
Hackers infecting the computer systems of the city of New Bedford, Massachusetts, with ransomware wouldn't settle for anything less than $5.3 million to decrypt the data. The ransom was too high and they got a big fat nothing in return.
The attack occurred on Friday, July 5, before working hours, and details remained unknown at the time as cybersecurity consultants "strongly advised" against providing information about the attack.
Blame it on greedy Ryuk
In a communication on Wednesday, Mayor Jon Mitchell disclosed that the city fell victim to a ransomware attack that affected 4% of the City's computers, or 158 workstations.
The infection did not spread to other machines because Management Information Systems (MIS) staff contained the encryption process by disconnecting servers and shutting down workstations on the network.
Mitchell says that the attacker deployed a variant of Ryuk ransomware, a threat which according to Malwarebytes has climbed to the top spot in the list of file-encrypting malware targeting businesses.
The Providence Journal reports that the attackers demanded a bitcoin cryptocurrency payment of $5.3 million for the release of the data decryption keys.
The city tried to negotiate for $400,000, which was in line with payments from other cities hit by ransomware attacks. The offer was rejected and negotiations ended there, as the hackers made no new demand and the city decided to try to recover the data on its own.
Lesson learned
For Ryuk incidents, cybersecurity company Emsisoft says they can decrypt files in 3% to 5% of the cases. The ID Ransomware service can confirm if decryption works with a particular sample or not.
Not paying the ransom has been a strong recommendation from the infosec community for years, since giving in to the attacker's demand keeps the ransomware business humming.
Administrators of this sort of malware are making big money and have partnered up with other cybercriminals for distribution to victims. One of the most recent ransomware families is Sodinokibi. Although its activity only started in April, the average payment for decrypting a network of computers is already $150k. Its handlers have already found affiliates to spread it in exchange for a portion of the ransom.
Creating backups and storing them off the main network is a good way to prevent significant losses and lower the downtime caused by a ransomware attack.
"The City’s MIS Department has now completely rebuilt the City’s server network, restored most software applications, and replaced all of the computer workstations that were found to be affected."
Mayor Mitchell said that systems will continue to be restored and the city will be vigilant for such incidents in the future. Without offering details, the mayor states that additional measures will be taken to avert these episodes.

Comments
Peter_M - 4 years ago
Comments like these mask the true nature of what happened, I currently have to investigate multiple Ryuk attacks every day, so let me translate:
"In a communication on Wednesday, Mayor Jon Mitchell disclosed that the city fell victim to a ransomware attack that affected 4% of the City's computers, or 158 workstations."
= That 4% was likely all or most of their servers, which is what Ryuk concentrates on. They also manually delete backups and reset snapshots before launching the attack.
"The infection did not spread to other machines due to Management Information Systems (MIS) staff's response to contain the data encryption process from spreading by disconnecting servers and shutting down workstations on the network."
= Ryuk does not spread, it is deployed by the attackers to a predefined list of computers. In most attacks they will use PsExec and some batch files that include stolen domain admin creds. Copying and executing the Ryuk exes typically takes less than an hour to complete depending on the amount of machines targeted. By the time the victim spots what's going on it is too late. Most attacks also happen in the middle of the night while admins are sleeping.
My advice to victims is check for new AD accounts and disable any you don't recognize, especially any called "Martin Stevens" as that is a favorite of theirs atm. Look for the batch files, often found in a folder created by the attackers "C:\Share$", typically on a DC. Reset every admin password. Importantly, look at the PowerShell logs for executions in the days leading up to the attacks; you are looking for anything with long strings of base64 encoded text. The base64 will typically start with "sqb" or "jabz". If you find these, decode the multiple layers of obfuscation and you will get either a PEmpire or Cobalt Strike C2 which you need to block on your firewall.
Also in case you didn't know already, if you have been hit by Ryuk you are also infected with the TrickBot malware, so you also need to deal with that. You have most likely been infected with TrickBot for weeks or months prior to Ryuk.
Advice to future victims..........BACKUP YOUR SYSTEMS! OFFSITE AND OFFLINE! If your admins can access your backups, so can the hackers.
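A small detection script that applies the PowerShell-log heuristic from the comment above, added here as an illustration and not the commenter's own code: it flags long base64 runs whose UTF-16LE prefix decodes to "I..." or "$..." ("sqb"/"jabz"), peels nested encoding layers, and pulls out any URL a defender would want to block. The log format, hostname and C2 URL are constructed placeholders.

```python
import base64
import re
# Long base64 runs; UTF-16LE text starting with "I"/"$" encodes to "SQB"/"JAB" (e.g. IEX, $s).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SUSPECT_PREFIXES = ("SQB", "JAB")
URL_RE = re.compile(r"https?://[^\s'\"\)]+")

def decode_layer(blob):
    """Decode one base64 blob as UTF-16LE PowerShell text; None if it is not one."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c.isspace() for c in text) else None

def unwrap(blob, max_depth=5):
    """Peel nested base64 layers, returning the decoded text of each layer."""
    layers, queue = [], [blob]
    while queue and len(layers) < max_depth:
        text = decode_layer(queue.pop(0))
        if text is not None:
            layers.append(text)
            queue.extend(B64_RUN.findall(text))  # candidate blobs for the next layer
    return layers

def scan(log_lines):
    """Flag lines carrying suspect encoded commands; report depth and any URLs found."""
    findings = []
    for line in log_lines:
        for blob in B64_RUN.findall(line):
            if not blob.upper().startswith(SUSPECT_PREFIXES):
                continue
            layers = unwrap(blob)
            urls = sorted({u for t in layers for u in URL_RE.findall(t)})
            findings.append({"line": line[:19], "depth": len(layers), "urls": urls})
    return findings

def ps_b64(text):
    """Encode text the way PowerShell's -EncodedCommand expects (UTF-16LE base64)."""
    return base64.b64encode(text.encode("utf-16le")).decode()

# Constructed sample log (not incident data): a two-layer encoded command holding a
# placeholder C2 URL, plus a benign line that must not fire.
INNER = "$s = 'http://c2.example.invalid/beacon'; Write-Host $s"
OUTER = ("IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
         + ps_b64(INNER) + "')))")
SAMPLE_LOG = [
    "2019-07-04 02:13:55 DC01 ScriptBlockText: powershell -nop -w hidden -enc " + ps_b64(OUTER),
    "2019-07-04 02:14:01 DC01 ScriptBlockText: Get-Service -Name Spooler",
]
```

Running `scan(SAMPLE_LOG)` reports one finding with two decoded layers and the placeholder URL; the benign line produces nothing.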
chadf - 4 years ago
Victims should start taking a page out of the movie Ransom (1996). Offer whatever amount they demand as a reward for the successful arrest and conviction of those responsible. The greedier they are, the bigger the bounty on their head. Since we're talking about criminals, chances are their associates/friends would turn them in, in a heartbeat, for the reward money.
The only down side would be needing to take extra steps to verify the perpetrators didn't frame someone else and try to collect the reward.