Louisiana Ransomware attack

Maze ransomware was behind Pensacola “cyber event,” Florida officials say

Pensacola was hit by Maze ransomware, which has apparently stolen data before encrypting it in other cases. (credit: Paul Harris / Getty Images)

An email sent by the Florida Department of Law Enforcement to all Florida county commissioners indicated that the ransomware that struck the city of Pensacola on December 7 was the same malware used in an attack against the private security firm Allied Universal, according to a report by the Pensacola News Journal. That malware has been identified elsewhere as Maze, a form of ransomware that has also been distributed via spam email campaigns in Italy.

Bleeping Computer’s Lawrence Abrams reported in November that the Maze operators had contacted him after the Allied Universal attack, claiming to have stolen files from the company before encrypting them on the victims’ computers. After Allied apparently missed the deadline for payment of the ransom on the files, the ransomware operators published 700 megabytes of files from Allied and demanded 300 Bitcoins (approximately $2.3 million) to decrypt the network. The Maze operators told Abrams that they always steal victims’ files to use as further leverage to get them to pay:

It is just a logic. If we disclose it who will believe us? It is not in our interest, it will be silly to disclose as we gain nothing from it. We also delete data because it is not really interesting. We are neither espionage group nor any other type of APT, the data is not interesting for us.

Stealing data as proof of compromise—and to therefore encourage payment by ransomware victims—is rare but not new. The RobbinHood ransomware operator that attacked Baltimore City in May also stole files as part of the attack and posted screenshots of some files—faxed documents sent to Baltimore City Hall’s fax server—on a Twitter account to encourage city officials to pay. Baltimore did not pay the ransom.

Theft of data opens up another problem for targets of ransomware who in the past would pay quietly to decrypt their data, as it introduces the possibility that they will have to report the breach to customers and government regulators. So in some cases, it may ironically remove some of the motivation for victims to pay, since their data may be sold off by the attackers whether they pay or not.

The use of the data to blackmail the victim, and in Allied’s case, the threat to use Allied’s certificates and domain name to spam customers with additional ransomware attacks, is something new. “This is the first time this has ever happened, as far as we know,” said Brett Callow, a spokesperson for the antivirus software vendor Emsisoft. “Ransomware groups usually encrypt, not steal. We expect data exfiltration to become more and more commonplace. Whether Pensacola’s data was exfiltrated, I obviously can’t say.”

“Broad targeted” attacks

Maze, Ryuk, and other ransomware attacks against government agencies and companies have moved increasingly toward what Raytheon Cyber Services Senior Manager Dylan Owen referred to as a “broad targeted” attack—while they rely on spam for the initial breach, the attackers “are poking around figuring out who they breached” before they launch the attack.

“They don’t necessarily target a specific agency,” Owen told Ars. The attackers have often either gotten a list of emails from another source, or they “have programs that randomly try emails, or combinations of username, first name/last name, middle initial, all different kinds of combinations,” he explained. “They might do a little bit of research if they were going for a particular type of organization, but usually they’re very broad-based… then once they get a beacon back saying, ‘Hey, somebody clicked on my link’, they go and figure out who it was.” And if the click came from a larger organization rich in targets, Owen said, they go forward.

State and local agencies have been particularly vulnerable to these sorts of attacks because of the economics of their IT operations. “They’re dependent on the funding through taxes or whatever, and that money can only go so far,” Owen noted. “They also have a preponderance of older IT systems because of the lack of funding over the years. So it’s something that’s built upon itself. A lot of them also have proprietary software, so it’s not commercial, off the shelf—they hired somebody to create some special code, and that code may not run on newer operating systems. So now they have older operating systems that are harder to patch.”

On top of that, many state and local agencies haven’t done the work of segregating those vulnerable systems and putting additional defenses around them to reduce the risk posed by legacy systems, Owen explained. But he said that’s starting to change. “I know with Louisiana particularly, the governor had said that cyber security is going to be a really big focus for 2020,” he said. “They put a lot of money in it in 2019.” And while Louisiana had to take the drastic step of cutting off many services during the recent Ryuk attack, it was effective in stopping the spread of the attack.

Pensacola confirms ransomware attack but provides few details

Pensacola, home of the Navy’s flight school and a cyberwarfare training center, was still reeling from a mass shooting at the Naval Air Station when ransomware hit the city’s network.

On December 7—less than a day after a mass shooting at Naval Air Station Pensacola—the city of Pensacola, Florida, was hit by what was originally described as a generic “cyber incident.” A city spokesperson has since confirmed that ransomware had struck a number of the city’s servers, taking down phones, email, electronic “311” service requests, and electronic payment systems.

With a population of 52,500 people, Pensacola is in Florida’s Gulf Coast “panhandle.” In addition to being the home of the US Navy’s pilot training center, Pensacola is also, perhaps ironically, home of one of the training centers for the Navy’s Information Warfare Training Command.

Pensacola public information spokesperson Kacee Lagarde said in a statement that the Pearl Harbor Day ransomware attack began in the early morning. Lagarde said:

As a result of the incident, Technology Resources staff disconnected computers from the city’s network until the issue can be resolved… The City of Pensacola has remained operational throughout the incident, but some services have been impacted while the network is disconnected, including City emails, some city landlines, 311 customer service (311 can receive calls, but online services are not available) [and] online bill payments including Pensacola Energy and City of Pensacola Sanitation Services. Emergency dispatch services and 911 were not impacted and continue to operate normally.

The attack’s timing appears to be coincidental and not related to the killing of three sailors by a Saudi Air Force officer on December 6. And it follows the pattern of a number of recent Ryuk-based ransomware attacks on other state and local agencies.

Ars reached out to Pensacola officials for more details on the attack but received no response—possibly because the city has just begun to restore email service to city workers with mobile devices.

A Pensacola city-government Facebook update on the ransomware attack.

Backup on the bayou

Meanwhile, Louisiana officials claim to have largely shrugged off last month’s Ryuk ransomware attack. In a statement to Ars, Jacques Berry, director of policy and communication for Louisiana’s Division of Administration, characterized the ransomware as an “abject failure” because there was no “major data loss or compromised information or irrecoverable applications—none of these happened.” Berry insisted that sources who spoke to Ars “have incorrect, misleading, or conflicting information. I would strongly caution you against trusting information that doesn’t come from me or an interview arranged by me.”

The staff of Louisiana’s Office of Technology Services spent the week after the attack “laboring 24/7,” Berry said, “and scaling back only somewhat since then… They implemented a plan with a specific order of priority and continue their efforts as final service restorations are completed in the most urgent but accurate manner possible.”

Medicaid records affected were limited to “program files from the Medicaid office,” Berry said, and the state’s new LaMEDS (Louisiana Medicaid Enrollment System) was not affected. Additionally, he said, no Medicaid recipient’s personal information was in the affected data. Other reported data outages were due to network shutdowns and not data loss, Berry explained.

Hacker’s paradise: Louisiana’s ransomware disaster far from over

Louisiana State Capitol, Baton Rouge, Louisiana, at dusk. (credit: Visions of America/Universal Images Group via Getty Images)

Louisiana has brought some of its services back as it recovers from a targeted ransomware attack using the Ryuk malware on November 18. The state’s Office of Motor Vehicles re-opened offices on Monday in a limited fashion. But OMV and other agencies affected—including the state’s Department of Health and Department of Public Safety—are facing a number of potential hurdles to restoring all services, according to people familiar with Louisiana’s IT operations.

The ransomware payload was apparently spread across agencies by exploiting Microsoft Windows Group Policy Objects (GPOs), meaning that the attackers had gained administrative privileges across multiple Active Directory domains. This is symptomatic of TrickBot malware attacks, which use GPOs and PsExec (a Microsoft remote administration tool) to push their payload to other machines.
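Added example, not from the article or from any vendor quoted in it: a small Python check that flags the two signals of the spread pattern just described in Windows event records, a PsExec service install (System event 7045, service name PSEXESVC) and an edit to a Group Policy container (Security event 5136), and then lists accounts that produced both. The records and their field names are constructed and simplified, and the GUID in the sample distinguished name is a placeholder.

```python
"""Flag GPO edits and PsExec service installs in (constructed) Windows event records."""

# Constructed sample events, not real telemetry; field names are a simplification.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "ws01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "user": "CORP\\svc-admin"},
    {"id": 7045, "host": "ws02", "service_name": "Spooler",
     "image_path": r"%SystemRoot%\System32\spoolsv.exe", "user": "SYSTEM"},
    {"id": 5136, "host": "dc01", "object_class": "groupPolicyContainer",
     "object_dn": "CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=corp,DC=example",
     "attribute": "gPCMachineExtensionNames", "user": "CORP\\svc-admin"},
    {"id": 5136, "host": "dc01", "object_class": "user",
     "object_dn": "CN=jdoe,OU=Staff,DC=corp,DC=example",
     "attribute": "telephoneNumber", "user": "CORP\\helpdesk"},
]


def psexec_service_installs(events):
    """Return (host, user, reason) for 7045 events naming the PsExec service."""
    hits = []
    for e in events:
        if e.get("id") != 7045:
            continue
        name = e.get("service_name", "").upper()
        path = e.get("image_path", "").upper()
        if "PSEXESVC" in name or "PSEXESVC" in path:
            hits.append((e["host"], e["user"], "PsExec service installed: " + e["image_path"]))
    return hits


def gpo_modifications(events):
    """Return (host, user, reason) for 5136 events that change a Group Policy container."""
    return [(e["host"], e["user"], "GPO attribute %s changed on %s" % (e["attribute"], e["object_dn"]))
            for e in events
            if e.get("id") == 5136 and e.get("object_class") == "groupPolicyContainer"]


def accounts_doing_both(events):
    """Accounts that both edited a GPO and installed PsExec: the combination
    behind the TrickBot/Ryuk spread pattern, so it deserves an immediate look."""
    gpo_users = {user for _, user, _ in gpo_modifications(events)}
    svc_users = {user for _, user, _ in psexec_service_installs(events)}
    return sorted(gpo_users & svc_users)


if __name__ == "__main__":
    for host, user, reason in psexec_service_installs(SAMPLE_EVENTS) + gpo_modifications(SAMPLE_EVENTS):
        print("[%s] %s: %s" % (host, user, reason))
    print("accounts with both signals:", accounts_doing_both(SAMPLE_EVENTS))
```

In a real deployment the same logic would run over events pulled from a SIEM or from Windows Event Forwarding, with the host/user fields mapped from the native event XML.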

This is the second major cybersecurity incident this year in Louisiana tied to Ryuk ransomware. In July, Governor John Bel Edwards declared a state of emergency and deployed the state’s cyber response team to assist seven parish school districts. There have been many other Ryuk attacks this year that have used TrickBot and, in some cases, the Emotet trojan, a combination referred to by some experts as a “Triple Threat” commodity malware attack. At least two Florida cities and Georgia’s Judicial Council and Administrative Office of the Courts were also hit by “Triple Threat” attacks.
