Ransomware has been rampant lately. Medical and Dental offices/facilities are not exempted from attacks. Now, they are becoming a lot bolder by targeting city government computers and servers.
New Orleans city government has been affected by cyber-attacks last week due to a ransomware known as Ryuk. Sample malware was based on shared uploaded files on website VirusTotal.
Red Flare Security’s founder Colin Cowie was first to spot the lines of code both referencing functions of New Orleans’ municipal agencies and the Ryuk virus.
Last Friday afternoon, city officials have acknowledged the attack. They even declared a state of emergency due to the fact that they had to shutdown/turn off 4,000 computers and servers across the government. Even their websites were down for a few days. It was a massive blow they have gotten. Municipal courthouses were closed. Healthcare for the homeless service was unavailable since they cannot access files. 911 was unaffected, and other work that can be done offline or use Gmail accounts were used to handle non-emergency requests while the city’s email server was still offline.
New Orleans Chief Information Officer Kim LaGrue announced during a press conference last Saturday said that she expects data loss caused by the ransomware to be very minimal. Good thing that they quickly responded upon early detection thus preventing further spreading. The malicious activity that got into their network gained their attention last Friday around 5AM prompted them to decide to do a city-wide systems shutdown within a few hours. They do have offline backups of their files and applications that would help restore services back to normal and/or minimal mitigation required.
They do have a team that closely monitors activities like these to prevent data loss thus minimizing risk. It is part of their standard operating procedures to keep on investigating and looking for suspicious activities. According to them, “They are now looking to recover from a very resilient platform.”
State and federal law enforcement agencies are now investigating together with Louisiana National Guard in regards to the said ransomware attack. They are even doing a forensic investigation – which is still a work in progress with hopes to finding out more about it, which includes mechanisms and methods of compromising computers.
No information were disclosed about the source of the attack and how much the ransomware demand was. Although it is true that municipal government is now part of a trend among ransomware targets.
Huge payouts have been collected from the following $400,000 from Jackson County, Georgia; nearly $600,000 from Riviera Beach, Florida; $490,000 from Lake City, Florida; $130,000 from LaPorte County, Indiana; and $100,000 from the public school district in Rockville Centre, New York.
But recent research from Emsisoft, a New Zealand firm that specializes in ransomware, indicates that governments should think twice about paying for a decryption key to regain access to their files. Emsisoft’s work shows that Ryuk is designed to only partially encrypt larger files to ensure it spreads quickly, which can lead the decrypter to corrupt data in some cases. “Depending on the exact file type, this may or may not cause major issues,” the researchers wrote.
Ryuk was also seen in an attack last month against the state of Louisiana that prompted Gov. John Bel Edwards to issue his second emergency declaration of the year because of a cyber-attack. The virus frequently works in concert with banking trojans that steal financial information and credentials from recipients of phishing emails who open malicious links. When one of the trojans, TrickBot, determines that a compromised network can be infected with ransomware, the Ryuk virus is delivered and begins encrypting files.
“We’ve never confirmed any credentials were given out,” LaGrue said. “But when we look at how our environment was permeated, it was through a compromise of credentials that belong to city employees.”