It could take a “very long time” for the Government to recover from being hacked three weeks ago regardless of whether it has paid a ransom, according to a threat analyst in the United States.

Brett Callow, from security software firm Emsisoft, told The Royal Gazette it was common for government entities to fall victim to a cyberattack — he has tracked 63 this year involving US government bodies — and not at all unusual for the recovery to take months.

“You really can’t make any guess at all as to what may be happening here,” said Mr Callow. “It can take a very long time for organisations to recover.”

He said that many public services in Bermuda remaining out of operation, such as front-desk cashiers not accepting credit and debit cards, did not shed any light on what was happening behind the scenes.

“It really suggests nothing,” he said. “You can’t draw any conclusions at all from that. It could be that [if there was a ransom] they haven’t paid and are working to rebuild the network or they have paid and are in the process of recovering their systems.

“Payment isn’t an option for a quick recovery. Even if organisations do pay, then recreating their networks and restoring their data can still take a considerable amount of time.”

He cited a recent breach of the First Judicial Circuit in Florida, which has significantly affected court operations, with the public there told to expect disruption “for an extended period”.

The public here have been told little about the September 20 breach of the Government’s IT systems, including whether or not it was a ransomware attack — a scenario where hackers encrypt a network and demand payment in exchange for a decryption key.

No information has been shared publicly about who carried out the attack, whether any confidential data was stolen or how the hackers were able to get access.

The Bermuda Police Service said yesterday that their inquiry was ongoing.

The Gazette asked for a comprehensive list of everything that was not working due to the cyberattack and in response a government spokeswoman said: “The Government remains fully focused on restoring functionality across the service, particularly those systems that support providing services to the public.

“While there may be some systems that are delayed in being restored, the key point is that the work done thus far has significantly advanced the restoration and recovery effort.

“It is anticipated that once that effort is completed, a further public update will be shared regarding investigations and added security efforts.”

British authorities, including the National Cybersecurity Centre and the National Crime Agency, are helping with the investigation. The Foreign, Commonwealth and Development Office referred inquiries to the Bermuda Government.

Mr Callow said a ransomware attack was one likely scenario, although phishing or access being gained through improperly secured internet-facing services were other possibilities.

“There are relatively few cybersecurity events that would have caused such a disruption for such a lengthy amount of time,” he said.

Speaking generally about ransomware attacks, Mr Callow said that if data was stolen or copied, the hackers would be reluctant to publish it as doing so would mean “they start to lose leverage”.

He described how those working to restore breached systems needed first to make sure that attackers no longer had access, before beginning to assess and repair the damage.

“It’s hard, quite often, for them to work out what’s happened,” he said.

“They don’t know what data may have been accessed because all of their logs may have been scrambled. They may not know if their back-ups are working or restored. It’s a complex process.”

Mr Callow added: “This happens all the time. I only track incidents involving US Government bodies. So far here, there have been 63 affected by ransomware this year.

“That’s only ones that have come to light. There will have been incidents that we don’t know about. That’s only in the US. Governments all over are being hit all the time.”

He said most ransomware attacks succeeded because of security failings and most were preventable, but organisations often failed to use measures such as multifactor authentication. “I can tell you that a lot of organisations should, but they don’t.”

David Burt, the Premier, said after the cyberattack: “There has been an incident which is affecting not only the Bermuda Government but some other regional governments as well.”

Mr Callow suggested that might mean the Government was not specifically targeted.

“They did say that numerous organisations were affected by this and they weren’t the only ones,” he said.

“Organisations don’t always manage all of their own IT. Sometimes they outsource some of it to managed service providers. This is especially the case with governments.

“Those managed service providers use remote access tools to basically manage the IT of multiple organisations.”

He said sometimes that meant multiple organisations suffered a breach, such as in 2019 when an attack encrypted the computers of 22 Texas municipalities.

• UPDATE: this story has been amended to include a statement from a government spokeswoman