Ransomware Attack Brings Unknowns For GT County, City of TC
By Beth Milligan | June 13, 2024
What was initially described as a “significant network disruption” and later confirmed as a ransomware attack hit Grand Traverse County and the City of Traverse City Wednesday, interrupting services, shutting down court proceedings through Friday, and impacting internal city and county functions.
Grand Traverse County, which manages IT for both the county and city, shut down its network early Wednesday morning after a software application used by Grand Traverse County 911/Central Dispatch stopped working correctly. After employees contacted IT for assistance, a tech support evaluation identified a “potential threat,” County Administrator Nate Alger says. IT and administrative leaders agreed to take the county-city offices network offline as a precautionary effort while continuing to evaluate the incident. Several hours later, tech professionals identified the incident as a ransomware attack.
Ransomware is a “type of malicious software cyber actors use to deny access to systems or data,” according to the U.S. Department of Justice. “The malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted.” Data can also be leaked or shared online after ransomware attacks. In April, a ransomware attack on Traverse City Area Public Schools (TCAPS) forced the district to close school for two days and eventually led to sensitive employee data being leaked online.
Alger says “Read Me” emails, folders, and files started popping up after the county incident with a ransom demand linked to a URL. He says that as far as he knows, no one “touched the URL.” The county and city are now working with law enforcement – including the FBI – on what is being treated as a criminal investigation, Alger says. Insurance adjusters, legal counsel, and outside IT experts are also assisting. Alger says evidence has not surfaced yet of any “mass transfer of data” out from the county-city network to an external source, but says it’s too early to determine whether any sensitive data has been compromised.
The network shutdown meant most county and city employees could not use the municipal Internet Wednesday, instead working off mobile hot spots or their own cell phone signals to check emails and conduct business. IT will be completing evaluations of individual employee computers before they can be used again, Alger says. An internal memo circulated by County Deputy Administrator Chris Forsyth advised employees to “not open or try to use your computer until IT staff tests it and gives you permission to use it.”
While essential services are continuing, those reliant on network connectivity have been impacted. Emergency services – including 911, law enforcement, and fire operations – are fully up and running. Grand Traverse 911 set up a new temporary number for non-emergency calls (231-480-0024). Officials are asking residents to temporarily halt in-person payments at the county and city treasurers’ offices, noting any late payment penalties will be waived. Online payments can still be processed, as those are routed through separate third-party platforms, and the county and city websites are still live.
However, services like those provided by the county and city clerks’ offices and register of deeds office are impacted. Both 86th District Court and 13th Circuit Court are also seeing impacts, including some cancelled court dockets. However, Zoom is being used for other proceedings, and emailed, mailed, and faxed court filings can still be received. Traverse City Light & Power runs on its own network and is not affected, according to City Manager Liz Vogel.
Both Alger and Vogel say it’s unclear how long the shutdown will continue. Another IT briefing is planned with administrators at 9am today (Thursday). Alger notes the ransomware attack has blocked county and city access to some programs and services, while others may be too dangerous to access until the full scope of the attack is understood. “They’ve frozen certain data points unless we pay money,” Alger says, adding the county is working with its liability provider on how best to proceed. Vogel and Alger say the county and city are collaboratively addressing the incident, with both municipal IT directors involved. “Because we work so well together, we were able to make critical decisions early on to prevent it from getting worse,” Vogel says.
The ransomware attack follows an April spear phishing attack on Grand Traverse County that was thwarted by security software and staff. In that incident, emails were sent to dozens of employees that appeared to be genuine internal emails from other staff but had an external URL attached. Advanced cyber security software the county purchased in 2022 – a $57,600 annual subscription – stripped the emails of the URL so “nothing could happen to our system,” Alger said at the time. While it was an “all hands on deck moment” for IT staff, the attack was successfully thwarted because of the county’s investment in security, Alger said.
Both Alger and Vogel credit several years of significant county and IT upgrades in making the municipalities less vulnerable to cyber attacks – though they acknowledge such incidents remain on the rise from increasingly sophisticated actors and are a reality both public and private organizations must face. In 2016, an audit identified several critical security risks in the county and city technology systems. Since then, officials have worked to steadily modernize and enhance the governmental IT systems, including a nearly $4 million project approved by county commissioners in 2021 to upgrade the county’s software technology. “We’ve taken strides the last five years to make sure our infrastructure is as robust as possible...because we know it’s not if something like this happens, it’s when it happens,” Alger says.
Vogel agrees, pointing to big cities and organizations that have been “blackmailed for millions of dollars” through ransomware attacks, calling it a cycle that likely “will never stop.” And while a post-attack debrief could include conversations about whether the county and city should continue to share the same networks – which poses vulnerability challenges but also allows county and city employees to work in the same building and better collaborate to serve residents – the primary focus will likely be on improvements to better defend against the next attack.