghost meter” that was not registered on the city’s meter system or its billing system.

The discovery ultimately led to the arrest of former City Manager Eduardo Gonzalez and former water department supervisor Erica Saenz last month.

At the time, de la Cruz said he was continuing to investigate the faulty meters and billing issues. Just a few weeks into that investigation, the ransomware attack occurred.

The city manager said it’s too coincidental that the primary target of the data breach appears to be the water department.

“I can’t really rule out that this computer breach had something to do with the actual investigation that we are currently conducting,” de la Cruz told the council.

He wondered at the timing of the attack. “Why Edcouch? Why now? So those are the questions that really come up,” de la Cruz said after the meeting.

Though the server had to be reset, all was not lost, the city manager said. The city still has hard copies of water department records from before the breach. “This is the data that I believe is important to us,” he said.