On the weekend of July 21st-22nd, 2018, the Matanuska-Susitna Borough of Alaska was struck by ransomware that encrypted all 500 of the Borough's desktop workstations and 120 of its 150 servers. Although the infection had been sitting in the Mat-Su network since May 3rd, 2018, it went unnoticed until mid-July. After discovering that some Windows 7 machines were infected with a Trojan, cybersecurity staff developed a script to remove it and planned to run it on Monday, July 23rd, but the full attack was launched earlier, and by then all machines were compromised.
To contain the ransomware infection, the whole Borough of Mat-Su, with more than 100,000 residents, was disconnected from its servers on Tuesday, July 24th, leaving local people without access to the Internet and phones. According to the Borough's Public Affairs Director Patty Sullivan, that did not stop Mat-Su employees from working: old-fashioned typewriters were used for issuing manual receipts, landfill fees, book patron lists and plenty of other documents in 73 different buildings. Until yesterday it was not known which virus caused the incident; however, the updated report revealed that not just one threat was responsible for the attack, but rather a collection of multi-vector malware.
What caused the Mat-Su cyber attack
With the help of many supporting agencies, companies and organizations, the conclusion was reached that the actor behind the attack was not a single virus but an 'Advanced Persistent Threat' that at first looked like a Trojan and ransomware, but actually contained many more features of other types of malware. The multi-pronged infection included the banking Trojan Emotet, a worm, the BitPaymer ransomware, a time bomb, a dead man's switch, manual remote manipulation by the hackers and probably even more malicious components. Since antivirus software is not yet capable of identifying and removing this multi-threat, the attack was given the 'zero-day' label.
As Eric Wyatt, the IT director of Mat-Su, reported, the virus was most likely delivered as a malicious attachment or link in socially engineered emails and infected only computers running Windows 7 and Windows 10. First, the Trojan was installed, opening the path for other threats to come in unnoticed and to spread further via the Outlook contact list. This foothold allowed the hackers to gain administrative rights and take over the computers on the network completely, gathering sensitive data, adjusting security settings and possibly sending the virus out to outside networks.
The FBI uncovered the most intriguing part of this multi-infection: after getting into the machines, the Trojan and worm just spread around, infecting masses of computers for weeks, and then each Friday the encrypting ransomware is activated. This is done on a Friday for a reason: everyone leaves for the weekend, so protection and reaction are not as fast, and the virus has time to perform other tasks. It is believed that the BitPaymer ransomware attack is just a cover that helps hide other malicious components which would lead investigators to the hackers. Also, paying the ransom has not resulted in the crooks handing over the decryption key.
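The pattern described above, weeks of quiet spreading followed by a burst of file encryption on a Friday evening when nobody is watching, is something a defender can alert on from file-audit logs. The following Python script is an added example, not code from the Borough, the FBI or any vendor mentioned here: it scans constructed audit-log lines (the `timestamp host user action path` layout is an assumption, as are the window, threshold and business-hours values) for a sliding-window burst of WRITE events from a single host and marks whether the burst falls outside business hours.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning values are assumptions for this illustration, not vendor defaults.
WINDOW = timedelta(minutes=5)   # sliding window length
THRESHOLD = 25                  # WRITE events from one host within WINDOW


def build_sample_log():
    """Constructed audit-log lines (not real Mat-Su data).

    Assumed line format: '<ISO timestamp> <host> <user> <action> <path>'.
    """
    lines = []
    # Ordinary daytime activity on two workstations, Friday 2018-07-20.
    base = datetime(2018, 7, 20, 9, 0, 0)
    for i in range(10):
        t1 = (base + timedelta(minutes=30 * i)).isoformat()
        t2 = (base + timedelta(minutes=30 * i + 7)).isoformat()
        lines.append(f"{t1} WS-0101 asmith WRITE C:/Users/asmith/Documents/report{i}.docx")
        lines.append(f"{t2} WS-0102 bjones READ C:/Users/bjones/Desktop/notes.txt")
    # One host writing 40 renamed files within three minutes on Friday evening.
    burst = datetime(2018, 7, 20, 18, 41, 0)
    for i in range(40):
        t = (burst + timedelta(seconds=4 * i)).isoformat()
        lines.append(f"{t} WS-0417 jdoe WRITE C:/Shares/Finance/invoice{i}.xlsx.locked")
    return "\n".join(lines)


def parse_line(line):
    """Split one audit line into (timestamp, host, user, action, path)."""
    ts, host, user, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, user, action, path


def off_hours(ts):
    """True on weekends or outside 07:00-18:00 (assumed business hours)."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 18


def find_write_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per host whose WRITE count inside any sliding
    window of length `window` reaches `threshold`."""
    writes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, _path = parse_line(line)
        if action == "WRITE":
            writes[host].append((ts, user))

    alerts = []
    for host, events in writes.items():
        events.sort()
        start = 0
        for end, (ts, user) in enumerate(events):
            # Slide the window start forward until it fits inside `window`.
            while ts - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({
                    "host": host,
                    "user": user,
                    "first_seen": events[start][0],
                    "last_seen": ts,
                    "writes": count,
                    "off_hours": off_hours(ts),
                })
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_write_bursts(build_sample_log()):
        flag = "OFF-HOURS" if alert["off_hours"] else "business hours"
        print(f"{alert['host']} ({alert['user']}): {alert['writes']} writes "
              f"between {alert['first_seen']} and {alert['last_seen']} [{flag}]")
```

The off-hours flag is what turns a plain volume alert into a priority one for an on-call analyst; in a real deployment the threshold would be tuned per host class, since backup agents and build servers legitimately write in bursts.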
FBI officials said that this pattern is not new, yet pretty rare, since the Mat-Su Borough was only its 210th victim. Interestingly, another city in Alaska, Valdez, is currently also under attack by similar malware, as the city has officially reported, and some other locations in Alaska are undergoing such cyber-attacks.
How the Borough is recovering from the BitPaymer ransomware
Right after discovering the BitPaymer infection, Patty Sullivan said, Mat-Su went offline to prevent the virus from escalating. People were unable to use phones, email or computers until IT specialists began solving the issue. With the FBI's expertise, a large number of IT experts and community members were gathered to help figure out the notorious infection. Meanwhile, local institutions, left with no computers or databases, had to use good old-fashioned typewriters. Take a look at the pictures of how Mat-Su employees worked typewriters into their routines.
At the moment, an update stated that the phone servers were fixed on Sunday and most of them are coming back online, starting with the most important ones such as Mat-Su administration, the public safety department and Animal Care. Furthermore, the government's backup servers protected most of the data, so the virus did not lock everything. Fortunately, credit card information was never stored online, which is why it was never at risk.
While the more than 20 agencies involved are still working day and night on the case, 110 of the 120 infected machines have already been cleaned, reimaged and are ready to be used by employees. The email server is still being rebuilt, sadly with a chance that older emails will not be restored. Slowly but surely, with the help of the IT community, Mat-Su is recovering from the 'zero-day' attack.
What are the future prevention plans of Mat-Su officials
In the PDF report, IT Director Eric Wyatt wrote that the Borough is planning to organize periodic user education training to prevent threats in the future, as well as to actively take part in information-sharing meetings to enlighten the community about cyber-attacks and possible ways to avoid them. As this example shows, virtual crimes are becoming more relevant in modern times, and not only individual users can become targets, so precaution and awareness when browsing are necessary at all times.
As for the encrypted files that have not yet been recovered, Wyatt said that the information will be stored for as long as needed until FBI agents recover the decryption keys, whether that takes months or years. To finish on a positive note, IT specialists and collaborating agencies are doing their best to fix the situation; a lot of data has already been unlocked and many computers cleaned, so the old typewriters can soon go back to rest in their closets, this time, hopefully, permanently.