It was Ryuk that also hit state government servers in November, forcing a shutdown. State officials said they did not pay a ransom or lose any data in that incident.
Colin Cowie, founder of Red Flare Security, a cybersecurity research firm in Indianapolis, found the Ryuk connection to the New Orleans cyber-attack on Saturday night in a search through files uploaded to a popular malware analysis service.
Other cybersecurity experts have concurred with Cowie’s assessment that whoever forced a total network shutdown in the city likely deployed Ryuk to do it.
That also means that malware had probably been spreading across the city’s computer system for much longer, scooping up vital username and password data before someone, somewhere sat down at a keyboard and unleashed havoc, security experts said.
“You’ve got the intruder in the system under a typical situation like this for weeks if not months,” said Andrew Lee, an attorney who heads the cybersecurity team at the Jones Walker law firm in New Orleans.
“Traditionally the ransomware attacker doesn’t steal the data,” only demanding payment, he said. But Lee and others noted that some hackers are now doing both.
A spokesman for Mayor LaToya Cantrell’s office declined to answer several questions about the ransomware attack and the link to Ryuk in an email response Tuesday afternoon, including whether any data was stolen.
“The forensic investigation into this incident is active and ongoing, and the city is working closely with our state and federal partners in that process,” the response read. “We have no further comment at this time.”
City agencies have turned to paper, and some services have been curtailed. But most municipal agencies were open for business Tuesday, and Municipal and Traffic Court was slated to reopen Wednesday.
Cowie said one city file that Ryuk encrypted had the name “contracts and revenue.” Just what information it may have contained — or whether the city will be able to retrieve it — officials declined to say.
Lee said one obvious concern is whether financial data, such as bank wiring information, was taken. But that would likely be just one of many files that Ryuk managed to encrypt before officials powered off all the city's computers Friday, experts said.
Ryuk was first discovered 16 months ago and has become popular among “a variety of different threat actors,” including “crime organizations out of eastern Europe or Russia that do this stuff every day,” Cowie said.
Experts said such ransomware attacks usually start with “phishing,” a scattershot approach to infiltrating computer networks through deceptive email invitations to click. But security experts said that groups using Ryuk don’t stop with automation.
“It’s the team behind it. It’s a criminal organization that’s running this thing,” said Wesley McGrew, director of cyber operations at Horn Cyber, a security firm with offices in Mississippi and Tennessee. “This is not ‘fire and forget it.’ They don’t just randomly attack individual machines on the internet with this thing.”
Instead, Ryuk was designed to target “enterprise” computer networks — those with the potential for big ransom payoffs.
Once malware gains access, through phishing or a vulnerability in remote desktop software, for instance, “trickbots” go to work harvesting email addresses, log-ins and other user information, experts say.
“They try to find the most impactful machine that has the most access to the most stuff,” and tap it “with the user account with the most access to the most stuff,” McGrew said.
Then, with some keystrokes from afar, Ryuk was likely unleashed to encrypt as many New Orleans city files as it could lock down before it was stopped. Just how long it had been operating before the city discovered the breach and shut down the system Friday is uncertain.
McGrew said ransomware like Ryuk came about when criminals struggled to profit from selling stolen data on the “dark web.”
“These criminals figured out that the people most likely to want to spend money on this data are the people they stole it from,” he said. “Why bother to (take) it when you can encrypt it in place and hold onto the key?”
Cowie said ransom messages usually demand payment in Bitcoin. Often enough, the victims pay up.
He recently located a Bitcoin wallet, tied to a Ryuk ransomware threat, that showed a payment of 300 bitcoin — valued now at about $2 million — on Nov. 14.
Two Florida cities, Lake City and Riviera Beach, have acknowledged paying out a combined $1 million this year to hackers after similar attacks seized up operations in those cities.
In May, Baltimore’s servers were attacked by a strain of ransomware known as RobbinHood. The hackers demanded $76,000, with a threat to increase the ransom. The city refused to pay, but it cost an estimated $18 million to restore the system.
“The impact of the ransom outstrips the cost of the ransom, regardless of whether you pay it or not,” McGrew said. “You’re up for just a tremendous amount of incident response, downtime, bringing in consultants. It’s a mess.”
The FBI in October warned that ransomware attacks were growing “more targeted, sophisticated and costly, even as the overall frequency of attacks remains consistent.”
According to a study put out last week by Emsisoft, a security and anti-virus company, the U.S. in 2019 faced an “unprecedented and unrelenting barrage of ransomware attacks.” The study tallied 103 state and municipal governments and agencies hit this year, along with 759 healthcare providers and 86 universities, colleges and school districts nationwide.
Just how much of New Orleans' data is frozen, and how much of it the city will be able to recover, is uncertain. Cantrell has said it’s likely to be at least until next week before the system is restored.
In the meantime, the city is working to scrub clean about 4,000 computers at agencies across the city.
“The good news is, because they’re going through and scrubbing all of their systems,” Lee said, “typically with the right software and professionals working on that, you should be able to get a clean start.”
©2019 NOLA Media Group, New Orleans. Distributed by Tribune Content Agency, LLC.