State of Emergency Declared by City; Employees Ordered to Power Down Everything
New Orleans Mayor LaToya Cantrell holds a press conference with members of the city’s public safety team. (Photo: Mayor’s office)
Ryuk ransomware is being eyed as the crypto-locking malware used against the city of New Orleans, which on Friday declared a state of emergency after its IT teams detected a ransomware infection spreading across city networks. The attack makes the Louisiana city one of a number of recent victims of crypto-locking malware extortion campaigns.
New Orleans city officials say suspicious network activity began at about 5 a.m. local time on Friday and was flagged at 11 a.m. At that point, officials say, they immediately instructed all employees to turn off their computers and disconnect them from the city network to try to limit the damage.
“At approximately 11 a.m. today, the city of New Orleans detected suspicious activity on its networks that indicated a potential cyberattack,” the city said via its NOLA Ready Facebook page on Friday. “Out of an abundance of caution, all employees were immediately alerted to power down computers, unplug devices & disconnect from WiFi. All servers have been powered down as well. … Emergency communications are not affected.”
“We were proactive, and I think this is a real example of that,” New Orleans Mayor LaToya Cantrell said at a Friday afternoon press conference. At least at that point, she said the city had received no ransom demand from its attackers.
The attack led Cantrell to sign an order on Friday declaring a state of emergency.
A declaration of a state of emergency has been filed with the Civil District Court in connection with today’s cyber security event. pic.twitter.com/OQXDGv7JS4
— The City Of New Orleans (@CityOfNOLA) December 13, 2019
Officials say incident response is being coordinated via the city’s Emergency Operations Center and that responders are working with cybersecurity personnel from the Louisiana State Police, the FBI’s New Orleans office, the Louisiana National Guard as well as the U.S. Secret Service.
Kim LaGrue, the city’s CIO, said at the Friday press conference that attackers appeared to have used phishing attacks to sneak the ransomware onto the city’s network.
Much ongoing city business is now being conducted over ordinary internet access rather than city systems, together with pen and paper, and not for the first time.
“If there is a positive about being a city that has been touched by disasters and essentially been brought down to zero in the past, is that our plans and activity from a public safety perspective reflect the fact that we can operate with internet, without city networking,” Collin Arnold, the city’s director of Homeland Security, said at the press conference.
Ryuk Attack Likely
Based on files uploaded to the VirusTotal malware-scanning service on Saturday and spotted by Colin Cowie of Red Flare Security, the ransomware appears to have been Ryuk (see: 11 Takeaways: Targeted Ryuk Attacks Pummel Businesses).
“Looks like it encrypted their ‘Contracts and Revenue’ file share,” Cowie tweeted. Bleeping Computer, which first reported Cowie’s findings, noted that “memory dumps of suspicious executables” uploaded to VirusTotal on Saturday contained numerous references to both New Orleans and Ryuk.
Security experts say there appear to be at least two cybercrime groups using Ryuk. Ryuk attackers are notorious for demanding relatively large ransoms in return for the promise of a decryptor, according to ransomware response firm Coveware. But it says Ryuk decryptor tools are so poorly built that they often shred files, even when victims do pay (see: Decryptor Bug Means Ryuk Victims Stuck in Ransomware Rut).
Top three ransomware strains, together with average ransom paid by victims, when they pay (Source: Coveware)
Back to Work
On Sunday, the New Orleans mayor ordered all employees to report to work as normal on Monday.
“City Hall will be open tomorrow, Monday, Dec. 16, for normal business hours. All city employees are expected to report to work as normal on Monday,” city officials say in a statement. “The city remains actively involved in recovery efforts related to the cybersecurity incident last Friday, and individual agencies and departments will be impacted in various ways.”
For example, the city’s nola.gov site remains offline, although a temporary page has been created to handle 311 requests, including requests for service, paying parking and traffic-camera tickets, and for businesses to pay their monthly sales taxes, which remain due on Friday.
Officials say the city’s emergency services remain fully operational, as does the fire department, and “the city’s public safety cameras are functional and are recording” as part of its Real-Time Crime Center.
While the police department remains fully operational, officials say police are “documenting incidents manually,” and continuing to use digital recording equipment. “Body-worn cameras and in-car camera footage continue to record and plans are in place to ensure the preservation of footage,” the city says. “Temporarily, NOPD will not be able to run background checks for the public.”
On Sunday, the city provided a long list of services that will not be available on Monday. For example, “Municipal and Traffic Court will be closed tomorrow, however Municipal Court will be hearing first appearances,” the city said.
Louisiana: Repeat Victim
The attack against the city of New Orleans brings to 104 the number of federal, state and municipal governments and agencies hit by ransomware so far this year, according to security vendor Emsisoft.
In a new report, Emsisoft says ransomware this year has also hit 759 healthcare providers, as well as 86 universities, colleges and school districts, noting that the operations of up to 1,224 individual schools have potentially been disrupted.
“Studies and audits have shown that governments do a poor job of managing their cybersecurity, and that needs to change very quickly,” Emsisoft’s Brett Callow tells Newsweek. “Ransomware groups are no longer simply encrypting data, they’re stealing it. If governments don’t bolster their defenses, there is a real possibility that their data – and the public’s personal information – will end up in the hands of cybercriminals.”
Louisiana is no stranger to such attacks. In July, Gov. John Bel Edwards declared a state of emergency after multiple school districts were hit by ransomware. And last month, the state’s own systems, including the department of motor vehicles, were hit by ransomware (see: Louisiana Government Recovering From Ransomware Attack).
Edwards said the state paid no ransom and restored systems from backups.
Louisiana Gov. John Bel Edwards in Lafayette on Aug. 3, 2016. (Source: Wikimedia Commons/CC)
Pensacola Continues Ransomware Recovery
The ransomware attack against New Orleans follows the Florida city of Pensacola getting hit by ransomware on Dec. 7. The city says it’s still recovering from the attack, which the Pensacola News Journal reports involved Maze ransomware (see: City of Pensacola Recovering From Ransomware Attack).
In the wake of the attack, city officials ordered numerous systems to be disconnected pending incident response operations, with the exception of emergency services, the city website and systems for obtaining a permit.
“The city of Pensacola has remained operational throughout the incident, but some services have been impacted while the network is disconnected, including city email, some city landlines, 311 customer service, and online bill payments, including Pensacola Energy and City of Pensacola Sanitation Services,” the city said in a Dec. 9 statement, giving no estimate as to when all systems might be fully restored.
But on Thursday, the city issued a statement on the status of its response, noting that online bill payment for energy and sanitation services had been restored, although the call center was not yet fully operational, that city employees had limited access to email, and that most landline phones were once again working.
“The majority of our servers are restored, and IT is working to get computers up and running in each department. We are currently in an assessment and recovery mode, and IT staff continue to work diligently to check all computers and fully restore our network,” the city said. “We can confirm that this was a ransomware incident, but cannot provide additional details due to the ongoing investigation.”