City of Albany Latest Local Government Hit With RansomwareAttack Comes After Others That Targeted Counties
Albany, New York, is the latest unit of local government hit with ransomware in recent weeks, following similar attacks reported in Georgia and North Carolina that crippled government IT systems and disrupted service for local residents.
The latest incident happened on Saturday morning, with Albany officials working throughout the weekend to restore most services for residents and investigate the incident. The city's offices had reopened by noon on Monday, with most public services returned to normal. By Tuesday, city residents could access marriage licenses and certificates, but birth and death certificates were still affected by the incident, according to Mayor Kathy Sheehan.
**City of Albany Announces Service Availability Update** pic.twitter.com/ggOoyelywV— Albany Mayor Kathy Sheehan (@MayorSheehan) April 2, 2019
The payroll system for municipal workers, however, remained offline as of Monday, and employees were tracking their hours on paper, according to Steve Hughes, a reporter for the Albany Times Union.
As of Tuesday, there were no official updates on payroll.
So far, Albany officials are not releasing many details about the specific type of ransomware used again the IT systems, nor did Sheehan say whether any ransom was paid. A spokesman for the mayor's office did not respond to Information Security Media Group's request for additional information.
While Sheehan said that no personal data was taken by the attackers, other local officials expressed concern about the impact - and the lack of information provided by the city.
In a Facebook post Sunday, Gregory McGee, the vice president of the Albany Police Officers Union, notes that the police department had not been kept in the loop about the extent of the problems and the officers did not have access to the scheduling system, departmental email or other services.
This, in turn, could affect city residents.
"Also, the attack appears to be affecting the computers in the patrol cars in terms of incident and accident reports," McGee wrote Sunday. "Calls for service may take longer than expected to complete due to the fact officers do not have the tools at hand to provide the appropriate level of service. One has to ask the question of why a police department with sensitive information is on the same network that was so easily attacked. What are the contingency plans in an event like this?"
Rash of Ransomware
As the capital of New York, Albany is larger than some the other units of local government hit with these types of attacks recently, but the disruptions are similar, security experts say.
"With the proliferation of hacking tools, ransomware attacks can originate from anywhere, with a goal of financial gain or just plain disruption," says Praveen Jain, the CTO of Cavirin, a Santa Clara, California-based security company. "Even less sophisticated hackers are now in the game. Organizations must be even more diligent to properly train employees, and put the necessary processes and technical controls in place before an attack happens."
The rash of recent local-focused government security incidents started on March 1, when the IT systems for Jackson County, Georgia, came under attack by what local officials described as the Ryuk ransomware.
Security researchers and law enforcement began looking closer at Ryuk in late 2018 and early 2019 after the ransomware hit the printing facilities of the Tribune Publishing company. With Ryuk, the attackers look to target specific systems within the network. Criminal organizations appear willing to map the network for days or week before releasing the crypto-locking code.
In the case of Jackson County, local officials paid the $400,000 in bitcoin ransom to recover the IT systems and data, according to local news reports.
Then, on March 18, Orange County, North Carolina, sustained what a local television station described as the government's third ransomware attack over the last six years. In this case, the county isolated about 100 computers infected with the malware before it could spread further, officials told ISMG at the time.
While some services were offline for several days, a county spokesman told ISMG at the time that no data was taken. It's not clear what type of ransomware hit the county.
Many local governments are relatively easy targets for ransomware attackers because they lack the budget and staff to respond to an attack, Chris Morales, head of security analytics at Vectra, a San Jose, California-based threat detection and response firm, tells ISMG.
The motive for ransomware attacks can be financial gain or to cause disruption.
"It turns out most victims do not pay, and crypto mining has become a more lucrative form of financial gain for attackers," Morales says. "That leaves disruption of services, which I believe to be what is most likely happening here. The good news is that no data is being stolen in these attacks. The bad news is the cost to the city is going to be substantial."