The SamSam ransomware attack on the City of Atlanta that took down multiple essential city services for almost a week in March of this year showed just how vulnerable local government municipalities are to cybersecurity threats. Although the city refused to pay the associated ransom, the attack has proved costly beyond all initial estimates. The current price tag is set at $17 million, according to a seven-page document reviewed by two local media outlets. This estimate includes $11 million associated with the cleanup process as well as the purchase of new hardware. The remaining $6 million is allocated to third-party contractors for security services as well as essential software upgrades to shore up vulnerabilities.
All of this is the result of an employee who clicked a link embedded within an email. Approximately 90% of all cyber attacks begin with email. With cities rapidly digitizing services and incorporating smart city technologies that rely on edge-networked IoT devices, the growing trend of targeting local government municipalities seems certain to continue. The following is a short list of the many attacks witnessed this summer.
Five months after the Atlanta attack, the south metro Atlanta suburb of Coweta County lost the use of most of its servers, some down for nearly two weeks. The perpetrators of the attack were demanding 50 Bitcoin, the equivalent of about $340,000. Fortunately for the county, all systems had been backed up the night before the attack on August 19, which was a major reason why the county never considered paying. The IT staff was able to restore service to the local airport, public safety services, and voter registration within 48 hours. They then went about restoring services for the tag office, all court services and other departments over the following ten days.
The attack on Coweta County shows how recurring backups are an effective way to recover from a cyber attack such as ransomware. The attack could cost taxpayers $17 million, making it one of the most expensive suffered by local government in 2018.
Located just outside of Anchorage, Alaska, the Borough of Matanuska-Susitna is still recovering from a damaging attack that occurred on July 24. The borough is home to over 100,000 people, and municipal employees found themselves resorting to typewriters, stamp books and handwritten documentation. Although local endpoint protection software had picked up parts of the malware that infiltrated the network on July 17, it missed other components that lay dormant before initiating the infection a week later (this is a prime example of why you should not rely on a single layer of cybersecurity).
The ransomware infection crippled the borough's government networks and led the IT staff to shut down a large swath of affected IT systems. Cybersecurity experts report that the attack was highly advanced and managed to encrypt some of the borough's backups. As a result, the email system is irrecoverable, according to the IT Manager. Other systems are being restored with year-old data, forcing employees to manually rebuild affected machines.
This was a very insidious, very well-organized attack. The "virus" has been identified as the BitPaymer ransomware. This ransomware strain was first seen in July 2017, when it hit a string of Scottish hospitals. After gaining access to a hospital system, attackers move laterally across the network to install BitPaymer manually on each compromised system. It has been reported that the ransomware then encrypted files with a combination of the RC4 and RSA-1024 encryption algorithms. Researchers say there is currently no way to decrypt files locked by the BitPaymer ransomware.
Only days after that attack, the city of Valdez, Alaska lost the use of its entire network due to a separate attack on its facilities. According to the City Manager, the attack began with a few glitches in the police department’s website. After the installed antivirus system failed to combat the threat, all systems were shut down, preventing the crypto-virus from spreading to essential services. The FBI was alerted and the city managed to recover from the attack within a week.
In March of 2016, the Cloquet School District in Minnesota was forced to cancel school for a day in order to allow enough time for its IT staff to recover from a ransomware attack. The same scenario played out once again for the district on August 13. All school servers were encrypted in this attack as well, but the invaluable knowledge gained from the prior attack allowed the district to recover much faster and without too much interruption.
Meanwhile, a public high school in New Zealand learned the hard lesson of clicking on email-embedded links. As a result, Hawera High School students lost access to much of their recently completed work. The attack occurred on August 2, and the cybercriminals behind it asked for $5,000 to decrypt the files. Luckily, the school was in the process of migrating its data storage to the cloud, so much of the school's vital data was preserved untouched in cloud storage. Classes proceeded as scheduled, although teachers faced the challenge of teaching without the aid of technology for several days.
The City of Hong Kong found its Health Department the target of a ransomware attack that took place on August 3rd, 2018. The attack was the result of a cyber-breach that occurred two weeks earlier. Three of its servers were affected, with all of their data inaccessible and no communication from the attackers at all. Unlike the large-scale attack against the Health Department of Singapore just two weeks prior, which resulted in the loss of over 1.5 million healthcare records to hackers, no data was compromised and the department was able to restore the lost services.
Hong Kong has also seen several major hacking cases this year. In April, the personal data of 380,000 Hong Kong Broadband Network customers, including details of more than 40,000 credit cards, were accessed without authorization. In January, computers at two local travel agencies – Goldjoy Holidays and Big Line Holiday – were hacked and their clients’ personal information held for ransom.
With attackers employing increasingly sophisticated tactics and self-propagating techniques, it's more important than ever to block infections before they reach your network and spread.
Following a ransomware attack, a full system analysis must be conducted to ensure no backdoors have been installed and all traces of malware have been removed. Additional protections then need to be put in place to ensure that future attacks do not occur. The true cost of a ransomware attack is considerable. It is essential that businesses of all sizes have appropriate protections in place to prevent ransomware attacks and limit their severity if they do occur.
SamSam isn't going away anytime soon. One wrong click and you could be faced with similarly difficult decisions and large bills. Instead, prevent these emails from ever reaching your users' inboxes. SpamTitan checks every URL in an email against known blacklists - with 100% active web coverage. Protect your users from email links to malicious sites with SpamTitan.
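To make the URL-screening idea concrete, here is an added example (not SpamTitan's code, and not code from any of the incidents above) that does what a mail gateway does at its simplest: parse a message, pull every link out of the plain-text and HTML parts, and compare the link's host against a blocklist. The blocklist, the sample message and the hostnames in it are all constructed for this example. It also flags the lure that caught the employees in the stories above: an HTML link whose visible text shows one address while the href points somewhere else.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist for this example. A real gateway loads hostnames like these
# from its threat-intelligence feeds; a match on a host or any parent domain blocks.
BLOCKLIST = {"malicious.example", "bad-cdn.invalid"}

# Bare http(s) URLs in free text; stops at whitespace, angle brackets or quotes.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a>, so we judge where a link goes, not what it shows."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of [href, visible_text]
        self._current = None   # link currently being read, if any

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            href = {k.lower(): v for k, v in attrs}.get("href") or ""
            self._current = [href, ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "a":
            self._current = None


def html_links(msg):
    """Return (href, visible text) pairs from every text/html part of a parsed message."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            p = _LinkExtractor()
            p.feed(part.get_content())
            links.extend((href, text.strip()) for href, text in p.links)
    return links


def extract_urls(msg):
    """Return every http(s) URL found in the text parts, including HTML href targets."""
    urls = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    urls.update(h for h, _ in html_links(msg) if h.lower().startswith(("http://", "https://")))
    return urls


def normalize_host(url):
    """Lower-case the host and drop a trailing dot, so 'LOGIN.Evil.example.' matches 'evil.example'."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_blocked(host, blocklist=BLOCKLIST):
    """True if the host itself or any parent domain is on the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def mismatched_links(msg):
    """hrefs whose visible text is itself a URL on a different host: the classic lure."""
    return [href for href, text in html_links(msg)
            if URL_RE.fullmatch(text) and normalize_host(text) != normalize_host(href)]


def scan_email(raw_bytes, blocklist=BLOCKLIST):
    """Parse a raw RFC 5322 message and report blocklisted and look-alike links."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    blocked = sorted(u for u in extract_urls(msg) if is_blocked(normalize_host(u), blocklist))
    return {"blocked": blocked, "lookalike": sorted(mismatched_links(msg))}


# Constructed sample: the text part is benign, the HTML part shows the same portal
# address as link text but sends the click to a blocklisted host (mixed case, trailing dot).
SAMPLE_EMAIL = b"""\
From: accounts@example.com
To: clerk@city.example
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is overdue. Review it at https://portal.example.com/invoice/123
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Review it at
<a href="http://login.MALICIOUS.example./invoice">https://portal.example.com/invoice/123</a></p></body></html>
--b1--
"""

if __name__ == "__main__":
    print(scan_email(SAMPLE_EMAIL))
```

Two design points matter here. The host is normalized before the lookup, because attackers vary case and append a trailing dot precisely to slip past naive string comparison, and the parent-domain walk means a blocklist entry for a domain also covers every subdomain under it. A gateway that only looked at the plain-text part of this message would have passed it; the dangerous link lives only in the HTML href.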
To find out more about some of the key protections that you can put in place to improve your resilience against ransomware attacks, contact the TitanHQ team today.