Enlarge / Louisiana state agencies were taken offline during the response to a Ryuk ransomware attack, but are now largely operational again thanks to backups.

In October, the Federal Bureau of Investigation warned of increased targeting by ransomware operators of ‘big game’ goals with deep pockets and critical data that would sooner pay ransom to restore their systems. The past week has shown that the warning was justified.

On November 18, a ransomware attack caused Louisiana’s Office of Technology Services to stop parts of its network, including the systems of several major government agencies. These include the office of the governor, the ministry of health (including Medicare systems), the ministry of child and family services, the ministry of motor vehicles and the ministry of transport. Louisiana Governor John Bel Edwards has activated the cyber security response team.

Today we have activated the state’s cyber security team in response to an ransomware attack attempt that is affecting some state servers. The Office of Technology Services identified a cyber security threat that struck some, but not all, state servers. #lagov #lalege

– John Bel Edwards (@ LouisianaGov) November 18, 2019

Although some services have been brought back online – in some cases within a few hours – others are still being restored. Most of the interrupted services were caused by “our aggressive actions to combat the attack,” said Louisiana commissioner Jay Dardenne. “We are convinced that we have not lost any data and we appreciate the patience of the public while we continue to offer services online in the coming days.”

We will pay you Ryuk (or Dopplel you)

The state did not pay the ransom demanded by attackers, who – based on the analysis of several investigators – used a variant of the same Ryuk ransomware that was used in attacks on the networks of various Louisiana school districts in July. That attack led Governor Edwards to declare a state of emergency to allow government agencies to assist local authorities in restoring the attack. Ryuk attacks this summer also affected the justice system of Georgia and at least two cities in Florida.

On November 15, the Charles-Nicolle University (CHU) hospital in Rouen, France, was hit by ransomware that spread over five sites. According to a report from Le Monde, the hospital was forced to close its networks to prevent the malware from spreading, and the staff were forced to use paper and pencil to follow patients. Although there were reports of a 1,500 euro ransom demand for each of the more than 6,000 affected computers in the hospital, a hospital spokesperson denied that a ransom request had been made and said none would be paid. From November 18, approximately 25% of the hospital applications were recovered.

Also on November 15, the government of the Canadian territory of Nunavut suffered a ransomware outbreak that affected around 5,000 computers throughout the territory. According to Nunavut spokesperson Chris Puglia, that attack used a variant of DoppelPaymer ransomware; the same malware hit the Mexican oil company PEMEX on November 12.

Enlarge / The PEMEX Tor payment site was posted a lot on social media.

Despite documentation of the Pemex attack, business executives continued to deny that the company was affected.

???? # Pemex????????reitera hacer caso omiso a boletines apócrifos que circulan and medios de información y redes sociales. Information about references and empresa productiva del Estado es publicada únicamente por vías institucionales y las redes oficiales.

– Petróleos Mexicanos (@ Pemex) November 17, 2019

According to security researcher Vitali Kremez, both the Nunavut and PEMEX ransomware attacks used the same Tor “hidden service” web portal. Within the portal, the actors behind the ransomware left the message that their attack rationalized: “We don’t care who you are and why this happens. Nobody died. That’s all.”

Although they may or may not use the same type of communication with victims as opportunistic attacks, DoppelPaymer uses a web portal similar to that of opportunistic attacks, while Ryuk saves communication via e-mail – both attacks were targeted rather than opportunistic. Although they can use similar initial compromise methods as opportunistic attacks (phishing, automated vulnerability scans and exploitation, or attacks with Remote Desktop Protocol), targeted attacks are the product of investigating a compromised network and releasing the ransomware only after it has been determined who has it target (and how likely it is that they will pay). As a result, they need less work for attackers because they reduce the number of victims they have to communicate with.

Falling revenues due to backups

Although it is not certain whether PEMEX paid the ransom from the company, the others did not pay, mainly because they had disaster recovery and backup systems and were able to restore functionality after it was interrupted. And that is, according to senior FBI cyber officials, a key to ending the continued growth of targeted ransomware attacks.

In a press conference attended by Ars Technica, senior FBI cyber officials said in the background that the only real way to stop ransomware attacks was improved “cyber hygiene.” That includes backups and software updates. As part of its efforts to raise awareness of state and local authorities regarding ransomware, the FBI recently organized a ransomware summit in Pittsburgh at Carnegie Mellon University.

But due to a number of problems, national and local authorities, as well as hospitals, have been an easy target for ransomware operators due to their dependence on legacy systems and the lack of organic information security skills. This year alone there are more than 100 reported ransomware attacks against national and local governments.

Similar Posts

Leave a Reply