Investigators work to determine scope of ransomware attack that hit Virginia IT agency

Posted: Dec 24, 2021 / 01:30 PM EST
/ Updated: Dec 24, 2021 / 01:30 PM EST

RICHMOND, Va. (WRIC) – Investigators looking into the ransomware attack on the Virginia legislature’s information technology agency won’t know more about its scope until just after the new year — or at least that’s the hope.

A law enforcement investigation led by Virginia State Police is underway and the agency hit with the attack, the Division of Legislative Automated Systems (DLAS), is performing a forensic analysis.

DLAS teams working to fix the issue are conducting a “meticulous, around-the-clock forensic analysis” of the agency’s systems, servers and all connection points, according to its director Dave Burhop.

“A full forensic analysis generally takes several weeks to complete for a digital footprint that’s the size of our legislative systems and we are hoping to have the initial analysis completed just after the new year,” Burhop wrote in an email to 8News.  

The attack affected the computer systems for Virginia’s legislative agencies and commissions, including the Division of Legislative Services and the Division of Capitol Police. DLAS’ internal servers, including the system lawmakers use to draft and modify bills, were impacted as well.

With the 2022 legislative session set to begin Jan. 12, concern has grown over how the attack may affect operations for state lawmakers. Despite this, legislators have been able to file their bills for the upcoming session.

In a ransomware cyberattack, hackers typically infiltrate a computer network to hold the user’s data hostage by encrypting it and demanding they pay a ransom for the hackers to decrypt the data.  

The cybercriminals who hit DLAS provided a note “but details are scant” and no payment amount was specified, Burhop wrote in an email to the clerks of the Virginia House of Delegates and Senate.

“We will be considering alternatives such as restoring off backups but we believe our backup system may have been compromised as well,” Burhop wrote.  

A cybersecurity firm, Mandiant, worked with DLAS after a “breach this past summer” and is working with the agency on the ongoing investigation. But one expert said it may be too late if the agency’s backups have been compromised by the attack.  

“That’s really the worst-case scenario,” Brett Callow, a threat analyst at the firm Emsisoft, said in an interview.

Callow said ransomware attacks have become more widespread but that he hadn’t heard about ones targeting legislatures. He explained that if a hacker has successfully encrypted a user’s data and their backups, paying the ransom is likely the only option to get the information.