[BreachExchange] ‘Shut down everything:’ Global ransomware attack takes a small Maryland town offline

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jul 8 11:39:45 EDT 2021


https://www.washingtonpost.com/technology/2021/07/08/kaseya-ransomware-attack-leonardtown-maryland/

It was just after 12:30 p.m. on the Friday before the Fourth of July
holiday when a warning popped up on Laschelle McKay’s computer screen.

McKay, the town administrator for Leonardtown, Md., didn’t even have time
to read the whole message before it disappeared and her computer froze.

“Everything shut down,” she said in an interview. “You couldn’t open any
document, you’re completely locked from all your files.”

McKay learned later that day that the town had been a victim of the massive
ransomware attack that breached a popular software made by the information
technology company Kaseya. The attack reached Leonardtown through its IT
management company, JustTech, which uses the affected Kaseya product,
JustTech told McKay.

In emails sent to Leonardtown and shared with The Washington Post, JustTech
wrote that neither its “servers nor your network were directly hacked or
breached. The intrusion came through the remote monitoring and security
software we utilize from an industry leading provider.”

The firm was part of what cybersecurity researchers are calling potentially
the largest ransomware attack ever, affecting hundreds of businesses and
other entities globally. In a ransomware attack, hackers break into a
company’s systems, lock them and demand money for a key to unlock those
systems.

Last week, hackers exploited a software vulnerability at the IT services
provider Kaseya. The resulting hack infected about 60 of Kaseya’s customers
like JustTech, customers that in turn provide IT services to small
businesses. The attack then spread through the Kaseya software to affect as
many as 1,500 U.S. businesses, Kaseya has said, and the full extent of the
damage is not yet known.

The Russian-language hacking group REvil has taken responsibility for the
attack and demanded a total ransom of $70 million to unlock the files of
all of its victims. Hundreds of grocery stores in a cooperative chain in
Sweden had to close temporarily because of the hack, and at least nine
schools in New Zealand were affected.

JustTech owner Joshua Justice said in an email that his team is working
around the clock to restore backups to its affected clients in five states.
“We had plans to bring clients back and fully recover from situations such
as this but never envisioned we would need to do everyone at once,” he said.

McKay said JustTech informed Leonardtown that the ransom demand was $45,000
per computer but that the town’s leaders never seriously considered paying.
Instead, they are undertaking the painstaking work of restoring computer
system backups. The town has 19 computers, and all but two were frozen. One
was spared because the employee who uses it was on vacation and the machine
was turned off, and the other was an older computer left at an employee’s
home.

On Friday after the computers froze, McKay said, city staffers called
JustTech, which told them to start turning off the devices.

“Shut down everything,” JustTech reportedly told the city staffers, noting
that the problem was bigger than just their organization.

A JustTech employee showed up at the office Friday afternoon before the
town had even been informed of the extent of the attack. The worker turned
off the affected server, too. In its initial email to clients on Friday,
JustTech wrote that it had “discovered the breach, disabled, and shut down
the affected servers within 8 minutes.”

The IT firm said it has secure backups for the town’s systems that it will
be able to restore. But it’s unclear how long that will take. Experts say
it can take weeks or months to fully recover from a cyberattack.

JustTech also has been inundated in the attack, McKay said.

“We’re trying to be patient,” she said. “We were able to finally talk to
one of the reps yesterday, and they’re just exhausted. I mean, it’s just
been 24 hours a day since last Friday, working to try to recover, so I feel
really bad for them.”

McKay and the city staff of 15 others are doing their best to work without
computers in the near term; they’re helping residents in person and over
the phone. Their electronic billing software and the system used to send
utility bills have shut down, and the office doesn’t have any Internet
access, except through individual cellphone plans.

Staffers need to run home to print documents, and even simple activities
like scanning documents have become a chore.

“We can’t access any of our data right now, to be able to service our
customers,” McKay said.

The staff had been preparing quarterly utility bills to send out to about
3,000 residents. The bills were being finalized Friday, but all of that
data probably has been lost, McKay said, and the bills will be delayed.

“We have a lot of residents that are used to getting their bills on time,”
she said.

She’s also trying to ensure the town’s payroll system is back online before
paychecks need to go out next week, even if that means working with a
different IT firm to get it running, something the town is considering.

Many residents have called and texted to express their support for the
small staff, McKay said. Several asked if any personal
information had been accessed during the hack. JustTech told the town it
doesn’t think any personal information was taken.

Kaseya is working on a software patch for its customers affected by the
hack but did not give an exact timeline for the fix.

Another town in Maryland, North Beach, issued a news release confirming
that it, too, had been a victim of the attack. The town’s water and phone
systems were still working, it said.

“Resolution of this incident is expected to take approximately one week and
your patience is appreciated while our IT service provider works to
reinstate the network server and workstations,” it said in the release.

Ransomware attacks have surged in the past few years as hackers work
together to extort as much money as possible from victims including
health-care providers, schools, municipalities and businesses of all sizes.

High-profile cyberattacks on Colonial Pipeline, the meat supplier JBS and
several health-care providers have highlighted the dangers and potential
widespread fallout from the attacks. The attack on Colonial caused a
panicked run on fuel at East Coast gas stations, leaving some empty. An
attack at a hospital in Vermont delayed chemotherapy treatments for some
patients.

The Kaseya attack has put further pressure on the Biden administration to
address cybersecurity within the United States and to resume talks with
Russia about cybersecurity, given that many cyberattacks appear to
originate inside Russia.

REvil is believed to be based mostly in Russia.

“If the Russian government cannot or will not take action against criminal
actors residing in Russia, we will take action or reserve the right to take
action on our own,” White House press secretary Jen Psaki said Tuesday when
speaking about cybersecurity consultations between the two countries,
discussions that the leaders agreed to begin when they met last month.