The mayor of New Orleans Friday declared a state of emergency after the city detected what is now believed to be a Ryuk ransomware attack.
Mayor LaToya Cantrell said the attack closely resembles previous attacks on the state of Louisiana less than a month ago. Louisiana activated its cybersecurity team in mid-November after the state was targeted in an attempted ransomware attack similar to those aimed at government organizations and local school districts during the summer, the newly re-elected Governor John Bel Edwards tweeted at the time.
In this latest incident, New Orleans officials began taking systems offline after noticing suspicious activity, including phishing attempts, last Friday at 5 a.m. “The city remains actively involved in recovery efforts related to the cybersecurity incident last Friday and individual agencies and departments will be impacted in various ways,” Cantrell tweeted Sunday evening.
“The agility showcased by the city of New Orleans in taking their systems offline after seeing instances of the Ryuk ransomware on their network underscores just how critical incident response is and affirms that cybersecurity has integrated itself into the landscape of disaster preparedness,” said Fred Kneip, CEO at CyberGRX.
In a series of updates via Twitter, Cantrell said “Regular nola.gov services are down, however a temporary webpage has been deployed to allow residents to make 3-1-1 requests for service; pay sales, use, and parking taxes; and pay parking and camera tickets.”
While the mayor also said city hall would be open today during normal business hours, the city tweeted some agencies and departments, such as Juvenile Court, will be closed, though staff is expected to report to work. The police department is continuing its normal operations but “is documenting incidents manually” and temporarily “will not be able to run background checks for the public.” But the Fire Department and Emergency Medical Services were not affected by the attack and cameras operated by the Real-time Crime Center are functioning, Cantrell tweeted.
Calling New Orleans “the latest in a long line of American cities and towns to suffer a crippling ransomware attack,” Paul Martini, CEO at iboss, contended, “The fact that this particular incident impacted the city’s police department proves the incredibly dangerous power that hackers wield.”
As government employees continue to do “more work-related business on the go than ever,” government agencies must take steps to protect “individuals outside of the four walls of the office,” said Martini. “Preventing attacks like these, which now qualify as national emergencies, should be a priority at every level of local, state and federal government.”
Local governments are easy and profitable targets for opportunistic attackers, said Chris Morales, head of security analytics at Vectra, who explained that miscreants are typically looking either for financial gain or to disrupt business. “The good news is no data is likely being stolen in these attacks,” said Morales. “The bad news is the cost to the local governments is going to be substantial regardless of outcome. That is why it is so important to detect and respond to ransomware before it causes damage.”
Louisiana has been hit this year by a series of significant ransomware attacks, and Colin Bastable, CEO of Lucy Security, said, “This attack may have been initiated in parallel with the recent Louisiana attack.”
The state is hardly a member of an exclusive club.
“2019 has been a bonanza for ransomware gangs targeting local and state governments,” said Eyal Aharoni, vice president of customer success at Cymulate, although Alex Guirakhoo, strategy and research analyst at Digital Shadows, said many ransomware attacks go unreported. “While it feels like we hear about another example every week, the actual number of incidents is almost certainly higher,” he said.
The uptick in attacks prompted a July 2019 joint advisory from “several U.S. government agencies warning state and local government organizations about the ongoing threat of ransomware attacks,” said Guirakhoo. “These types of organizations are likely perceived by ransomware operators to be less secure (and therefore more accessible targets) than larger government or private sector organizations” and attackers might see them as putting a low priority on information security, particularly if they have limited financial resources, and, as a result, have limited technical knowledge, outdated infrastructure and a poor security culture.
“Under-resourced and under-funded, many organizations still don’t take the necessary steps to mitigate such attacks and hackers will continue to reel on their success undeterred in 2020,” said Aharoni.
The problem with ransomware attacks, said Bastable, “is that they are not always immediately apparent. The attackers may need to navigate from their initial point of entry – usually via phishing email – to the systems and data that they need to encrypt. The attack can be undetected for a relatively long time before being triggered.”
Aharoni expects “New Orleans’ IT team will now be dedicating resources to understand how the malware (reportedly Ryuk) was triggered and will no doubt heavily invest their cyberdefenses to prevent similar crises happening in the future.”
Organizations should prepare for cyberattacks as they would for other emergencies, including fire or flood, Kneip said, or otherwise pay stiff consequences. “Digital and physical barrier lines have blurred and as a result, the ramifications of such an attack will echo far beyond the four walls of an organization, especially within a city, which collaborates with hundreds of vendors and partners in order to serve and protect its citizens,” he said. “The impact of a ransomware attack, if not properly managed, has the potential to grow far beyond the initial incident to affect everyone within the ecosystem, directly or indirectly.”