Two ‘Russian’ Ransomware Attacks Take Down North Carolina City And County Government Systems

Updated Mar 10, 2020, 08:51am EDT

The same Russian ransomware that is thought to have been responsible for the City of New Orleans state of emergency last year has now struck Durham City and the County of Durham in North Carolina.

As 2019 drew to a close, the City of New Orleans was hit by a ransomware attack thought to be attributable to Ryuk. That attack was severe enough for Mayor LaToya Cantrell to declare a state of emergency. Now the City of Durham and Durham County, in North Carolina, have had to shut down networks after being hit by the same Russian ransomware.

What just happened in North Carolina?

The City of Durham and Durham County Government IT systems were subject to a successful cyber-attack late Friday evening, March 6. Malware detection systems kicked in to provide immediate notification of the attack, and networks were closed down to prevent further spread.

The incident was described as a cyber malware attack, or rather "two separate attacks," at a press conference held by officials Monday, March 9. Thomas Bonfield, Durham City manager, said that while the malware had "been contained" and the city was in recovery mode, "most city networks and phones remain intentionally offline during the initial stages of the recovery process." Bonfield said that the National Guard cybersecurity team was helping with the recovery effort. It should be noted, however, that critical public safety systems, including access to the 911 network, remained operational thanks to the emergency cyber-attack remediation process.

Kerry Goode, chief information officer for the City of Durham, said that the city had "planned for this day to occur." Goode also said that the malware had been "clearly identified" as being Ryuk, a notorious ransomware threat. No ransom note, no demand for money, had been received by the time of the press conference, according to Goode.

Around 80 "contaminated" servers will need to be rebuilt, and some 1,000 compromised computers are to be re-imaged, to get the city and county systems up and running as soon as possible.

What is Ryuk, and who is behind it?

Ryuk is a ransomware threat that, like so many others, is delivered by getting a target to open a link or attachment in a phishing email. More specifically, the initial payload is contained within a weaponized Microsoft Office document attached to the email, typically a macro the victim is tricked into enabling. In Ryuk campaigns that first stage usually installs the Emotet loader, which in turn downloads the equally notorious TrickBot banking Trojan; Ryuk itself is deployed last, after the attackers have used that foothold to spread through the network.
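Because the chain described above starts with a weaponized Office attachment, the cheapest control a mail gateway can apply is to look inside the file rather than trust its extension. The script below is an added example, not code from Forbes, from Durham's IT department, or from any vendor named in this article. It relies on two facts about the OOXML format: modern Office files are zip packages, a VBA project is stored in a part named vbaProject.bin, and the package's [Content_Types].xml declares a "macroEnabled" type when macros are present. Legacy binary .doc/.xls files are OLE2 compound files that this script does not parse, so it flags them for manual review. The quarantine policy and all sample attachments are constructed here for illustration.

```python
"""Classify an Office e-mail attachment by inspecting the container itself.

Added example for this article; not code from Forbes, Durham, or any vendor.
All sample inputs are constructed inline so the script runs offline.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt header
CONTENT_TYPES_PART = "[Content_Types].xml"
VBA_PART_SUFFIX = "vbaProject.bin"
# Substrings that only appear in packages carrying a VBA project.
MACRO_TYPE_MARKERS = ("macroEnabled", "application/vnd.ms-office.vbaProject")

DOCX_MAIN_TYPE = ("application/vnd.openxmlformats-officedocument."
                  "wordprocessingml.document.main+xml")
DOCM_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'legacy-ole' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        # Binary Office format: macros live in OLE streams we do not parse here.
        return "legacy-ole"
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "not-office"
    with package:
        names = package.namelist()
        if CONTENT_TYPES_PART not in names:
            return "not-office"
        # Check 1: a VBA project part anywhere in the package tree.
        if any(n.endswith(VBA_PART_SUFFIX) for n in names):
            return "ooxml-macro"
        # Check 2: the package declares a macro-enabled content type even if
        # the VBA part was given an unexpected name.
        types_xml = package.read(CONTENT_TYPES_PART).decode("utf-8", "replace")
        if any(marker in types_xml for marker in MACRO_TYPE_MARKERS):
            return "ooxml-macro"
    return "ooxml-clean"


def should_quarantine(data: bytes) -> bool:
    """Policy assumed for this example: hold anything that can carry VBA."""
    return classify_attachment(data) in ("ooxml-macro", "legacy-ole")


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML package (a real Word file has more parts)."""
    main_type = DOCM_MAIN_TYPE if macro else DOCX_MAIN_TYPE
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr(
            CONTENT_TYPES_PART,
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            + overrides + "</Types>")
        package.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Constructed stand-in for a compiled VBA project (real ones are OLE2 files).
            package.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_sample(macro=True),
        "invoice.docx": build_sample(macro=False),
        "old_invoice.doc": OLE2_MAGIC + b"\x00" * 64,
        "notes.txt": b"just text, not an Office file",
    }
    for name, blob in samples.items():
        verdict = classify_attachment(blob)
        action = "QUARANTINE" if should_quarantine(blob) else "deliver"
        print(f"{name:16} {verdict:12} -> {action}")
```

The check deliberately ignores the file name: a macro-bearing document renamed to .docx is still caught because the VBA part and the content-type declaration travel inside the zip. The script says nothing about whether a macro is malicious; the point of a gateway rule like this is that, for most municipal mail, an externally sourced document with any VBA at all is enough reason to hold it.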

Ryuk is thought to be linked to Russian cyber-criminals and, while municipalities are far from its only targets, many of its high-profile victims have been local governments. Because Ryuk is commonly deployed as the final stage of an intrusion that includes TrickBot, itself known for stealing credentials and exfiltrating data from compromised systems, the forensic investigation needed to determine the actual depth of the damage is likely to be very time-consuming.

Are municipalities doing enough to protect against the ransomware threat?

While the emergency cyber-attack response planning appears to have worked, and worked well, to contain the potential damage from a ransomware attack such as this, there are still questions that need to be answered, not least regarding the effectiveness of cyber-awareness training programs. A total of seven computers have been identified as likely "patient zero" sources of the infection, with both city and county employees clicking on links in emails. It's good that in this case both the intrusion detection and the data backup systems in place appear to have worked well to shut down the attack, but is there more that municipalities need to be doing in the face of increasingly sophisticated ransomware threats?

"At some point, I think the state is going to have to intervene and push effective resources and exert some procurement weight for adopting more of a shared services security model," Ian Thornton-Trump, CISO at Cyjax, says. More broadly, and looking beyond the Durham attack, is it incompetence or neglect that has made the municipal attack surface so vulnerable? "My inquiries lead me to believe it's a very unhealthy blend of both," Thornton-Trump says, "combined with regional disparities and budget priorities." In researching the situation, he tells me, the majority of spend for municipalities is found in maintaining aged and neglected infrastructure as well as new infrastructure to support urban development. "That leaves IT, and IT security, way down on the list of priorities for funding," Thornton-Trump continues. "New computers, routing and switching is not 'sexy' and is not a 'ribbon-cutting political event' like new infrastructure is."

All hope is not lost, however, according to Thornton-Trump. "Not only do municipalities have to avail themselves of state government and national government programs," he says, "they need to start politicizing cybersecurity." That makes sense: state and national governments are showing a clear interest in investing in election security, so why not in municipal services security as well?

In the meantime, I'd certainly recommend that Durham City and the County of Durham revisit their cyber-awareness training program and give everyone, from the top down, a refresh on why clicking on email links and opening Microsoft Office attachments can be so dangerous.
