30 Oct 2018
The city of West Haven, Connecticut was hit by a ransomware attack that ran for twenty-three minutes on Tuesday, October 16th and infected 23 servers. The city managed to contain the attack by 5:30pm the following day. With the help of MS-ISAC, a division of Homeland Security, police were able to determine the attack came from outside the United States. Federal authorities and local IT experts were unable to counter the attack, and the city decided the best course of action was to pay the $2000 ransom to unlock their servers. City attorney Lee Tiernan said that after weighing all factors, paying the ransom seemed the best approach. City officials did not comment on what type of ransomware crypto-locked their systems, but Bitcoin was used to pay the attackers. The city has hired TBNG Consulting to provide incident response and remediate services.
In an opposite reaction, Onslow Water and Sewer Authority (ONWASA) in Jacksonville, North Carolina reported it was hit by an attack on October 4th when Emotet malware infected its systems. They have vowed not to pay the attackers who have only contacted the company once to demand their ransom. Instead, ONWASA will rebuild its databases and computer systems from the ground up. Officials stated the attack was deliberately focused on the authority with a two-stage approach after Hurricane Florence.
After initial thoughts the malware was under control, ONWASA had to bring in outside security specialists who determined the malware launched a timed advanced virus known as Ryuk at 3am on Saturday, October 13th. Ryuk ransomware was the subject of an alert in August from the US Department of Health and Human Services that warned that once run, Ryuk destroys its encryption key and launches a BAT file that will remove shadow copies and backup files.
The US Federal Bureau of Investigation has notoriously warned ransomware victims to pay demands because paying only encourages more attacks, and there is no guarantee the victim will see their data decrypted. However, the Bureau itself admits that paying is sometimes the only way to try to recover precious data. Although ransomware growth has stalled in favor of crypto jacking, attacks are still happening, and healthcare, small utilities, and municipalities appear to be the preferred targets. The best defense is to be prepared not just for an attack but also for the recovery and cleanup process. The City of Atlanta’s ransomware cleanup cost has reached over $2.6 million.
Both West Haven and ONWASA state that there is no evidence any data or customer information was stolen.
Worried about ransomware? We’re the experts to call.