Ransomware affecting core services
Tax, permits, utility billing, and court scheduling encrypted on the same morning.
The scenario
On a Monday morning your finance, permitting, and utility billing systems all return errors. A ransom note is on an admin workstation. Residents are calling. Council meets Wednesday.
Who this is for: CAO, IT lead (or contracted MSP), department heads for finance, clerks, and public works.
First steps
- 1. Isolate, don't unplug indiscriminately (First hour)
Disconnect affected systems from the network at the switch — keep them powered on. Memory state matters for forensics. Do not wipe or reimage anything yet.
- 2. Convene a 4-person bridge (First hour)
CAO, IT lead, clerk, and one council liaison. Anyone else slows decisions. Open a shared incident log in a non-affected location (paper, personal email, or Google Doc on a clean device).
- 3. Call your cyber insurance carrier first (First hour)
Most policies require carrier-approved IR firms. Hiring your own first can void coverage. Get the claim number before anything else.
- 4. Engage incident-response counsel (First day)
Privileged advice changes what's discoverable. Counsel briefs the carrier, the IR firm, and (later) the regulator.
- 5. Notify MS-ISAC (US) or CCCS (Canada) (First day)
Both are free for SLTT entities and bring threat intelligence, indicators of compromise, and a calm voice on the call. They do not replace your IR firm.
- 6. Stand up paper-based continuity for tax, permits, and utility billing (First day)
Pre-printed receipt books, manual permit logs, and a one-page resident notice at each counter. Most towns have these from the last storm — find them.
- 7. Draft the resident-facing message (First week)
Plain language. What's down, what still works, where to call, when you'll update next. Council and the local paper will quote this verbatim.
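Step 1 only works if the switch-port isolation actually took effect, and the IT lead will be asked on the bridge call to confirm it. The following is an added example, not part of this playbook: a small Python check run from a clean device (one the affected systems never talked to) that tries to open a TCP connection to each isolated server on the service ports those servers normally answer. A host that still answers is a containment gap to fix before forensics begins. The host names, addresses, and port list are constructed placeholders, not a real inventory; the 192.0.2.0/24 addresses are the documentation range and never route.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# Constructed placeholder inventory of the systems isolated in step 1.
# Replace with the real list from the incident log; these are not real hosts.
ISOLATED_HOSTS = {
    "fin-app-01": "192.0.2.10",
    "permit-db-01": "192.0.2.11",
    "utility-bill-01": "192.0.2.12",
}
# Ports these servers normally accept connections on (file sharing, remote
# desktop, RPC). Assumed for the example; use whatever your servers expose.
CHECK_PORTS = (445, 3389, 135)


def tcp_reachable(address: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connection to address:port completes within timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        # Refused, unreachable, or timed out all mean "not reachable from here".
        return False


def check_isolation(hosts: Dict[str, str], ports: Iterable[int] = CHECK_PORTS,
                    timeout: float = 0.5) -> Dict[str, bool]:
    """Map each host name to True if ANY of the checked ports still answers."""
    ports = tuple(ports)
    return {
        name: any(tcp_reachable(addr, p, timeout) for p in ports)
        for name, addr in hosts.items()
    }


def still_reachable(hosts: Dict[str, str], ports: Iterable[int] = CHECK_PORTS,
                    timeout: float = 0.5) -> List[str]:
    """Names of hosts that were supposed to be isolated but still answer."""
    result = check_isolation(hosts, ports, timeout)
    return sorted(name for name, up in result.items() if up)


def demo() -> Tuple[bool, bool]:
    """Show both outcomes without touching a real network.

    A loopback listener stands in for a host that was NOT isolated (reachable),
    and an unrouted documentation address stands in for one that was (not).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        not_isolated = tcp_reachable("127.0.0.1", port)
    finally:
        srv.close()
    isolated = tcp_reachable("192.0.2.1", 445)
    return not_isolated, isolated


if __name__ == "__main__":
    gaps = still_reachable(ISOLATED_HOSTS)
    if gaps:
        print("Containment gap, still reachable:", ", ".join(gaps))
    else:
        print("All listed hosts unreachable from this device.")
```

Run it from the clean device, not from the affected workstation, and record the output and timestamp in the shared incident log from step 2; an empty gap list is the evidence the IR firm and carrier will ask for. The check says nothing about the hosts' own state, so it does not replace the memory capture the forensics team will do while the machines stay powered on.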
Continuity of service
- Tax: accept payments at the counter with a paper receipt; deposit daily; reconcile when systems return.
- Permits: log applications in a numbered paper ledger; flag any safety-critical items (occupancy, fire) for manual department review.
- Utility billing: defer cut-off notices for one billing cycle; pre-draft a council resolution if needed.
- Court scheduling: coordinate with the clerk of court — most jurisdictions allow short adjournments for technical failure.
Communication
Plain-language status posted at every counter and on social media. State what works, what doesn't, and the next update time.
Closed-session briefing under the open-meeting exception for security matters. Confirm the exception applies in your jurisdiction before scheduling.
Single named spokesperson (usually CAO). Do not name the ransomware family or speculate on the threat actor.
If the attack came through Tyler Munis, OpenGov, Granicus, CivicPlus, or Accela, notify the vendor's security team in writing and request their incident report.
Regulator hand-off
- US: file with CISA under CIRCIA timelines; notify the state AG per breach-notification law; for police data, notify the CJIS Systems Officer.
- Canada: notify the provincial Information & Privacy Commissioner per provincial public-sector law; CCCS for federal threat coordination.
- Insurance carrier confirms which timelines apply under your policy — they are sometimes tighter than statute.
FAQ
That is a decision for the CAO, council, counsel, and insurance carrier together. US Treasury OFAC sanctions can apply if the threat actor is on the sanctions list — paying may be illegal. Most modern carriers will not authorize payment until decryptor viability and sanctions clearance are confirmed.
Yes, on paper-based continuity for tax, permits, and billing. Public safety dispatch, water treatment, and traffic systems usually run on isolated networks and are unaffected — confirm this with your IT lead before reassuring residents.
Within hours, not days. Residents will notice immediately when permits and billing are down. A short, honest statement (what's down, when you'll update next) buys more trust than silence.