The attack was on Virginia’s Division of Legislative Automated Services, or DLAS. It came as lawmakers and staff were in the middle of preparing for a legislative session slated to begin in January.
Gov. Ralph Northam’s spokeswoman, Alena Yarmosky, confirmed the attack on the General Assembly’s IT agency. Yarmosky said Northam has been informed about the incident and told executive branch agencies to offer help in “assessing and responding to this ongoing situation,” according to a statement given to The Associated Press.
Hackers using “extremely sophisticated malware” accessed the system late Friday, Davie Burhop, a top agency official, told Virginia legislative leaders in an email AP obtained. Burhop sent an email Monday afternoon saying a ransom note was sent with no specified amount or date.
The email said Burhop’s agency was working with law enforcement, like the FBI, on the matter. It also said cybersecurity firm Mandiant, which has been retained since a “breach” during the summer that involved the use of an employee’s credential, was helping in the investigation.
“After upcoming meetings, we will provide additional information, including a course of action to this leadership group but please understand this likely will not be resolved quickly,” wrote Burhop.
The agency is collaborating with authorities to find “the scope of the issue and plan for possible remediation,” Burhop wrote. The email said all of the agency’s internal servers, like ones for bill drafting, the budget system, and the General Assembly voicemail system, were impacted.
“Anything to do with bill drafting or bill referrals — all of that has been impacted,” said Senate Clerk Susan Clarke Schaar.
The attack marks the latest in a ransomware scourge that has exploded over the past year, with attacks against governments, critical infrastructure and major corporations.
Cybersecurity researchers who track ransomware say there’s no previous record of a state legislature suffering an attack.
“It continues to show that no organization is safe from these ransomware attacks. Anybody anywhere can be hit,” said Allan Liska, an intelligence analyst at the cybersecurity firm Recorded Future.
Brett Callow, a threat analyst at the firm Emsisoft, said Virginia is the 74th state or local government hit by ransomware attacks this year, though the first legislature he’s ever seen attacked.
“Honestly, I’m surprised it hasn’t happened before,” Callow said.
Liska said it’s not uncommon for ransomware gangs to try to time their attacks to inflict maximum pain on the targets, as some hackers have done to school districts just at the start of a school year.
“They are smart enough to do that,” he said.
The website for the Division of Capitol Police was also down as a result of the attack. But a spokesperson said the agency was operational, with its critical communications functions unaffected.
Although DLAS does not fall within the purview of the Virginia Information Technologies Agency, which oversees IT for the state’s executive branch, a VITA spokesperson said the agency was also helping with the response effort.
There were so far no indications that the attack had affected any executive branch agencies, the spokesperson, Stephanie Benson, said.
The Associated Press contributed to this report.