Ransomware (Sodinokibi/REvil) Attacks Rising Against Many Cities, Striking Local Governments & School Campuses

Several states and cities – Georgia, Boston, Maryland, and Texas among them – have become victims this year of ransomware attacks that left them in desperate straits. The most recent attack, in Texas, was the worst to date and brought the total number of attacks on US state, city and county government entities to 70 so far for 2019. Attacks on these city governments represent 60 percent of all ransomware strikes in the US this year, per a recent report from Barracuda Networks.

The towns affected range from bigger cities to mid-size cities of 50,000 down to smaller towns with fewer than 15,000 people. The smaller the town, the more likely its technological sophistication and resources are minimal.

Texas Experiences Biggest Ransomware Hit So Far with 23 Towns Impacted

In Texas, state officials confirmed that 23 towns had their computer systems seized by hackers, all of whom demanded ransom. The FBI was brought in to investigate the city government breaches. Investigators did not immediately identify the perpetrators, but the Texas Department of Information Resources has said it believes the attacks were carried out by the same bad actor, likely operating from outside the US, possibly Eastern Europe or Russia. Later, the ransomware was determined to be Sodinokibi (REvil), a family believed to have previously circulated as the GandCrab malware.

All the cities haven’t been officially named, but they are in rural areas. Officials in Borger, Texas said their city business and financial operations were affected. In Keene, Texas, outside Fort Worth, population 6,100, no residents could make utility payments. A timeframe for returning to normal operations isn't known yet. In Massachusetts the public defender agency, and in Georgia the court system and public safety department, were all affected. Utah has also been hit.

The Hackers Got in Through a Third Party - Again

State officials would not comment on the nature of the attack or confirm the ransom amount. But the mayor of Keene, Gary Heinrich, said the city’s information technology software is managed by a third party, and the hackers gained access there. Many other clients use the same IT provider because they’re too small to have their own IT staff. Hackers are often successful this way, finding the weakest link in the chain via an outsourcer’s systems.

Researchers at Recorded Future have observed that these kinds of ransomware attacks are increasingly targeting state and local governments. They found 169 examples since 2013 and over 60 this year.

The hackers lure their targets with the old trick of baiting them with an email carrying links or attachments that infect the system when clicked.

To Pay or Not to Pay, That Is the Question

Keene Mayor Heinrich reported that everything they do at City Hall is impacted and that the hackers were seeking $2.5 million in exchange for the locked data. He couldn’t speak for others, but he said his team would not give in to the demands. Sometimes small governments are desperate enough to feel they have to give in to the demands and hope that once they pay, the hackers will restore their data. In Lake City, Florida, with a population of 12,000, government officials paid $460,000 in bitcoin. Police relayed that staff shut down and disconnected computers in City Hall room by room. The city had cyber insurance, which covered the ransom less the $10,000 deductible.

Some smaller victims have acquiesced and paid the hackers from tens of thousands to millions of dollars to get their data back. In the cases where the hackers actually honored the exchange (a distorted honor among thieves), the hackers provided decryption keys so the victims could decrypt the computers and servers the hackers had encrypted in the first place. In other states, a small town in Pennsylvania paid $21,250 after being attacked in May, and two towns in Florida paid over $1 million in June after being infected by Ryuk malware.

The Recorded Future study found that, though it’s discouraged, 17% of those struck by ransomware paid the demand. This may have gotten them their data back, but the reward serves to incentivize the criminals. Still, desperate times lead to desperate measures. If an agency or organization has no backups, or cannot get to its backups, it may decide it has no better option. Along with government agencies, businesses like hospitals and health care organizations have been targets of cybercriminals for years; the hackers count on heightened desperation. Clearly, organizations need to invest more time and funding in better defenses before they find themselves in a dire situation.

Ransomware Attacks Also Striking Schools

Local and state governments aren’t the only city entities being undone by ransomware attacks. School campuses are also an increasingly popular target of cyber attackers.

Dothan, Alabama, in Houston County, had its data held hostage by a ransomware attack, and the school district had to push back its first day of school by 5 days.
Several Louisiana schools were also hit by malware, prompting the governor to declare a statewide emergency. (See our Campus Life Security story: Why School Systems Have Become Major Targets for Cyberattackers.)

What’s Next?

The surest thing of all is that hackers will keep on successfully hacking. The question is whether your network will be able to fend off their devious methods.

The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security’s computer network and infrastructure security branch, released a report at the end of July this year: CISA, MS-ISAC, NGA & NASCIO Recommend Immediate Action to Safeguard Against Ransomware Attacks.* The report provides guidance, policies and advisories to increase preparedness against these growing threats.

Virsec Ransomware Demo

Virsec has some recommendations of its own. Guarding applications is a critical step in blocking ransomware attacks. Virsec has prepared a demo that shows advanced hacking tools in action as they carry out a multi-step ransomware attack; the Virsec Security Platform immediately sees and stops the attack at every stage. Watch the ransomware demo now.

Further resources:

Campus Life Security story: Why School Systems Have Become Major Targets for Cyberattackers

Massive Biometric Data Breach Creates Chaos for MSSPs

New Cyber Security Directive Forces Federal Agencies to Patch Vulnerabilities in 15 Days

White Paper: Why Web Application Firewalls Are Not Enough

EternalBlue reaching new heights since WannaCry outbreak

It’s official: North Korea is behind Wannacry

*CISA report: