Ryuk Eyed as Culprit in New Orleans Ransomware OutbreakState of Emergency Declared by City; Employees Ordered to Power Down Everything
(See update on recovery efforts.)
Ryuk ransomware is being eyed as the crypto-locking malware used against the city of New Orleans, which on Friday declared a state of emergency after its IT teams detected a ransomware infection spreading across city networks. The attack makes the Louisiana city one of a number of recent victims of crypto-locking malware extortion campaigns.
New Orleans city officials say suspicious network activity began at about 5 a.m. local time on Friday morning and was flagged at 11 a.m. At that point, officials say they immediately instructed all employees to turn off and disconnect their computers from the city network to try and limit the damage.
"At approximately 11 a.m. today, the city of New Orleans detected suspicious activity on its networks that indicated a potential cyberattack," the city said via its NOLA Ready Facebook page on Friday. "Out of an abundance of caution, all employees were immediately alerted to power down computers, unplug devices & disconnect from WiFi. All servers have been powered down as well. … Emergency communications are not affected."
"We were proactive, and I think this is a real example of that," New Orleans Mayor LaToya Cantrell said at a Friday afternoon press conference. At least at that point, she said the city had received no ransom demand from its attackers.
The attack led Cantrell to sign an order on Friday declaring a state of emergency. She said that the city expects to have to rebuild 4,000 PCs and 400 servers.
A declaration of a state of emergency has been filed with the Civil District Court in connection with today’s cyber security event. pic.twitter.com/OQXDGv7JS4— The City Of New Orleans (@CityOfNOLA) December 13, 2019
Officials say incident response is being coordinated via the city's Emergency Operations Center and that responders are working with cybersecurity personnel from the Louisiana State Police, the FBI's New Orleans office, the Louisiana National Guard as well as the U.S. Secret Service.
Kim LaGrue, the city's CIO, said at the Friday press conference that attackers appeared to have used phishing attacks to sneak the ransomware onto the city's network, but noted that the city's teams spotted it very quickly. "We expect that data loss has been extremely minimal," she said.
Much ongoing city business is now being conducted using internet access - not via city systems - together with pen and paper, but not for the first time.
"If there is a positive about being a city that has been touched by disasters and essentially been brought down to zero in the past, is that our plans and activity from a public safety perspective reflect the fact that we can operate with internet, without city networking," Collin Arnold, the city's director of Homeland Security, said at the press conference.
Ryuk Attack Likely
Based on files uploaded to the VirusTotal malware-scanning service on Saturday and spotted by Colin Cowie of Red Flare Security, the ransomware appears to have been Ryuk (see: 11 Takeaways: Targeted Ryuk Attacks Pummel Businesses).
"Looks like it encrypted their 'Contracts and Revenue' file share," Cowie tweeted. Bleeping Computer, which first reported Cowie's findings, noted that "memory dumps of suspicious executables" uploaded to VirusTotal on Saturday contained numerous references to both New Orleans and Ryuk.
Security experts say there appear to be at least two Ryuk-using cybercrime groups at work. Ryuk attackers are notorious for demanding relatively large ransoms in return of the promise of a decryptor, according to ransomware response firm Coveware. But it says Ryuk decryptor tools are so poorly built that they often shred files, even when victims do pay (see: Decryptor Bug Means Ryuk Victims Stuck in Ransomware Rut).
Back to Work
On Sunday, the New Orleans mayor ordered all employees to report to work as normal on Monday.
"City Hall will be open tomorrow, Monday, Dec. 16, for normal business hours. All city employees are expected to report to work as normal on Monday," city officials say in a statement. "The city remains actively involved in recovery efforts related to the cybersecurity incident last Friday, and individual agencies and departments will be impacted in various ways."
For example, the city's nola.gov site remains offline, although a temporary page has been created to handle 311 requests, including requests for service, paying parking and traffic-camera tickets, and for businesses to pay their monthly sales taxes, which remain due on Friday.
Officials say the city's emergency services remain fully operational, as does the fire department, and "the city's public safety cameras are functional and are recording" as part of its Real-Time Crime Center.
While the police department remains fully operational, officials say police are "documenting incidents manually," and continuing to use digital recording equipment. "Body-worn cameras and in-car camera footage continue to record and plans are in place to ensure the preservation of footage," the city says. "Temporarily, NOPD will not be able to run background checks for the public."
On Sunday, the city provided a long list of services that will not be available on Monday. For example, "Municipal and Traffic Court will be closed tomorrow, however Municipal Court will be hearing first appearances," the city said.
Louisiana: Repeat Victim
The attack against the city of New Orleans makes for a total of 104 federal, state, municipal governments and agencies to have been hit by ransomware so far this year, according to security vendor Emsisoft.
In a new report, Emsisoft says ransomware this year has also hit 759 healthcare providers, well as 86 universities, colleges and school districts, noting that up to 1,224 individual schools' operations have potentially been disrupted.
"The ransomware threat is at crisis level; governments must act immediately," Emsisoft's Brett Callow tells Information Security Media Group. "Put simply, they need to up their security game and do it quickly. If they do not, it is very likely that their data - and the public’s data - will leak. Increasingly sophisticated attack mechanisms mean that governments can no longer have subpar security and escape unpunished. Those days are over: they must invest to improve their resilience and preparedness.”
Louisiana is no stranger to ransomware attacks. In July, Gov. John Bel Edwards declared a state of emergency after multiple school districts were hit by ransomware. And last month, the state's own systems, including the department of motor vehicles, were hit by ransomware (see: Louisiana Government Recovering From Ransomware Attack).
Edwards said the state paid no ransom and restored systems from backups.
Over the weekend, meanwhile, Associated Press reports that three different Louisiana parish sheriff’s offices - the Rapides, Washington and Orleans parishes - reported being targeted by ransomware attackers. State officials in Baton Rouge are reportedly helping to respond to the incident, which has left at least some of the sheriff's offices using pen and paper.
Pensacola Continues Ransomware Recovery
The ransomware attack against New Orleans follows the Florida city of Pensacola getting hit by ransomware on Dec. 7. The city says it's still recovering from the attack, which the Pensacola News Journal reports involved Maze ransomware (see City of Pensacola Recovering From Ransomware Attack).
In the wake of the attack, city officials ordered numerous systems to be disconnected pending incident response operations, with the exception of emergency services, the city website and systems for obtaining a permit.
"The city of Pensacola has remained operational throughout the incident, but some services have been impacted while the network is disconnected, including city email, some city landlines, 311 customer service, and online bill payments, including Pensacola Energy and City of Pensacola Sanitation Services," the city said in a Dec. 9 statement, giving no estimate as to when all systems might be fully restored.
But on Thursday, the city issued a statement on the status of its response, noting that energy and sanitation online bill payment capabilities had been restored, although the call center was not yet fully operational, and noted that city employees had limited access to emails and that most landline phones were once again working.
"The majority of our servers are restored, and IT is working to get computers up and running in each department. We are currently in an assessment and recovery mode, and IT staff continue to work diligently to check all computers and fully restore our network," the city said. "We can confirm that this was a ransomware incident, but cannot provide additional details due to the ongoing investigation."