A municipality in Florida fired its IT director shortly after paying off bad actors who infected its computer systems with ransomware.

Joe Helfenberg, the city manager of Lake City, confirmed to WCJB that the municipality fired Brian Hawkins, who was its director of information technology.

This decision came shortly after Lake City suffered a ransomware attack on 10 June. At that time, the municipality said that an infection from a single crypto-ransomware program known as “Triple Threat” disrupted its email systems and landline phones. But as noted by ZDNet, the attack actually consisted of a multi-stage infection chain. The attack began when an employee opened a malicious email attachment and inadvertently downloaded Emotet onto the city’s network. This malware, in turn, downloaded Trickbot, which led to the deployment of Ryuk ransomware.

Not long thereafter, Lake City decided to meet the attackers’ demands and pay a ransom of $460,000. The municipality’s decision came just days after Riviera Beach, another Florida city, elected to pay $600,000 in ransom following its own ransomware attack.

According to WCJB, Helfenberg was scheduled to update Lake City about the ransomware attack during a city council meeting on the evening of 1 July. The city manager believed at the time of writing that Lake City would use the purchased decryption key to make a full recovery from the attack within a matter of two weeks.

Stephen Witt, mayor of Lake City, clarified that the firing of Hawkins was an important step for the municipality in its work to move forward following the infection. As he told WCJB:

Our city manager did make a decision to terminate one employee and he is revamping [our whole IT] department to comply with what we need to be able [to do] to overcome what happened this last week… so that it doesn’t happen again

The attacks against Lake City and Riviera Beach serve as a reminder for municipalities to defend themselves against ransomware attacks. The best way they can do this is by preventing a crypto-malware attack in the first place. Here are some tips towards that end.