How New Orleans Defeated a Ransomware Attack

NEW ORLEANS, LOUISIANA - Early on a Friday morning in December 2019, a team monitoring the computer network that runs New Orleans city government noticed something suspicious.

Kim Walker LaGrue, Chief Information Officer of the City of New Orleans, told VOA: “It looked like a user with the wrong credentials was trying to access the data center, but it was possible that one of the admins was working early in the morning. I didn’t think it was malicious.”

It was 5 a.m. Within hours, similar activity affected multiple users, and the service desk was called in to investigate.

From there, it didn’t take long for LaGrue’s team to figure out what was going on.

“We have confirmed that a ransomware attack has been launched against the city,” she said.

Ransomware is malicious software installed on a computer network to look for sensitive data. Once that data is found, the attackers threaten to publish it or block access to it until a ransom is paid.

This kind of attack was not unfamiliar to New Orleans City Hall. A month earlier, the state of Louisiana itself had been hit by another ransomware attack.

In fact, in 2019, 106 city and county governments were targeted by ransomware attacks, and the problem appears to be getting worse. Last year, the United States saw more than 65,000 similar attacks. Ransomware has drawn renewed attention recently after attacks on a US oil pipeline and a major meat processor.

Vince Gremillion, owner and founder of Restech Information Services, a cybersecurity company based in the New Orleans area, explains:

“Ransomware attacks can be very lucrative for attackers, and victims are often not equipped to thwart them. If anything, I’m surprised this doesn’t happen more often.”

The attack started with phishing

Phishing is the sending of emails that pretend to come from a reputable company in order to get the recipient to disclose personal information such as passwords. This is often done by inducing the victim to click a link in the email.

This is how the New Orleans attack began.

“It had been building up over the previous few days,” LaGrue explained. “A few days before we detected anything, one of our employees on the network clicked on a link that they thought was legitimate.”

Email is just one way criminals try to break into systems, Gremillion said.

“It may sound like an exaggeration, but every time a new Internet connection is established, it is being probed for vulnerabilities,” he said. “It’s all automated, and they’re just looking for weak passwords they can use. Unfortunately, there are many weak passwords.”

Gremillion says attacks can come from anyone, anywhere, but experts such as Andrew Wolfe, director of cybersecurity degree programs at Loyola University, say they often originate in Iran, North Korea, the former member states of the Soviet Union, and countries such as China.

“The attack doesn’t necessarily come directly from a foreign government, but it’s not just some nasty guy in a Siberian hut either,” Wolfe told VOA. “The line between individual hackers and governments is really blurry.”

US officials have traced some of the recent ransomware attacks to Russia. Russian President Vladimir Putin has not denied that ransomware attacks originate in his country. However, he categorically denies Russian government involvement or coordination with the hackers.

Wolfe said an entire industry has evolved around these attacks.

“Some people focus on developing ransomware, others carry out the attacks,” he said. “Some are creating new and better ways to collect ransoms and launder the money, while others provide actual customer service to the criminals. There is now an entire dark supply chain.”

Prime target

“Once the employee clicked on the malicious link, the attackers were able to gain access to the network,” explains LaGrue.

She said the attackers then began uninstalling the antivirus software that could have detected the attack. They methodically removed the layers of security protecting the system.

Gremillion said the speed at which hackers can take over vulnerable systems is staggering.

“We’ve seen examples of Russian hackers getting control-level access to a system in 20 minutes,” he said. “That’s incredibly fast, and that was a few years ago. It’s probably even faster now.”

After criminals gain that level of access, they go after the organization’s sensitive data and use it to extort a ransom.

Local governments are often the target of ransomware attacks, Wolfe said, for several reasons.

“One is that we really need this data. Cities perform so many important tasks, such as public health, public safety, and taxes, that they cannot afford to lose access to that data. Attackers know this, but they also know that local governments do not have a great reputation for having the most capable IT staff when it comes to system security.”

In addition to lax security around valuable data, the growing likelihood that insurers will agree to pay the ransom on behalf of local government clients is another reason attackers concentrate on cities like New Orleans.

Changing situation

“Now, to be fair, the way New Orleans handled the ransomware attack was almost a best-case scenario,” Wolfe said.

By the time system administrators understood what was happening, the criminal hackers were already well on their way to gaining control of the data needed to demand a ransom. At that point, city officials made a decision that the experts singled out for praise.

“The mayor, LaToya Cantrell, declared a state of emergency, and we instructed all employees to shut down and unplug their computers and disconnect from the Internet,” LaGrue said.

The massive shutdown temporarily halted many of the city’s functions, but it also made it impossible for the hackers to continue their attack.

“I don’t want to underestimate how difficult and burdensome it was for city agencies to do so much work manually, but we understood that cyberattacks are becoming more frequent and require preparation. When the problem came, we carried out the plan.”

But even a well-executed plan turned out to be expensive. LaGrue said that recovering from the attack, even though it was thwarted, came with a price tag of about $5.2 million.

That’s well below the $17 million Atlanta, Georgia spent after its 2018 ransomware attack, and the $18.2 million Baltimore, Maryland spent on recovery in 2019. Still, the cost to New Orleans was considerable.

“Most of it was inventory replacement,” says LaGrue. “We had to replace about 600 devices (nearly 25% of our inventory) to make sure none of our computers were still infected with the malware.”

And the cost wasn’t only financial. In addition to replacing those devices, the city assessed and cleaned more than 3,000 computers and 200 virtual servers. It also built new storage and security infrastructure. The recovery lasted for months.

Meanwhile, according to Wolfe, the city had to suspend or postpone basic municipal functions.

“They were still able to perform essential functions like public safety,” he said. “But there were places where it was very difficult to pay a parking ticket or get a building permit, for example.”

Cybersecurity prioritization

LaGrue acknowledged that the city had to put some priorities on hold until it recovered from the attack, but she feels City Hall came out of the process stronger.

“This allowed us to improve our cybersecurity infrastructure in ways that probably would not have been possible without the attack,” she said. “For example, these improvements allowed employees to work securely from home much sooner than would otherwise have been possible.”

The city also better understands the importance of ongoing cybersecurity training for its employees.

“If we have 4,000 employees, that means there are 4,000 potential cybersecurity vulnerabilities,” says LaGrue. “We need to make them more aware of the threats they may encounter while online.”

Experts such as Gremillion are pleased with the improvements, but say they want organizations to protect their networks before a crisis hits.

“Half of all Internet traffic is malicious, but IT departments don’t seem to behave that way,” he said. “The priority seems to be getting rid of things like having to wait after entering the wrong password too many times before you can log in. But those ‘inconveniences’ are what keep your network secure.”

Gremillion believes such security measures are essential to avoiding painful and costly attacks in the future. They range from complex security layers that can take a day or two to implement to very simple ones.

“Start with passwords. What are you doing if you are still using your initials or ‘password’ as your password? Cyber criminals are getting more and more sophisticated. The good news is that the systems used to repel those criminals are getting more advanced too. So we need to educate ourselves. If you don’t, the results will only get worse, and you need to do better.”
