New Orleans servers and networks crippled by Ryuk ransomware attack

by Ugnius Kiguolis - - 2019-12-16

Employees were ordered to shut down computers and disconnect from New Orleans WiFi network

New Orleans hit by ransomware On Friday, December 13th, New Orleans suffered a ransomware attack that is believed to be Ryuk

On the morning of December 13, the city of New Orleans, Louisiana, was hit by a ransomware attack. As reported by WWL-TV^[1] and Nola.com^[2] local news networks, the city was forced to shut down its servers and local computers, although emergency services like 911, police department, fire department, as well as EMS continued to operate, despite the cyberattack. Among the affected servers were those of City Hall and the New Orleans Police Department.

The news about the attack was announced over the loudspeaker in City Hall, and all the city's computers were turned off Friday afternoon. Additionally, the internal text message from the New Orleans Office of Homeland Security and Emergency Preparedness was distributed among workers and read:

The City of New Orleans is under a cyber attack. Please power off your computers and unplug them immediately. Await further instructions

The official website of the City of New Orleans was also shut down for the maintenance, although some of its functions are still retained, such as paying parking tickets.

The city was partially prepared for a cyberattack

New Orleans' Chief Information Officer Kim LaGrue, said that the suspicious activity was first detected at 5 AM of December 13. Once the city's workers started arriving at work just before 8 AM, the IT experts saw an increase in the unauthorized actions on the network, which prompted them to investigate further.

Just after 11 AM, the city of New Orleans declared that it was under cyberattack and that it has been hit by ransomware, although it was not clear which particular malware was involved. The officials began the investigation immediately, and the helping parties include the Louisiana National Guard, Louisiana State Police, FBI New Orleans, and the Secret Service.

Despite several servers being down, multiple departments are continuing its operations, as officials claim the training was conducted to countermeasure such situations. As a result, all the necessary services are able to operate without the internet or the city network:

Collin Arnold, the director of Homeland Security, claimed that several services are forced to use pen and paper, as well as alternative communication services like radios:^[3]

If there is a positive about being a city that has been touched by disasters and essentially been brought down to zero in the past, is that our plans and activity from a public safety perspective reflect the fact that we can operate with internet, without city networking

Ryuk ransomware is the most likely culprit of New Orleans ransomware attack

Initially, no ransom notes were found on the affected systems, as there was no ransom note found on the affected computers. However, a few suspicious files were uploaded on Virus Total on December 14 and came from an IP located in the USA. Interestingly, the analyze of memory dumps related to these revealed multiple mentions of Ryuk ransomware^[4] and New Orleans cyberattack.

The files were found and examined by security researcher Colin Cowie, who later posted his findings on Twitter:^[5]

The city of #neworleans was hit with #RYUK Ransomware! Looks like it encrypted their “Contracts and Revenue” file share

Security researchers can use memory dumps of executables to learn more about the attack, namely file names, commands used, and other information relating to it. The memory dump of the uploaded yoletby.exe contained such data like domain controllers, internal IP addresses, file shares, and other information that correlates to the New Orleans and the Ruk ransomware string. For example, researchers managed to extract the ransom note name, which was RyukReadMe.html.

Third ransomware incident in the Louisiana state

While this evidence is compelling, it is still only a speculation, and the City of New Orleans is yet to confirm whether it was indeed hit by Ryuk and not other data-locking malware. In case security experts are correct, it is highly likely that the systems were infected via spam email attachments, and the first payload was either banking Trojan Trickbot or/and Emotet.

Louisiana state is highly targeted by various ransomware strains, as the recent attacks show. In August, three schools were hit by ransomware, and Governor John Bel Edwards had to declare a state of emergency.^[6] Most recently, in November, Louisiana experienced another ransomware hit, and hat to shut down its email and web services after state government's IT Network for encrypted.

Malicious actors are known to target governments and municipalities in the US, as they know there is a lot of money to be earned. The officials hope to avoid major disruptions and get back on track by paying ransoms to criminals, which, unfortunately, leads to more attacks.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References

^ New Orleans government targeted by cyberattack. WWL-TV. CBS-affiliated television channel.
^ Jeff Adelson. New Orleans city government under cyberattack; workers told to turn off, unplug computers. Nola. Latest New Orleans, LA Local News, Sports News.
^ Kirsten Korosec. New Orleans declares state of emergency following ransomware attack. TechCrunch. Startup and Technology News.
^ Jake Doevan. Remove Ryuk ransomware (Removal Guide) - updated Jun 2019. 2-spyware. Cybersecurity news and articles.
^ Colin Cowie. The city of #neworleans was hit with #RYUK Ransomware!. Twitter. Social Network.
^ Catalin Cimpanu. Louisiana governor declares state emergency after local ransomware outbreak. ZDNet. Technology News, Analysis, Comments.