Case study

A 12,000-population town's first 90 minutes.

Ransomware across permitting, tax, and utility billing — handled before lunch.

Size: ≈12,000 residents
Vector: Ransomware (known family, decryptor available)
Jurisdiction: US municipality (state undisclosed)
Outcome: Recovered to a 3-week-old backup; lost intervening data; no ransom paid.

Illustrative composite. Names, jurisdiction, and identifying details changed; timeline and decision points drawn from real small-city engagements.

8:14am, Monday. The deputy clerk can't get into the permitting system. Within fifteen minutes, the tax software, the utility billing portal, and one workstation in the treasurer's office all show the same kind of errors — and the workstation has a ransom note on the desktop.

8:30am. The CAO walks to IT (a single contracted MSP technician, on-site Mondays). They pull the affected machines off the network at the switch — powered on, isolated. The CAO calls the cyber insurance carrier from her cell phone before doing anything else. The carrier opens a claim and routes her to an insurance-approved IR firm.

8:55am. A four-person bridge: CAO, MSP technician, town clerk, and one council member (the mayor pro tem, who happens to be a retired IT director). Shared incident log opened on the mayor pro tem's personal Google account, on a clean Chromebook.

9:10am. The clerk locates the paper continuity binder from a 2019 tabletop. Counter staff are given pre-printed receipt books and a one-page resident notice: "Our payment system is temporarily offline. We are accepting cash and check today. Online payments resume soon — no late fees apply during the outage."

9:25am. MS-ISAC is on the line. They confirm the ransomware family from the note (a known one, with an active decryptor on NoMoreRansom). They share indicators of compromise for the MSP to hunt for.

9:40am. A resident calls the local paper. The CAO is ready: one sentence, no speculation, the next update time. The reporter quotes it verbatim and moves on.

What went right. The carrier call before the IR firm call. Isolation, not power-off. Paper continuity binder current within five years. A council member with technical literacy on the bridge. No public speculation about the threat actor.

What didn't. Backups were on a NAS reachable from the encrypted network — most were encrypted too. The town recovered tax and billing from a three-week-old offline backup and lost the intervening data. MFA was not enforced on the treasurer's email; the entry point turned out to be a months-old credential stuffing event.

What council asked first. Not "should we have paid more for cybersecurity" — that came later. The first question, from the council member who wasn't on the bridge, was "what do we tell people whose tax payments today might be lost?" The CAO had an answer ready by 10:30 because the bridge had drafted it at 9:45.

Lessons

Things every small municipality can copy.

  • Post the insurance claim number at the CAO's desk. The first call goes there.
  • Refresh the paper continuity binder every council term. Five years is the limit.
  • Get one council member on the bridge — and only one. A bridge of seven slows decisions.