Kansas officials blame 5-week disruption of court system on 'sophisticated foreign cyberattack'

MISSION, Kan. (AP) — Cybercriminals hacked into the Kansas court system, stole sensitive data and threatened to post it on the dark web in a ransomware attack that has hobbled access to records for more than five weeks, officials said Tuesday.

The announcement of a “sophisticated foreign cyberattack” was confirmation of what computer security experts suspected after the state's Judicial Branch said Oct. 12 that it was pausing electronic filings. Until now, state officials had released few details, describing it simply as a “security incident.”

Upon learning about the attack, the state disconnected its court information system from external access and notified authorities, the Judicial Branch said in a statement. That disrupted daily operations of the state’s appellate courts and all but one county. Johnson County, the state’s most populous, operates its own computer systems and had not yet switched over to the state’s new online system.

In recent weeks many attorneys have been forced to file motions the old fashioned way — on paper.

“This assault on the Kansas system of justice is evil and criminal,” the statement said. “Today, we express our deep sorrow that Kansans will suffer at the hands of these cybercriminals.”

A preliminary review indicates that the stolen information includes district court case records on appeal and other potentially confidential data, and those affected will be notified once a full review is complete, the statement said.

Analyst Allan Liska of the cybersecurity firm Recorded Future said no ransomware group leak site has published any information yet.

Judicial Branch spokesperson Lisa Taylor declined to answer questions including whether the state paid a ransom or the name of the group behind the attack, saying the statement stands on its own.

If organizations don't pay a ransom, data usually begins to appear online within a few weeks, said analyst Brett Callow of the cybersecurity firm Emsisoft. Victims that pay get a “pinky promise" that stolen data will be destroyed, but some are extorted a second time, he said.

In the weeks since the Kansas attack, access to court records has only partially been restored. A public access service center with 10 computer terminals is operating at the Kansas Judicial Center in Topeka.

The Judicial Branch said it would take several weeks to return to normal operations, including electronic filing, and the effort involves “buttressing our systems to guard against future attacks.”

A risk assessment of the state’s court system, issued last year, is kept “permanently confidential” under state law. But two recent audits of other state agencies identified weaknesses. The most recent one, released in July, said “agency leaders don’t know or sufficiently prioritize their IT security responsibilities.”