Cybersecurity and Ransomware
All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.
Here in the Meadow, we haven’t had too many cybersecurity incidents. Possibly we just aren’t on anyone’s radar...yet. Two towns in Alaska have not been this lucky lately, though. These attacks crippled the towns’ operations. Having your PC or smartphone infected and not functioning is disruptive enough. Having two towns’ infrastructure down is certainly not a pleasant experience.
The incident occurred on July 23, 2018. The compromise shut down the town’s operations, disrupting city services and slowing productivity to a snail’s pace. Valdez, also in Alaska, was affected as well. The systems shut down included those for the libraries, swimming pools, e-commerce, the local landfill, animal care, and collections. In addition, the phone systems and door lock card swipe systems were partially disabled. These were located in 73 different buildings.
A devastating effect of the attack involved the email system; after a careful review, it appeared not to be completely recoverable. The attack initially affected 60 Windows 7 PCs. When IT began trying to remove the malware, it spread to nearly all of the 500 workstations and 120 of the 150 servers. Although not specifically addressed, it appears the malware was set to spread once remediation activity started.
The servers fell victim to ransomware. All of the Windows-based production servers were encrypted. The attackers appear to have done the appropriate level of reconnaissance, as even the backup and Disaster Recovery (DR) servers were affected. In theory, these should not have been affected, as they were engineered and configured to not be vulnerable to the known attacks and exploits. The attackers used the BitPaymer ransomware tool and the Emotet Trojan, which leveraged zero-day attacks. These had apparently been on the system since at least May 3, 2018, with an exploit date of July 23, 2018.
The staff was forced to use a pen, paper, and typewriters. It sounds as though they had a very bad day. The end goal for the attack may not have been totally financial. Due to the robust and well-thought-out nature of the attack, there may have been more involved. To remediate the issue, the borough began to reimage from the back-ups. A portion of these were a year old.
Financially, this attack was rather serious. The total estimated cost was $1.4M to restore the systems and servers. For a town, this is a massive amount. Thankfully, the borough did have $1M of insurance.
The Alaskan municipalities appear to be viable and continued targets. The city of Valdez was successfully attacked as well. The Valdez attack was so thorough that the staff was reduced to working with pen and paper. The initial symptom was a few glitches in the system, ranging from not being able to log in to accounts to other issues. A few viruses were found at this point, as the attack began on July 25-26, 2019. The issue became significantly worse on Friday with a Police Department website outage. This grew until nearly all of the systems had to be shut down, including phone, email, finance, and payroll. This infected 27 of their servers and 170 computers.
The underlying issue was ransomware. The attack was indeed robust; however, the residents’ personal information did not appear to be compromised. The city contracted with a firm from Virginia for a forensic review. To be proactive, the city is working to have a better method for upgrades and for tracking changes. In the short term, the city did pay the ransom (4 bitcoin, or $26,623.07 at the time) for the decryption key.
Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.