BitPaymer ransomware affects Matanuska-Susitna Borough and other regions
Several weeks ago, reports surfaced that an entire borough had been hit by a multi-vectored BitPaymer ransomware attack. According to Eric Wyatt, IT director at the Matanuska-Susitna Borough, the region is still recovering from an attack that involved several kinds of malware.
The borough's networks were first hit by a zero-day attack that most likely arrived through an email containing an infected link, which redirected to a web page that exposed local admin permissions. The attackers then used a Trojan horse to gain access to the local network and spread their malware across it. The infection corrupted the entire network of Windows-based devices.
As Eric Wyatt states, this was a multi-vector attack involving much more than a single virus:
This was a multi-pronged, multi-vectored attack. Not a single virus but more generally, Malware. Aspects include: Trojan Horse (Emotet), Worm, Crypto Locker (Ransomware (BitPaymer)), Time Bomb, Dead Man’s Switch, External hacker logged in to our network, maybe more. This is an Advanced Persistent Threat.
It appears that the attackers had been present on the system, undetected, since May 3rd. During that time, data from any of the networks may have been shared or compromised without anyone noticing. Officials say they have no evidence of such activity, but, to prepare for the worst-case scenario, they have to proceed on the assumption that it happened.
The FBI reports that the attack relied on a Trojan horse and a worm to spread across the network. Additionally, last week some components of the Cryptolocker ransomware were launched. According to the FBI, by the time the security team began working on eradicating the malware, it had compromised about 500 workstations and 120 servers. The attack is not believed to have been aimed at collecting a ransom from one particular victim; more likely, it was designed to disrupt the borough's operations and steal information that could later be turned into financial gain.
Officials are reinstalling 600 desktop computers and servers
Matanuska-Susitna Borough officials have already managed to bring 110 workstations back into service. They cleaned the systems and copied the encrypted data for the FBI to investigate and possibly decrypt. IT specialists from the MSB stated that these workstations would be placed on a separate network as part of a workgroup rather than a domain.
The Borough has also rebuilt its phone system server. The door lock card swipe system was affected by the data encryption as well but continued working as usual. Private sector vendors, government IT specialists and other parties have been working on the recovery from the attack. Staff even resorted to typewriters and handwritten receipts at the library and other offices.
This is not the first time the country has been hit by ransomware
Early on, ransomware viruses targeted individual systems. Soon afterwards, however, cybercriminals realized that they could extract more from businesses and similar organizations, and ransomware began generating more revenue from large companies. By the end of 2017, 35 percent of small and medium-sized businesses had encountered a ransomware attack.
The best-known city hit by ransomware, however, is Atlanta. In March 2018, attackers disrupted the services used to pay city bills and to access court information online. In the end, the city needed $2 million to recover from the attack. According to the latest news, it may need another $9.5 million to eliminate all the “effects” caused by this cryptovirus.