[BreachExchange] “Typewriters are productive again”, the aftermath of Mat-Su’s Ransomware Attack

Destry Winant destry at riskbasedsecurity.com
Wed Aug 1 22:23:09 EDT 2018


https://hackercombat.com/typewriters-are-productive-again-the-aftermath-of-mat-sus-ransomware-attack/

Time travel has been proven at last, though not the kind seen in the
Back to the Future and The Time Machine films: rather a dress rehearsal
of a dystopia brought about by a localized malware attack. Government
employees of the Matanuska-Susitna Borough had no choice but to keep
their departments running with typewriters pulled out of closets and
documents written by hand.

Matanuska-Susitna, also known by its shorter alias Mat-Su, is a
63-thousand-square-kilometer borough in the State of Alaska, United
States. The malware struck on the weekend of July 21 to 22, 2018. It
was a massive ransomware infection of 120 of the borough government's
150 servers and of 500 desktop computers. Further investigation
revealed that the initial penetration had already begun on May 3,
2018, but it took until July for the problem to become visible. That
gap matters for recovery: backups taken between early May and late
July may carry the implant and cannot be trusted as clean restore
points without inspection.

Patty Sullivan, Mat-Su’s Public Affairs Director explained: “Last
Tues, July 24, the Borough first disconnected servers from each other,
then disconnected the Borough itself from the Internet, phones, and
email, as it recognized it was under cyber attack.”

Sullivan also highlighted the resiliency of their employees, as they
remained calm and continued the operations of their respective
offices: “Without computers and files, Borough employees acted
resourcefully. They re-enlisted typewriters from closets, and wrote by
hand receipts and lists of library book patrons and landfill fees at
some of the 73 different buildings.”

For his part, Eric Wyatt, Mat-Su's IT Director, said: "(This is) a
multi-pronged, multi-vectored attack. Not a single virus but multiple
aspects of viruses together including trojan horse, Cryptolocker, time
bomb, and dead man's switch. This is a very insidious, very
well-organized attack, it's not a kid in his mom's basement."

The IT Director, with the help of the FBI, has finally identified the
ransomware that encrypted their computers. His published report names
the culprit as BitPaymer. BitPaymer is a trojan delivered as a standard
Windows .exe executable; antivirus vendors detect it under signature
names such as HPmal/Ransom-Y and Troj/Agent-AXEG. Once executed, it
copies itself into NTFS alternate data streams so that redundant copies
survive removal of the original file. A named alternate data stream
does not appear in Explorer or in a plain directory listing, so these
copies escape casual inspection and any scanner that does not enumerate
streams; this is concealment rather than immunity, and tools that do
walk alternate streams will find them.

The malware encrypts data files under an RSA-1024 public key and
appends a .locked extension to each one; because only the attackers
hold the matching private key, the files cannot be recovered without
their cooperation or a clean backup. Third-party programs under the
Program Files folder are encrypted as well, which renders those
applications unusable, so an infected machine loses both its data and
much of its software and must be reimaged rather than merely have its
documents restored. This ransomware is highly damaging to both user
productivity and the uptime of the infected computers.
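The two artefacts the article attributes to BitPaymer, payload copies hidden in NTFS alternate data streams and files renamed with a .locked extension, are both things a responder can hunt for from the console. The following PowerShell script is an added example written for this page; it is not Mat-Su's or the article's code. The search roots, the minimum stream size, the allow-list of known-benign stream names, and the report path are assumptions chosen for illustration, and the script only reads, it never deletes.

```powershell
# Added example (not Mat-Su's or the article's code): a read-only hunt for
# the two BitPaymer artefacts described above, named NTFS alternate data
# streams and files carrying the .locked extension. Roots, size threshold,
# stream allow-list and report path are assumptions for illustration.
param(
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, "$env:SystemDrive\Users"),
    [int]$MinStreamBytes = 4096,
    [string]$Report = "$env:TEMP\ads-locked-hunt.csv"
)

# Every file has the default ':$DATA' stream; Zone.Identifier is the normal
# mark-of-the-web on downloads. Any other named stream is reported.
$knownStreams = @(':$DATA', 'Zone.Identifier')

$findings = New-Object System.Collections.Generic.List[object]

foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
    Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_

        # 1. Encrypted files: BitPaymer appends .locked, including under Program Files.
        #    (-eq is case-insensitive in PowerShell, so .LOCKED matches too.)
        if ($file.Extension -eq '.locked') {
            $findings.Add([pscustomobject]@{
                Kind    = 'LockedFile'
                Path    = $file.FullName
                Stream  = ''
                Bytes   = $file.Length
                Written = $file.LastWriteTimeUtc
            })
        }

        # 2. Hidden payload copies: Get-Item -Stream * enumerates every data
        #    stream of the file, which Explorer and a plain 'dir' do not show.
        #    Only streams large enough to hold an executable are flagged.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { ($knownStreams -notcontains $_.Stream) -and ($_.Length -ge $MinStreamBytes) } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Kind    = 'AlternateStream'
                Path    = $file.FullName
                Stream  = $_.Stream
                Bytes   = $_.Length
                Written = $file.LastWriteTimeUtc
            })
        }
    }
}

# Persist the full list for the case file, then print a summary: a burst of
# .locked files with similar write times is the encryption run; an ADS of
# executable size is a candidate dropper to pull for triage with
# Get-Content -LiteralPath <file> -Stream <name>.
$findings | Export-Csv -LiteralPath $Report -NoTypeInformation -Encoding UTF8
$findings | Group-Object Kind | ForEach-Object { '{0,-16} {1}' -f $_.Name, $_.Count }
$findings | Where-Object Kind -eq 'LockedFile' |
    Group-Object { Split-Path -Path $_.Path -Parent } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

Run it from an elevated Windows PowerShell prompt on a suspect host that has been isolated from the network, and treat the CSV as evidence rather than acting on it in place: an alternate stream named by the script is a lead, not a verdict, since some software stores legitimate metadata in named streams, and a .locked file should be preserved for the case, not deleted, until the recovery plan is settled.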

Mat-Su’s government is already taking action, as they are currently
restoring all the affected computers to a clean state. “Since then,
infrastructure is steadily being rebuilt, computers cleaned and
returned, and email, phones, and Internet connection becoming
restored,” concluded Sullivan.

The good news is that Mat-Su's official website, www.matsugov.us/, is
not hosted locally, so its web server was out of the ransomware's
reach. The site's page about the cyber attack carries the latest
updates, quoted directly from the website:

- Phones are coming back online and were mostly restored at the
administration building in Palmer on Monday. Later this afternoon, IT
dispatched a team of six to begin restoring phones at other sites. The
phone server was rebuilt Sunday night.
- Palmer Pool’s phone number for the front office is 746-2455 during
the cyber crisis.
- The external website has been functioning since last Tues.
- The Assembly meets Tues. night, July 31, at 6 pm in the Borough
Assembly chambers for a special meeting with the agenda posted on the
web.
- An email stop gap is given to some employees until the actual
exchange email server is rebuilt. Older email files may not be
recoverable.
- Most employees have been without computers. 110 workstations have
been cleaned, reimaged, and are ready for dissemination to employees.
- My Property, a useful web application, has been restored with some
limitations.


More information about the BreachExchange mailing list