UPDATED! The Colorado Department of Transportation (CDOT) and the city of Allentown, Pa., are in the process of digging themselves out from two separate cyberattacks that hit in the last few weeks.
CDOT was hit on February 20 with a ransomware attack, identified as SamSam, which forced the organization to shut down 2,000 computers across its system while it investigates and attempts to mitigate the attack, according to a Denver Post report. CDOT said it has back up of its files and has no intention of paying the ransom.
Andy Norton, director of threat intelligence, Lastline, said the SamSam gang seems to have a good system in place to extort payment from its victims and possibly the only reason CDOT is not paying in this case is its most critical systems were not affected.
“What is interesting is the targeting in use by the SamSam authors, who must be one of the most successful ransom gangs out there with more than 30 bitcoins to their name. Choosing government critical services and attempting to propagate across many systems, while offering a single key to decrypt all infected machines at 3 bitcoins, is clearly a sweet spot, and evidently often the easier option for infected organizations. If the infection had impacted critical services of the CDOT, we may of seen a different response from them,” he told SC Media.
City officials initially contacted Microsoft, which charged $185,000 to attempt to stop the malware from spreading and fix any damage. The city’s computer system all run on Microsoft software. So far the extent of the damage has not been determined, nor how it entered the city’s system. Emotet is generally distributed via spam botnets spreading emails with malicious attachments.
The malware has stopped several city departments from functioning properly including finance and the police, The Morning Call reported. There is no time frame in place for having the systems back online.
Savannah, Ga. was also hit on February 13 and is still in recovery mode.
Updated information is from Lastline’s Andy Norton.