When the virus came, Cindy Hamilton rooted it out, isolated it, sought outside help, and stopped the infection from spreading at her small co-op in Wyoming.

This isn’t a story about COVID-19.

It’s about Conti—a vicious computer ransomware virus that’s racked up hundreds of successful attacks around the world, forcing some companies to pay huge sums to criminal hackers who held stolen sensitive data hostage.

But that’s not how it went down at Carbon Power and Light in Saratoga, Wyoming, where Hamilton serves as the lone IT professional.

The attack came on July 22 at 10:49 p.m. Hamilton had logged into the system from home to make sure everything was working properly.

“All of a sudden, this banner pops up saying the administrator wants access to the system. Well, I am the administrator, so I knew immediately it was some sort of breach,” she recalls. “My first thoughts were to protect the system, the members’ and the employees’ data.”

She could see it was a massive hack, compromising every component and computer in the network and locking out access to crucial data files.

She didn’t panic. She reached out. Hamilton, 59, is well-known in the co-op IT community and has trained in NRECA’s Rural Cooperative Cybersecurity Capabilities (RC3) Program. At one meeting, she became friends with Mike Hyde, IT manager at Northern Neck Electric Co-op in Virginia.

That night she texted Hyde. He reached out to his friend Alan Harrington, an IT consultant and cybersecurity expert who runs ARX Systems, a network security firm based in Raleigh, North Carolina, that has worked with electric cooperatives on cybersecurity and technical issues.

Harrington immediately agreed to help. With Hyde, she had her team.

“Because of the attack happening at night, I was able to get my thought process into motion. I knew since our billing and accounting systems were off-site, no member data or financial information was compromised,” Hamilton says.

She also knew she had recent backups for almost all of the affected systems.

She was confident. But the assault infuriated her.

“I felt like I would have if somebody had robbed my house,” she recalls. “I am a part of this cooperative, and this system is a part of me—what I’ve helped build. I was going to get it back to what it was and make it better. That was my thinking.”

'A Perfect Fit'

Before joining Carbon 15 years ago, Hamilton had put in 24 years at UPS, starting in data processing and advancing to tech support. Along the way, she learned data skills, progressing from clunky mainframes to today’s smart, complex, speedy systems. The security of that job allowed her to raise two children as a single parent. It also paid for her college degree.

But she was commuting at least 85 miles from Saratoga to Laramie, driving mountain range roads that were treacherous in harsh weather.

“I told my husband, wouldn’t it be great if a computer job opened in Saratoga?”

Two weeks later, she learned Carbon had such a position. It was a perfect fit, she says, challenging her to learn utility data skills and serve members as a “help desk.” She did it all.

“I am the type of person who wants to know how something works and to know how to make it work if it falters,” she says. “I am a global thinker, not a linear thinker. I tend to look at the big picture, not pieces. This helped in my career, and it helped with the virus problem.”

Transparent About the Incident

For her counterattack on the virus, she charged into the co-op, unplugging cables and hitting off buttons.

“It was like I became possessed to get it back running, rebuilt and protected from something like this ever happening again.”

She also texted General Manager Russell Waldner with the bad news.

Waldner notified the FBI, U.S. Department of Homeland Security, Wyoming Department of Criminal Investigation and Wyoming Public Service Commission. The co-op also contacted Federated Rural Electric Insurance Exchange, where it had cyber-liability insurance.

With Harrington’s help in restructuring the co-op’s domain, Hamilton formatted and restored physical workstations, deploying retired computers for temporary use and a crucial new component that Harrington had overnighted. The co-op only lost two days in accessing its critical systems, but it took several weeks, working 60 hours a week, to get every system restored.

They also preserved images of the infected data for the FBI to investigate.

“When we confirmed it was the Conti virus, all I could think of was how awesome was Cindy’s response,” Harrington says. “She singlehandedly protected several of the mainline business applications due to her fast action. I’d say she saved the company over $300,000 and months of work by having these backups and routinely installing security patches.”

Waldner estimates that non-covered losses were about $10,000.

An analysis revealed that a Carbon staffer had unwittingly unleashed the virus after clicking on an email that looked as if it had originated from a fellow employee.

In a chilling final episode, about two weeks after the attack, the hackers phoned the co-op directly, leaving a voicemail filled with threats to sell the information if the administrator didn’t respond.

Hamilton, following the FBI’s advice, never contacted the hackers.

Carbon was transparent about the incident, reporting it to members in its August 2020 newsletter.

“We don’t want to hide what happened. We think it’s important to be open so that others, particularly small co-ops like ours, can benefit from our experience,” Hamilton says. “You might think that if you’re small, hackers won’t bother with you. But they can, and they will.”