Cyberattack on Maryland’s health department was ransomware, officials say
2022-01-13     The Washington Post, Washington, D.C.

       The cyberattack that has hobbled Maryland’s health department since last month was ransomware designed to prevent health workers from accessing critical systems until an extortion was paid, officials publicly acknowledged for the first time Wednesday.

       “We have paid no extortion demand, and my recommendation after consulting with our vendors, state and federal law enforcement, continues to be that we do not pay any such demands,” the state’s chief information security officer, Chip Stewart, said during a call with reporters.

       He would not detail any demands or say whether officials have communicated with the attackers. “Details like that are still investigatively valuable, and as a result, we’re unable to share that at this time,” Stewart said.

       Stewart said that he could not “speak to the motives or motive of the threat actor,” and that paying a ransom would offer no guarantee of fixing the problems.

       “You still need to canvass the environment, make sure that everything is clear of any potential remnants or malware that’s left behind,” he said. “The simple payment just doesn’t make the problem go away.”

       Instead of paying, he said, security officials quickly took steps to contain any damage, isolating sites on the health department’s network from one another and from the Internet. “Our containment activity was focused on limiting any potential further spread of the malware,” Stewart said. “As we go through and we make sure everything’s clear and clean, we can restore data and services as quickly as possible.”

       The disruptions have hampered not only pandemic response, but also routine matters such as caring for people in state mental hospitals, licensing health-care workers and providing Medicaid benefits to some recipients, The Washington Post reported Saturday. Since the attack, security workers have restored various systems, including those reporting coronavirus data, and have developed workarounds for others.

       But many systems remain unusable, and officials on Wednesday’s call said they were too numerous to immediately list. Lance Schine, the state’s chief technology officer, said they are working methodically to restore them.

       “It’s a lot of effort to bring a system up when you have an investigation because you have to make sure you don’t trample any evidence — that you’re maintaining the ability for the investigators to do their job,” Schine said. It will take weeks, if not longer, to restore all of them, he said.

       “We do foresee that in the fairly near future, when that investigation is complete, that some large groupings of systems will come up quickly,” Schine said. “While it appears we’re starting slowly, we’re doing a lot of the work in the background to make sure that when the investigation is done, lots of systems will come up quickly.”

       He said one of the services health workers have said is most needed is access to their files on the state network. “About 85 percent of those network files will come back, probably — I don’t want to give a time — but in the very near future, and we may be able to get those back while investigations are still proceeding.”

       Officials have said the health department’s network team noticed “unusual behavior” during the early morning of Dec. 4. A server was not working properly, and they initially assumed it was a malfunction or hardware failure. By later that morning they suspected a cyberattack, but officials have declined to say what led the network team to believe that.

       “Through the routine troubleshooting, they identified activities that they felt warranted escalation to the [health department’s] internal IT security team,” Stewart said, which soon notified other officials they suspected a ransomware attack. He said the department “was able to isolate and contain its systems within several hours of first detecting the incident.”

       The next day, health department employees were ordered to stay off their state-issued computers, many or all of which have remained off limits since. Some employees have used their personal computers to keep working, while the department has begun issuing new computers.

       Atif Chaudhry, the health department’s deputy secretary of operations, said the state first ordered 2,400 new laptops for employees, and this week ordered an additional 3,000. The department “also ordered MiFi devices, printers and wireless access points to other hardware to ensure employees have the equipment to do their jobs and continue to provide services,” he said.

       

