[BreachExchange] Keizer officials pay $48k ransom to regain control of city computers

Destry Winant destry at riskbasedsecurity.com
Thu Jun 25 10:40:01 EDT 2020


The city of Keizer’s computer system was hacked on June 10, and
officials were able to regain access to the data only by paying the
perpetrators a $48,000 ransom.

At this point, no sensitive data appears to have been accessed or
misused. About 11:45 a.m. Wednesday, June 17, city employees finally
regained access to all emails and files.

“We are taking this seriously, and are working to resolve the
situation as quickly as possible,” said city officials in a
hand-delivered statement. The digital strike was discovered when city
employees could not access some data and programs the morning of June

The city “engaged appropriate authorities” to assist in data recovery,
but it soon became clear that the only way to regain access to
information stored on the city’s computers was to pay a ransom to the
hacker or hackers responsible. The particular method used to
infiltrate the city’s computers is known as ransomware, which encrypts

“We were presented with a request for a ransom payment needed to
obtain the needed decryption keys,” the city’s statement read. Rather
than destroying or deleting data, it puts the information behind a
door that can only be unlocked with a numeric key that remains in the
hands of the hackers.

“We believe that the forensic investigation could provide critical
information to defend against attacks in the future,” the statement

Part of a growing trend

When the City of Keizer was hacked last week by an unknown individual
or group, it became the latest victim of such attacks nationwide.

By August of 2019, according to a New York Times report, at least 40
cities had their data held hostage by hackers in the first eight
months of the year. At one point, 22 cities in Texas alone had been
crippled by hacks that involve infecting servers with malware that
puts all the data behind an encrypted wall. The hackers then request
ransom to release the data back to the cities.

In some cases the ransom cost was nearly $500,000 in taxpayer money.
In January of this year, Tillamook County paid $300,000 to regain
access to its data. As companies and towns showed more willingness to
pay the ransoms demanded, the attacks ramped up, according to the
Times report.

However, the ransom demanded by hackers from a city is only a portion
of the costs the city incurs. In addition to the ransom, Keizer had to
contract with a cybersecurity firm to negotiate with the hackers, and
now it will have to spend even more on security in the future: data
back-ups and, likely, additional consultants to oversee bringing the
system back online.

In the wake of such attacks, every device – from tablets issued to
city councilors to the laptops installed in police vehicles – must be
examined for existing vulnerabilities and hardened against future

The strain of ransomware that was used in many of the most recent
attacks is named Sodinokibi.

In a report published by the World Economic Forum, cities of all sizes
are urged to prepare for future digital strikes in the same way they
would for an earthquake.

“Digital security is not only about hardware and software. It is about
adopting a comprehensive whole-of-city approach. Security must be
conceived as an essential priority, something that is designed into
every element of the urban infrastructure, not merely introduced as an
afterthought. It requires developing the rules, regulations,
procedures and budgets for city authorities, businesses and residents
to prepare and respond to digital threats when and after they
inevitably occur,” the report states.

The report cites human error and a failure to implement best practices
as the leading causes of such attacks succeeding.

Many attacks could be prevented with relatively simple actions such as
“software patching, correct firewall configuration, frequent and
redundant backups, and use of multi-factor authentication for logons,”
the report concludes.

How ransomware works

It will likely take days or weeks to fully understand how Keizer’s
data systems were held for ransom, but digital strikes on other cities
and counties provide some insight into how it all works.

Ransomware is different from what the average user envisions when they
think of being hacked. Rather than destroying or downloading data,
ransomware makes data inaccessible through encryption that can only be
unlocked with a numeric key held by the hackers.

Hackers are typically known to charge ransom based on the number of
servers they were able to lock up, and payments are made through a web
of untraceable digital transactions. Meanwhile, in cities with
libraries, the hacks meant checking out books with pen-and-paper logs.
For many police departments, hacks resulted in hand-written citations.
Emails sent to Keizer city employees bounced back for several days.

According to a malware wiki site, composed of knowledge gleaned from
those who have dealt with ransomware, a strain known as Sodinokibi is
the current scourge of cities near and far.

Sodinokibi doesn’t destroy data, and many of its operators don’t appear
to copy out much data unless the victim refuses to pay the ransom.
Sodinokibi, also known as REvil, is believed to have originated in
Russia and has already resulted in roughly $7 million in known ransoms
paid.

Ransoms are paid to affiliates of the hacker or group of hackers. The
affiliates reportedly keep 60 percent of the ransom paid and that
amount increases to 70 percent after three successful transactions.
The remainder goes to the actor or actors behind the hack. As of early
2020, there were roughly 40 known affiliates accepting ransom payments
for successful Sodinokibi attacks.

While many cases are resolved with the payment of a ransom, some
Sodinokibi hackers raised the stakes earlier this month, according to
Brian Krebs, a cybersecurity reporter with The Washington Post.

One of the hackers behind the Sodinokibi ransomware began auctioning
off data it stole from a Canadian agricultural production company. The
starting price was $50,000 for 22,000 stolen files. The Krebs report
suggests that auctioning data is one way hackers are diversifying
their portfolios, given the decreased ability of some agencies to pay
ransoms as a result of the COVID-19 pandemic and the resulting
economic crisis.
