Municipalities have a very distinct problem. They are frequently targeted for ransomware and other attacks, as the attackers know their systems generally are not fully secure unless they have recently been successfully attacked and have corrected and mitigated the issues. This is driven by budgetary constraints, which keep the city, county, etc. from hiring exceptional talent, purchasing the tools needed in a timely manner, and meeting the other requisite needs of cybersecurity. While this is a Catch-22, it leaves these organizations in the wind, hoping to be obscure enough that they are not noticed and attacked. Even a failed attack can have negative effects on operations for many reasons.
One of those targeted was the city of Florence, located in Alabama. Florence, much like the city in Italy, sounds like an amazing place to live, located on the banks of the Tennessee River with many festivals and other attractions. With nearly 40k residents, this is not a massive metropolis. Of all the places to target, you have to wonder why Florence?
As you can guess, the city’s computer system had been successfully attacked. The entry point was the email system. Specifically, this was a phishing attack, and the unfortunate phishee was Steve Price, the IT Manager. His credentials were acquired as part of the attack. The phishing email was one of the many samples of the DHL email, where there are dozens of email recipients, all receiving the same package with the same tracking number on the same day. These emails are fairly obvious as to what they are really there for.
The illustrious, yet distinguished Brian Krebs notified the mayor’s office of their system’s compromise on May 26. From the published accounts, the city somehow did not know of the breach prior to this. This is odd, as someone in the IT Department should seemingly have noticed a strange IP address accessing the system and pulling data from the network. The following day the System Administrator did contact Mr. Krebs to let him know the affected computer and network account had been isolated and were not in service. It appears the SysAdmin did not quite understand the capabilities of the attackers at this point. On June 5, 2020, the attackers finished deploying the ransomware and began their demand for the ransom payment. The city had 12 days to fully defend against the attack; unfortunately, however, it did only part of the work required to address the issue.
When the city began to review the situation, it did not appear that any of the affected systems’ data had been deleted or exfiltrated. This turned out to be a little too optimistic on the city’s part.
On a side note, the attack occurred while the IT department was attempting to have the City Council approve the expense for a third party to do a penetration test of the IT systems.
The attackers are not working through the attack cycle for practice or for the mental gymnastics of it. This has been operationalized into a business, and a rather profitable one measured by the return on investment (ROI). In this case, the attackers were DoppelPaymer. Their initial ransom demand was $378k in bitcoin. The amount was negotiated down to $330k by a third-party firm, still in bitcoin. This does seem like a rather large sum, given the size of the city. The attackers, however, have realized the power of their leverage on the systems.
Once the city had the opportunity for a quick review, the city’s IT department and a third party contracted by the city (Arete Advisors) began to adequately investigate the issue. As time passed and more effort was placed into the investigation, the city realized the attackers may have at least a portion of the data on the affected systems. The city noted that it simply did not know. One would presume the attackers had sufficient access that they could have taken whatever data they wanted. On this note, the investigation found the attackers had access beginning in early May 2020 and continued this for nearly the remainder of the month. During this time, the attackers had free access to roam about and check out the network. They did borrow, without authorization, the personal information of the city’s employees and customers.
As the city saw the writing on the wall, the city council voted unanimously to pay the ransom. The funds were to be paid from the insurance fund available for these types of issues.
A curious point with this is that the city required the attackers, DoppelPaymer, to provide proof that they would delete the stolen information they have. The curiosity is, other than a promise or a pinky-swear, there really isn’t a way to prove they will delete the data. This is one of the many problems with paying the ransom. The organization is depending on the attackers to follow through and not leave a back-door or recurring malware on the system. Historically, the attackers have followed through and have not left any surprises behind to make later attacks easier. They say there is honor among thieves; however, I would not bet on it. The city naturally is also working with law enforcement in the matter.
As of June 13, 2020 (10:46 EST), the online network was down. While the website did note an apology, no reason was given.
If you are management, a SysAdmin, or on the cybersecurity team, please consider this occurrence, or any of the thousands of other successful ransomware attacks, as an example of why training and an adequate SIEM are so important. While cybersecurity is the focus of the cybersecurity department or team, it is still everyone’s job to be vigilant and not be click-happy. If staff aren’t expecting an email, don’t know the person or organization it is from, or are simply left wondering whether the link or attachment is appropriate, they should not click it. This will save so much time, energy, frustration, etc. for the staff and the budget.
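Two of the signals this incident turned on are easy to express as SIEM-style rules: the mass-mailed "DHL package" lure (one tracking number landing in many inboxes on the same day) and an account suddenly signing in from an IP address it has never used before. The Python below is an added example written for this article, not tooling from the city or its investigators; the log records, usernames and IP addresses in it are constructed.

```python
import re
from collections import defaultdict

# Constructed mail-gateway records: (date, recipient, subject). Not real city data.
MAIL_LOG = [
    ("2020-05-04", "alice@city.example", "DHL: package 7723819 is waiting for you"),
    ("2020-05-04", "bob@city.example", "DHL: package 7723819 is waiting for you"),
    ("2020-05-04", "carol@city.example", "Your DHL parcel 7723819 could not be delivered"),
    ("2020-05-04", "dave@city.example", "DHL: package 7723819 is waiting for you"),
    ("2020-05-04", "erin@city.example", "DHL: package 7723819 is waiting for you"),
    ("2020-05-04", "alice@city.example", "Invoice 20200504 for tree trimming"),
]

# Constructed sign-in records in time order: (timestamp, user, source_ip, result).
AUTH_LOG = [
    ("2020-05-01T08:02", "sprice", "10.20.0.15", "success"),
    ("2020-05-02T08:10", "sprice", "10.20.0.15", "success"),
    ("2020-05-04T23:41", "sprice", "203.0.113.77", "success"),
    ("2020-05-06T02:13", "sprice", "203.0.113.77", "success"),
    ("2020-05-06T02:20", "jdoe", "198.51.100.9", "failure"),
]

TRACKING = re.compile(r"\b\d{7,}\b")  # long digit runs used as "tracking numbers"

def tracking_bursts(mail_log, min_recipients=4):
    """Group mail by (day, tracking number), so subject variants of one lure still
    merge, and report groups hitting many inboxes: {(day, tracking): count}."""
    inboxes = defaultdict(set)
    for day, rcpt, subject in mail_log:
        m = TRACKING.search(subject)
        if m:
            inboxes[(day, m.group())].add(rcpt)
    return {k: len(v) for k, v in inboxes.items() if len(v) >= min_recipients}

def first_seen_ip_logins(auth_log):
    """Walk sign-ins in order and flag a successful login from an IP the user has
    never used before (once a baseline exists). Returns [(timestamp, user, ip)]."""
    known = defaultdict(set)
    flagged = []
    for ts, user, ip, result in auth_log:
        if result != "success":
            continue  # failed attempts do not establish or violate a baseline here
        if known[user] and ip not in known[user]:
            flagged.append((ts, user, ip))
        known[user].add(ip)
    return flagged

if __name__ == "__main__":
    print(tracking_bursts(MAIL_LOG))       # {('2020-05-04', '7723819'): 5}
    print(first_seen_ip_logins(AUTH_LOG))  # [('2020-05-04T23:41', 'sprice', '203.0.113.77')]
```

The invoice subject also contains a long digit run but reaches only one inbox, so it is not flagged; the second sign-in from the new IP is not re-flagged because the first one already added it to the baseline, which is where an analyst review or a revocation step would be expected.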
Associated Press. (2020, June 11). Alabama city to pay $300,000 ransom in computer system hack. Retrieved from https://www.newsobserver.com/news/business/article243452091.html
Associated Press. (2020, June 12). Alabama city to pay $300,000 ransom in computer system hack. Retrieved from https://www.securityweek.com/alabama-city-pay-300000-ransom-computer-system-hack
Brown, M., & Delinski, B. (2020, June 11). City of Florence out nearly $300,000 after ransomware hack. Retrieved from https://www.waff.com/2020/06/11/city-florence-out-nearly-after-ransomware-hack/
City of Florence. (n.d.). Florence, Alabama. Retrieved from https://florenceal.org/
Delinski, B. (2020, June 11). Florence pays nearly $300,000 in bitcoin ransom. Retrieved from https://www.timesdaily.com/news/local/florence-pays-nearly-300-000-in-bitcoin-ransom/article_5dd1200e-58f6-53a5-a3e1-5d7b90edf179.html
Erazo, F. (2020, June 10). Alabama city plans to pay ransomware group despite warnings. Retrieved from https://cointelegraph.com/news/alabama-city-plans-to-pay-ransomware-group-despite-warnings
Freedman, L. (2020, June 12). Alabama city hit with ransomware. Retrieved from https://www.jdsupra.com/legalnews/alabama-city-hit-with-ransomware-40970/
Goud, N. (2020, June). Ransomware attackers demanding $300,000 from Florence city of Alabama. Retrieved from https://www.cybersecurity-insiders.com/ransomware-attackers-demanding-300000-from-florence-city-of-alabama/
Jackson, J. (2020, June 10). City of Florence agrees to pay nearly $300,000 ransom after cyberattack. Retrieved from https://whnt.com/news/shoals/city-of-florence-agrees-to-pay-nearly-300000-ransom-after-cyberattack/
Krebs, B. (2020, June 9). Florence, Ala. hit by ransomware 12 days after being alerted by KrebsOnSecurity. Retrieved from https://krebsonsecurity.com/2020/06/florence-ala-hit-by-ransomware-12-days-after-being-alerted-by-krebsonsecurity/
Lincoln Journal Star. (2020, June 11). Alabama city to pay $300,000 ransom in computer system hack. Retrieved from https://journalstar.com/business/alabama-city-to-pay-300-000-ransom-in-computer-system-hack/article_70114db5-92bd-5ecb-9a5e-edf5f3cf3b24.html
Paganini, P. (2020, June 12). City of Florence to pay $300,000 ransom after ransomware attack. Retrieved from https://securityaffairs.co/wordpress/104666/breaking-news/city-of-florence-ransomware.html
SANS. (2020, June 12). Newsletters: Newsbites. Retrieved from https://www.sans.org/newsletters/newsbites/xxii/47
Schwartz, M.J. (2020, June 12). City pays ransom despite pre-ransomware outbreak hack alert. Retrieved from https://www.bankinfosecurity.com/city-pays-ransom-despite-pre-ransomware-outbreak-hack-alert-a-14427
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.