Turks and Caicos recovering from pre-Christmas ransomware attack


The government of Turks and Caicos said it is making progress in its recovery from a recent ransomware attack that has caused widespread issues on the islands over the last month. 

Everything from government welfare payments to tax collection and the islands’ department of motor vehicles has been impacted by the ransomware attack.

But in a statement on Friday, the government said it has been able to restore some systems while it calls in experts from the U.K. and other islands to help with others. 

The island, located north of Haiti and Cuba, is a British Overseas Territory with about 50,000 residents.

The government initially warned residents of the ransomware attack on December 19 and said it was working with U.K. government officials to address the attack. The attackers gained access to the government’s revenue collection and payment systems, impacting numerous business operations on the islands. 

The impact of the attack caused outrage locally as the Ministry of Finance said there would be a delay in payments provided to people participating in several welfare programs. 

The delays took place just days before Christmas, and by Christmas Eve the government confirmed that “several segments of [the government’s] network has been compromised.” 

“To mitigate against the cyber breach, a number of digital applications have been temporarily shut down to contain the threat and reduce further exposure,” the government said on December 24. 

Most departments had to revert to manual operations while the Ministry of Finance had to extend the due date for tax payments and explore other ways to issue checks to residents and businesses. 

The islands’ customs department also issued guidance for businesses that needed clearances for customs. Many applications for government licenses had to be suspended until the new year, when manual processes could be implemented. 

There were significant delays for those seeking new driver’s licenses, with the government able to resume printing them by December 30. 

Continuity plans were enacted in order to focus on prioritizing urgent payments related to social welfare, scholarships, healthcare payments, cost of living programs, financial assistance efforts, utility payments and employee salaries. 

During a cabinet meeting on December 30, the government confirmed that the cyberattack was a ransomware incident and noted that the U.K. government was covering the cost of external forensic investigators. 

“TCIG has engaged external cyber security specialists who are taking forward the technical recovery, which is focused on the restoration of essential services. This has included deploying a capability that will manage the detection and response of any malicious activity within the network,” the government’s cabinet said after the security briefing.

“In order to accelerate the restoration of critical services, the relevant business continuity plans are being activated [and] initially focused on the TCIG financial systems to enable payments. In parallel, work is underway to build alternative systems whilst work is ongoing to restore systems. Additional resources are being sought to accelerate this further and to enhance security measures in the coming weeks.”

The payment system the government uses for many of these programs was restored on January 6, and several other platforms were put back into operation by January 8.

The government did not respond to requests for comment about what systems still have not been restored and when they would be. 

Several statements since January 8 have said the government is now deep into a forensic investigation that will “provide an in-depth analysis of the incident to inform corrective measures and mitigation strategies to prevent similar occurrences in the future.” 

“Additionally, technical oversight for the recovery and restoration efforts will be received from a key cybersecurity expert from a fellow overseas territory,” the government said. “The TCIG is committed to building more resilience into our systems, and is seizing this opportunity to upgrade legacy software and implement enhanced policies and protocols across the enterprise, including for end-user.”

The incident has become a political football on the islands, with opposition parties slamming the government for not having firewalls in place and not having cyber insurance. 

“Where was the accountability from the Cabinet? Which minister or anyone came before the Turks and Caicos Islands and before the people and told them what was going on?” one opposition leader said. The government has only released statements online and has not held a press conference about the ransomware attack. 

No ransomware gang has taken credit for the attack as of Monday, but multiple Caribbean islands have dealt with ransomware attacks in recent years. 

Bermuda was battered by a ransomware gang that targeted the island’s government and another unnamed Caribbean island in 2023. 

Martinique, Trinidad and Tobago, the Dominican Republic and Guadeloupe have all dealt with ransomware attacks in the last year while Costa Rica — a Central American country along the Caribbean Sea — faced a wide-ranging incident affecting several parts of its government.

Costa Rica was attacked again in December, with ransomware actors taking down systems used by a state-owned energy provider for the country.


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
