Nearly three months after a ransomware attack disrupted phone lines, computer services and WiFi across Solano County's public libraries, systems are still down with no recovery in sight - an all-too-common plight for vulnerable government agencies, experts say.

Patrons who depend on using library computers haven't had access to them since the April 5 attack, and some workers have had to find other ways to print papers or connect with other libraries, most of which still do not have working phones, library staff said.

Such ransomware attacks against government agencies and the public infrastructure they host are extremely common, said Nick Merrill, director of the Daylight Lab at UC Berkeley's Center for Long-Term Cybersecurity.

In the attacks, criminals encrypt computer systems with malware, then threaten to withhold or leak data unless a ransom is paid. Their duration depends on the severity of the attack and the victim's cyber preparedness, Merrill said.

Successful cyberattacks on public-facing infrastructure worldwide happen several times a week - and attempted attacks occur tens of thousands of times per second, Merrill said in an email. Hackers released data of thousands of Oakland city workers last year following a cyberattack.

"Unfortunately, state and local government bodies like libraries and school districts have tight budgets to begin with. Little money is left for cyber preparedness," Merrill said. "That makes these organisations vulnerable."

'Unexpected activity' in library network

Solano County officials still have not publicly confirmed that a cyberattack occurred. The county's chief information officer, Tim Flanagan, told the Chronicle in mid-April only that officials had found "unexpected activity" within the library's IT network and "responded quickly to confirm the security of our systems and to work toward restoring full functionality as soon as possible."

However, the incident was acknowledged by officials in St Helena, in neighbouring Napa County - a member of the Solano Partner Libraries and St Helena network, known as SPLASH.

In an April 19 news release, St Helena officials said that hackers had targeted the SPLASH network on April 5. They demanded a US$100,000 (RM471,990) ransom, and threatened to release data they claimed to have stolen from the system if their demands were not met, St Helena officials said

St Helena library services were not directly impacted because it uses a separate cloud-based system to house library data, and a review by a data services company found no indication that library card holder data was compromised, city officials said.

Solano officials have not provided details of any possible impact on user data in the county's library system.

Flanagan told the Chronicle in mid-June that the investigation was ongoing, and that the county library will provide more information once the investigation concludes. No indication was given when that would happen.

Solano County's libraries have remained open, and patrons have been able to check out books and other material, both physical and digital. But as of July 1, computer services and WiFi remained down across the nine branches in Dixon, Fairfield, Suisun City, Rio Vista, Vacaville and Vallejo.

"We don't know yet when computers will be restored," reads a service disruption message on the Solano County Library website.

Another municipal cyberattack

Computers at the St Helena Public Library are also down - but not because of the April 5 attack, city officials said.

The city suffered another ransomware attack on May 13, according to a news release. All city servers and computers were taken offline, and the library was closed for the day. Library services have since been restored except for desktop computers, officials said.

Up to 20 city computers and at least one server appeared to have been affected by a virus, officials said. "The City has over 25 different systems some of which house sensitive data for employees, businesses, and residents," the release said.

The city is working with third-party experts to identify individuals whose data may have been exposed, and will inform them after the review is complete "as required by law," St Helena officials said.

Compared to other kinds of cyberattacks, such ransomware attacks are actually on the decline after peaking during the pandemic in 2021 when many employers adapted to remote work and moved online without cyber-readiness, said Merrill of UC Berkeley.

"On top of that, many had cyber insurance, and those insurers frequently paid ransom," which incentivised potential attackers, he said.

Now, "The ransomware attacks we do see tend to focus on state and local government agencies, which attackers perceive as ill-prepared and thus more likely to pay the ransom," Merrill said.

Government agencies should not pay ransoms, Merrill said. "Ransomware crews do ransomware attacks because it pays; if no one pays, the attacks stop," he said.

Data breaches are among the most serious attacks, especially against governments, said Jason Hong, professor of School of Computer Science at Carnegie Mellon University in Pittsburgh.

More than 12,200 data breach incidents – 1,085 of which had confirmed data disclosure – against public administration were reported in the last year, according to Verizon's 2024 Data Breach Investigations Report, which tracks security incidents and breaches.

To minimise the likelihood of data breaches, government agencies should keep their software up to date, require two-factor authentication and have a full-time team dedicated to computer security, Hong said.

"It's also worth mentioning that data breaches also happen not just because your network is breached, sometimes it's because someone lost their laptop," Hong said.

Merrill said he conjectures that the Solano County library system was either hit severely, was not adequately prepared to recover from a cyberattack, or both.

'It has impacted the community a lot'

The service disruption in Solano County also impacted some services at the Benicia library, which like St Helena is city-operated but is part of the SPLASH network. Computers, printing services and the self-checkout machines were down as of last week, but the public WiFi was working. Library staff have been using secure connections via Internet hot spots.

"It has impacted the community a lot," said library assistant Adrianna Murray, adding that staff have to regularly redirect patrons to other places in town for printing services.

"We have regulars that come in quite often that may have housing issues or this is the only way of getting work done or anything like that, and they rely on us a lot for that," she said.

Diana Walsh was browsing through the shelves in the library's "Ron's Book Nook" section on last week. A library patron for about 20 years, Walsh said she mostly goes to the library for books but noticed that the computers had been out for a couple of weeks. She assumed the library didn't have enough money to fix them.

"That's disappointing," Walsh said after a Chronicle reporter informed her about the cyberattack.

"Anybody that would attack a library is a total jerk. I just hope that they find the culprit," she added.

Reyna Dueñas also was unaware of the cyberattack. But as a college student who depends on the library's WiFi to study for her exams, she empathised with those who need to use the library's computers.

A "library is supposed to be a resource for people," Dueñas said.

Murray said the disruption has affected library staff as well: They've had a harder time getting hold of other libraries because their phone lines have been down.

"Why would you hack a library?" Murray said. "Libraries are already having trouble enough for funding... so for them to just try and hack a library seems not useful." – San Francisco Chronicle/Tribune News Service