Cyber attack

Article originally published on: https://arstechnica.com

Lubbock County managed to isolate the attack quickly. Others, not so much.

Few details have emerged about the coordinated ransomware attack that struck 22 local governments in Texas last week. But five local governments affected by the attack have been identified.

On August 20, the Texas Department of Information Resources revised its initial report that 23 “entities” had been affected by the ransomware attack, reducing that count by 1. And a Texas DIR spokesperson said in a statement that about a quarter of the local governments affected have been able to at least partially restore normal operations.

That includes Lubbock County, which apparently escaped major disruptions. Lubbock County judge Curtis Parrish told Magic 106.5 Radio that the county’s IT department “was right on top of it… they were able to get that virus isolated, contained and dealt with in a very quick manner so it did not affect any other computers or computer systems here in Lubbock County.”

Other, smaller local governments were not as lucky. Borger, Texas, which has a population of about 13,000, was one of the first to go public. On August 19, Borger city officials announced on Facebook that the ransomware attack had “impacted normal City business and financial operations and services.” A continuity of operations plan had been put into effect to “provide basic and emergency services (Police, Fire, 9-1-1, Animal Control, Water, Wastewater and Solid Waste Collection),” but there was no estimate of how long it would take for full services to be restored.

A spokesperson for the City of Kaufman, Texas, announced on Facebook that Kaufman had also been affected by ransomware. “The City of Kaufman Computer and Technology Services has been severely affected by an outside source,” the spokesperson said in an August 19 post. “At this time, all of our computer and phone systems are down and our ability to access data, process payments, etc. is greatly limited.” Kaufman’s police and fire departments remain operational, according to the statement.

Today, the LA Times reported that Keene, Texas—a small incorporated city of 6,500 people 40 miles south of Fort Worth—was also hit by the ransomware. While Keene’s police and utilities were not affected, the city’s payment system for water bills was taken down.

But the hardest hit known so far is the City of Wilmer, a community of about 3,600 in Dallas County. According to a report from CBS’ Dallas/Fort Worth affiliate, systems at Wilmer’s police department, water department, and public library were affected. City workers reported that when they turned on computers, they were greeted with a blue screen carrying the message, “all your files are encrypted.”

While the ransomware used in the attack has not been identified, the details reported thus far do not appear to match with the ransomware used in attacks on local governments in June and July. Those incidents involved the Ryuk malware, which leaves a ransom note in the form of a text file on the victims’ computers. However, the new attack does appear to be targeted.

Small cities are a favored target of ransomware operators because they’re more likely to pay, according to Chris Hinkley, a senior security researcher with the Threat Resistance Unit (TRU) team at the cloud security provider Armor. “The enormous impact of city’s operations, like 911, courts, police and fire, and even non-emergency services creates a huge sense of urgency and anxiety,” Hinkley explained. “With the high level of urgency and potentially mission-critical value of the data being held hostage, the threat actors are more likely to get paid, and at a higher amount, than if they attacked another target.”

Hinkley said that it was not surprising that Texas had been hit hard by ransomware—aside from the 22 attacks in last week’s coordinated ransomware campaign, “there are seven other Texas municipalities which have been victims of ransomware in 2019,” he said. Texas has 1,216 incorporated cities, of which only 35 have more than 100,000 residents. That, Hinkley said, makes for a “very large attack surface.” And smaller cities are less likely to be able to defend themselves adequately against ransomware.