[BreachExchange] La Porte County finally opted to pay $130, 000 Ransom
Destry Winant
destry at riskbasedsecurity.com
Tue Jul 16 10:00:13 EDT 2019
https://securityaffairs.co/wordpress/88406/malware/la-porte-county-paid-ransom.html
On July 6, a ransomware attack brought down government computer
systems at La Porte County, Indiana, finally, the county decided to
pay $130,000 ransom.
On July 6, a ransomware attack paralyzed the computer systems at La
Porte County, Indiana, according to County Commission President Dr.
Vidya Kora, employees were not able to access to any government email
or website.
The county IT director shut down the computer systems to avoid the
spreading of the threat and to limit potential damage. At least half
of the servers at the county’s infrastructure were infected, less than
7% of the laptops was not impacted.
Now La Porte County decided to pay $130,000 to recover data on systems
infected with the ransomware.
For at least three days, government systems were not working forcing
the County officials to evaluate the option to pay the ransom.
Immediately after the attack, the county reported the incident to the
FBI and was working with experts of some security firms to investigate
the attack and mitigate the threat. The law firm of Mullen Coughlin
LLC was managing the incident response operations, but despite the
efforts of the experts the La Porte County was not able to resume its
operations.
According to WSBT, La Porte County’s systems were infected with a
variant of the Ryuk ransomware, the same malware that infected
computers at City of Lake City on June 10.
“Two organizations in our area are recovering from recent cyber
attacks. Both the South Bend Clinic and La Porte County government are
dealing with the aftermath.” reported the WSBT.
“La Porte County paid the ransom on a cyber attack that locked up part
of the government’s computer system. The Ryuk virus got into the
backup servers.”
It seems that $100,000 out of $130,000 are being covered by insurance.
“Fortunately, our county liability agent of record, John Jones, last
year recommended a cybersecurity insurance policy which the county
commissioners authorized from Travelers Insurance” explained Dr. Vidya
Kora,
Recently other administrations decided to pay the ransom to decrypt
their files. Crooks earned a total of over $1 million in June from the
attacks on two municipalities in Florida, Lake City and Riviera Beach.
In April, Stuart City was victim of the Ryuk Ransomware too, but it
refused to pay the ransom. Early March, another city was hit by the
same ransomware, computers of Jackson County, Georgia, were infected
with Ryuk that paralyzed the government activity until officials
decided to pay a $400,000 ransom to decrypt the files.
The Ryuk ransomware appears connected to Hermes malware that was
associated with the notorious Lazarus APT group.
The same ransomware was recently used in an attack that affected the
newspaper distribution for large major newspapers, including the Wall
Street Journal, the New York Times, and the Los Angeles Times.
Further investigation on the malware allowed the experts from security
firms FireEye and CrowdStriketo discover that threat actors behind the
Ryuk ransomware are working with another cybercrime gang to gain
access to target networks. They are collaborating with threat actors
behind TrickBot, a malware that once infected a system creates a
reverse shell back to the attackers allowing them to break into the
network.
Experts at Crowdstrike believe the Ryuk ransomware is operated by a
crime gang they tracked as GRIM SPIDER, in particular by its Russian
based cell dubbed WIZARD SPIDER that is behind TrickBot.
Experts pointed out that Hermes was available for sale into the online
underground community, attackers could have purchased it to create
their own version of Ryuk.
Recently the United States Conference of Mayors asked its members to
“stand united” against paying ransoms in case their systems are hit by
ransomware. The decision is essential to discourage criminal practice.
More information about the BreachExchange
mailing list