A ransomware attack shut down Vermont Legal Aid’s computer network system, locking up all the data stored on it.

And it will be several weeks before the organization is back to being “fully operational.” 

Eric Avildsen, Vermont Legal Aid executive director, said Monday that the organization has brought in a network security consultant and a preliminary assessment of the damage shows that it does not appear any client or staff data has been compromised.

“My staff, they’ve been working from home under trying conditions trying to help Vermonters and then this happened to them,” Avildsen said.  

The attack took place May 10, he said, and affected the network computer system across all five of Legal Aid offices in Rutland, Montpelier, Springfield, Burlington and St. Johnsbury. 

To ensure that clients’ information had not been accessed in the attack, he said, Legal Aid is contracting with a company to conduct an audit. “But we’re being told that wasn’t the kind of hack that we had,” Avildsen said.  

The organization is now working to disinfect its computer files and is slowly getting that information back, with Avildsen hopeful that about 90% of it can be retrieved. According to Avildsen, it will be weeks before Legal Aid is “fully operational.” 

Also, recovering from the attack will prove costly as he said while he had no final figure it will be “tens of thousands of dollars.” 

Avildsen said he has contacted law enforcement authorities, including the Vermont State Police, the Vermont Attorney General’s Office, the Burlington Police Department, and the FBI.

He said he couldn’t publicly say what exactly the ransomware attack involved or how it occurred, as the matter involves a criminal investigation.

“I’m told I shouldn’t be specific about the ins and outs of the particular attack until they are finished investigating,” he said.

However, he said, it is expected the FBI will be the lead agency on the case and the chances don’t appear great the perpetrators will get caught. 

Sarah Ruane, a spokesperson for the FBI’s regional office in Albany, New York, said Monday she could neither confirm nor deny if an investigation was underway in the matter.

Asked if working from home and outside the office creates a greater danger of a ransomware attack, Ruane provided FBI information in an email on the topic. That email stated most companies have protocols in place to prevent that from occurring, such as employees using a VPN, or virtual private network for a secure connection.

“That said,” the email stated, “it’s imperative to have properly configured networks and security settings for those protocols to be effective.”

According to the FBI, ransomware is a kind of software that can lock up computer files and network while demanding a ransom payment to get them back. They can be caused a variety of ways, from  opening an email attachment to clicking on an ad, the website said. 

Most of the roughly 90 staff members at Vermont Legal Aid and its partner organization, Legal Services Vermont, have been working from home as a result of the Covid-19 pandemic, Avildsen said, logging onto the system remotely. 

“It’s an unfortunate reality that with 90 people working from home,” he said, “you don’t have the same level of controls over the security issues.” 

He said Legal Aid has contacted the courts, state agencies as well as worked to notify clients to let them know of the situation.

Luckily, he said, the attack did not affect the organization’s email, which is a cloud-based system. That allowed Legal Aid to have a record of the people they represent. “Every case starts with an email,” he said. 

Avildsen also said the attack did not affect the organization’s website, https://www.vtlegalaid.org/

Attorneys have done their best to go forward with court hearings, he said, though due to the judicial emergency resulting from the coronavirus pandemic there have far fewer of them than if the court system were functioning normally.

Also, he said, Legal Aid has been answering the phones and emails from people in need of legal service as they continue to come in.

“We did have to tell some people we couldn’t have done as much for them as we normally would have done,” Avildsen said. “It was hard to represent people without our online materials we usually have.” 

Legal Aid helps provide civil legal services for people living in poverty, with a disability, over age 60, or facing discrimination, according to the organization’s website.

The organization also plays an advocacy role, lobbying for issues during the Covid-19 crisis from a moratorium on evictions to increasing food benefits for people in need.

Avildsen said the organization quickly made the move to have its employees work from home to protect against the spread of Covid-19 and carry on representing Vermonters, and computer viruses were not at the top mind.

“We only had a few days to prepare,” he said. “Hindsight is often disappointing when you look back and say, ‘Maybe we should have done something differently.’”