The potential threat of a ransomware attack became a reality for the St. Louis Public Library on Jan. 19. Hackers took down approximately 700 computers used by both staff and the public in the library system’s central location and 15 branches.
The particular strain of ransomware is unknown, but SLPL staff reported that the attackers demanded a ransom of 38 bitcoins ($34,020 at time of writing) to restore data and software functionality. The attack disabled both circulation and computer booking software, which meant that the public could neither check out materials nor use computers. Libraries were eerily quiet and the SLPL website declared, “Check out and computer services at all Library locations have been suspended.”
When staff arrived at work on Thursday, Jan. 19, their computer desktops were blank except for the recycle bin. One staff member found a ransom note in her computer’s download folder that requested 38 bitcoins to restore all functionality. The same note conveyed that individual computers could be restored for less money. Internet Explorer was the only software that the attack left usable. Presumably, this was to ensure that library management had a way to pay the exorbitant ransom demand.
Ransomware is a type of malicious software that encrypts a computer’s files so that they are unusable until the victim pays a ransom for a decryption key. Depending on the extent of the attack, drives that are mapped to the targeted computer can also be compromised. The attack on SLPL encrypted all data on their hard drives and rendered their circulation and computer-booking systems unusable.
The library decided not to pay the ransom when they learned of the attack. Jen Hatton, a spokeswoman for the library, told the St. Louis Post-Dispatch that the library’s IT department would be able to fix the damage. Businesses and other organizations often pay out of desperation. Fortunately, public libraries have the luxury of shutting down services without the fear of losing out to competitors.
Libraries in the SLPL system were sparsely populated Thursday as most services were rendered inoperable due to the attack. Because staff computers still had access to Internet Explorer, librarians were able to address reference questions on their computers. Patrons still had access to Wi-Fi as well.
By Friday morning, SLPL reported that they had regained control of their server, but still had not restored functionality to material circulation and computer booking services. An SLPL employee reported that IT had to work through the problem “computer by computer” for each of the 700 affected machines.
SLPL is one of the highest-profile targets of a ransomware attack. Because of the extent of the damage, experts believe that the library was deliberately targeted rather than the victim of random phishing emails. SLPL may be one of the largest, but they are not the first high-profile target to be successfully hacked.
The San Francisco Municipal Transportation Agency fell victim to a ransomware scheme that forced them to freeze their ticket kiosks and give free rides. They chose not to pay the ransom and voluntarily shut down public kiosks to minimize potential damage. The SFMTA maintains that no customer or staff data was compromised, though 900 office computers were impacted.
Other large institutions have chosen to pay ransoms to minimize the impact of attacks. Hollywood Presbyterian Medical Center, the University of Calgary, Carleton University, and the Melrose Police Department all suffered attacks and chose to pay the ransom to restore their data and operability. Experts warn that paying attackers can embolden them to make more attacks.
The major attacks of the last year have proven that ransomware is a very real threat to organizations big and small. Backing up data, not clicking on suspicious links and attachments, and updating software are good ways to avoid falling victim. For the time being, ransomware attacks appear to be the price of doing business on an open internet.