20 December 2019

More ransomware attacks

In early December 2019, three new ransomware attacks were reported almost at the same time.

As a result of a Maze ransomware infection, the city authorities of Pensacola in Florida, USA had to take most of the city’s computer systems offline, including phones and emails at City Hall, landline telephones, as well as Pensacola 311 customer service, online payment systems at Pensacola Energy, and other services.

The cyberattack started on the morning of December 7. The attackers demanded $1 million in ransom. In addition, the attack caused officials to be concerned about a possible personal data leak, because Maze malware not only encrypts files, but also automatically copies all affected files to the malware operators’ servers.

Work related to restoring systems to normal operation continued through December 11. No information is available on whether ransom was paid in this case.

The second attack took place in New Orleans, Louisiana. Like the Pensacola attack, it affected the computer networks of the city administration and municipal services. The attack was discovered on Friday, December 13, at 5 AM local time, when suspicious activity was first detected on the network. By 8 AM, when city employees started to turn on their computers, the malicious activity increased and the city authorities promptly launched an investigation. It was decided to power down employees’ computers and most of the servers used by City Hall and municipal services. The 911 service, police department and fire department continued to take calls.

There is no definitive information on the ransomware used in the attack. It has been suggested that the attack on the City of New Orleans was likely carried out using the Ryuk ransomware. This suggestion is based on an analysis of executable file memory dumps uploaded to VirusTotal. This information has not been officially confirmed to date.

In one more incident, which took place in the Czech Republic on December 11, attackers infected the computer network of a hospital in the town of Benešov with ransomware, which encrypted data on the medical facility’s systems.

The attack was carried out at about 2 AM. Computers in the surgical clinic slowed down and about an hour later the hospital’s entire internal system was down. The malware penetrated the firewall and evaded two antivirus products. As a result, all of the hospital’s IT systems, including all laboratory instruments, stopped working.

The cyberattack made it impossible for the hospital’s staff to do X-rays, ultrasound examinations or laboratory tests. All planned operations were postponed and some of the patients had to be moved to hospitals in nearby towns.

Sources: Bleeping Computer, Pensacola News Journal, Czech News Agency