Ryuk ransomware implicated in City of New Orleans shutdown

The malware has struck several US municipalities in 2019

ANALYSIS The cyber-attack that prompted the City of New Orleans’ mayor to declare a state of emergency on Friday (December 13) is the latest in a string of attacks on city and state governments to be linked to the Ryuk ransomware.

New Orleans Chief Information Officer Kim LaGrue confirmed during a press conference that suspicious activity on the city’s networks – including evidence of phishing and ransomware – had prompted the city to quarantine systems and pull the plug on its website.

A day later, Bleeping Computer revealed that executables containing references to Ryuk and New Orleans City Hall – including domain names, domain controllers, internal IP addresses, user names, and file shares – had been found within memory dumps handed to them by Red Flare Security researcher Colin Cowie.

However, the City of New Orleans has yet to confirm or deny whether Ryuk is involved.

NOLA Ready, the Louisiana city’s emergency preparedness campaign, confirmed that the city had powered down its servers, taken down all NOLA.gov websites and instructed employees to shut down their computers after discovering a potential breach at 5am on Friday morning.

Ready or not

Although workers have reverted to using pen and paper, NOLA Ready, which is managed by the Office of Homeland Security & Emergency Preparedness, has tweeted that City Hall was “open as usual”, but that “some services may be delayed”.

Emergency services, including the 911 emergency and 311 city service phone lines, were not disrupted, it also said on Twitter.

A tweet posted Monday also confirmed that “permits and inspections are being completed, employees would be paid as normal.”

Residents can pay taxes and tickets through a temporary government website, with the vendor payment system expected to be back online by the end of the week.

LaGrue told journalists that data loss should be “very minimal” since the city had offline backups of its files and applications.

Referencing the city’s recent traumas with natural disasters, most notably 2005’s Hurricane Katrina, Collin Arnold, New Orleans' homeland security director, told Nola.com that “our plans and our activities reflect the fact that we can operate without the internet and without a city network.”

Ryuk has become a weapon of choice for cyber-extortionists, with local government and healthcare organizations among the favoured targets.

Attackers harnessing Ryuk, which emerged in 2018, have successfully extracted ransom payments from Jackson County, Georgia; Riviera Beach, Florida; Lake City, Florida; and LaPorte County, Indiana in 2019.

The city of New Bedford in Massachusetts, however, restored systems without paying the ransom.

Ryuk hit 110 nursing homes and 400 veterinary hospitals in the US, as well as Spanish security firm Prosegur, in November alone.

US-based cloud hosting provider DataResolution.net fell prey to the malware in January.

Perfect storm

A report published just hours before the attack on New Orleans by Emisoft has revealed that more than 100 federal, state and municipal governments and agencies have been hit by ransomware in the US this year, including the Louisiana state government only last month.

Sam Curry, chief security officer at Cybereason, said government targets made for compelling targets.

“The governance changes frequently, and IT has grown irregularly and often without formal rationale, especially in the smallest towns,” he said.

“As a result, ransomware has hit many with no contingencies for a cyber crisis, no departments with bench strength and no know-how within the organisational structure.”

He added: “It's a perfect storm, and cities are advised to treat cyber like they would highways, zoning and education: systematically and as a core function.”

The wave of attacks, most notably the debilitating attacks on state governments in Atlanta in 2018 and Baltimore this year, have spurred Congress to take legislative action.

The State and Local Government Cybersecurity Act, which passed the Senate on November 21, would provide additional federal funding and support to state and local governments, from the National Cybersecurity and Communications Center (NCCIC), Department of Homeland Security (DHS).

And the Strengthening State and Local Cybersecurity Defenses Act, which would empower the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to engage more extensively with municipalities and other stakeholders, was put before Congress last week.