How One Texas County Stopped a Ransomware Attack (#GotBitcoin?)
Hackers have hit cities across the country. Lubbock County was able to fend one off.
Isaac Badu’s IT department gets calls about strange behavior on Lubbock County’s 1,300 computers all the time.
But this time, it was different. The file icons on a county employee’s computer were changing before their eyes.
Mr. Badu, the first in-house director of technology and information systems for this Texas county, said he immediately suspected malicious activity. He instructed one of his staff to rush to the affected computer and take it off the network.
“We knew right away who that user was, and we had one of our technicians run over to that office,” said the 46-year-old Ghana native, who has been involved in internet security for 17 years.
Within 40 minutes of witnessing the first signs of a ransomware attack, the threat was over.
Though hardly revolutionary, the actions show how training, resources—and a bit of luck—can thwart hackers who have been hobbling U.S. cities and counties.
Lubbock County was one of 23 local government systems in Texas hit by a ransomware attack on the morning of Aug. 16. It appears to be the only one that successfully stopped the hackers, saving the county potentially hundreds of thousands of dollars and hours of work to repair computers and restore lost files.
Almost 200 miles north, in Borger, Texas, the ransomware attack wasn’t caught, hitting the city’s business and financial operations and services. It took another three days for operations to normalize, the city said.
Similar attacks were reported in Keene and Wilmer, two small cities outside of Dallas.
Many smaller municipalities in Texas have limited IT support, or outsource to a vendor, said Edward Block, the state’s former chief information security officer. “With a more complete IT program and security program, it’s easier to resist these type of events,” he said. “Places without an IT department on board, it’s going to take longer to recover.”
Local officials declined to comment, citing a continuing investigation. The Texas Department of Information Resources—which is investigating the attack, along with federal agencies including the Federal Bureau of Investigation and Department of Homeland Security—also declined to provide additional details. The state agency said it believes the source of the attack points to a single actor.
“Ransomware has been around for quite some time,” said Avi Rubin, professor of computer science at Johns Hopkins University and technical director of the Information Security Institute. “But recently, the big targets have been municipalities and local governments because they tend to have lower IT budgets than they should.”
Malwarebytes, a company that specializes in cybersecurity, said its government clients experienced seven times more ransomware attacks so far in 2019 than in all of 2018. Attacks against businesses more than tripled this year compared with last year, according to the company’s customer detection data.
Ransomware is a type of malicious software, known as malware, “designed to deny access to a computer system or data until a ransom is paid,” according to the Cybersecurity and Infrastructure Security Agency, a division of Homeland Security. It is most often delivered through email attachments or links that place malware on a device, from which it spreads to the broader system. After encrypting files, hackers usually demand payment in bitcoin in exchange for restoring access to files and systems.
Municipalities are generally less prepared than companies because of limited resources and difficulty competing for cybersecurity talent, security professionals say. They are also increasingly reliant on technology to deliver city services, and some have aging computer systems, according to Standard & Poor’s.
“Historically, cities haven’t been particularly well funded in terms of IT and IT security,” Mr. Block said. “They have proven to be an attractive target for attacks.”
The attacks can be costly. Earlier this year, a ransomware attack hobbled Baltimore’s government after the city refused to pay hackers the $76,000 they demanded. The city’s systems were in disarray for well over a month, leaving residents unable to pay fines, receive water bills and even buy property. Baltimore estimated the attack cost it at least $18 million, including the potential lost revenue from fines and property tax collection.
Ultimately, stemming the increasing threat of attacks can happen only through a robust, well-funded and vigilant IT department, said Mr. Rubin, the professor.
“So many places, IT resources are there to just get things working and keep the lights on,” he said. “What you really need are security experts, and you need to spend money on that.”
Mr. Badu’s IT department benefited from a larger resource pool than some of the other Texas municipalities hit.
Lubbock County has a population of around 300,000. The city of Borger has about 12,600 residents.
It can also come down to the right timing and some luck.
After sending one of his team to take the affected computer off the network, Mr. Badu and his team worked to locate the device from which the suspicious activity originated. Mr. Badu also sent a countywide email alerting other users to be cautious while his team worked.
Lubbock County Judge and Commissioner Curtis Parrish lauded the department for catching the attack at such an early stage. He pointed to the regular training the county’s roughly 1,500 employees receive on suspicious computer activity, no matter how small.
“This is stuff IT departments deal with all the time,” Judge Parrish said. “But you’ve got to have the proper IT department in place and you have to have the proper training in place, and the proper investment in your infrastructure.”
Mr. Badu, who ran IT departments in other Texas cities before taking up his role in Lubbock this year, said that when you have the right planning and resources in place, there is no need to pay a ransom.
“If your file is encrypted, you just restore it and you’re good to go,” he said.
German Programmer ‘Hacks Back’ After Bitcoin Ransomware Attack
German programmer Tobias Frömel (aka “battleck”) has “hacked back” the perpetrators of the Muhstik ransomware who forced him to pay 0.09 Bitcoin (BTC) to recover access to his files.
In a Bleeping Computer forum post on Oct. 7, Frömel revealed that he had hacked the attackers’ database, sharing almost 3,000 decryption keys and a free decryptor with fellow victims.
An illegal but sweet revenge
Bleeping Computer previously reported that publicly exposed QNAP NAS devices have been targeted by ransomware dubbed Muhstik. The attackers extorted a fixed “fee” of 0.09 Bitcoin — roughly $740 at press time — from victims to recover access to their data via decryption keys.
Having himself paid €670 to the Muhstik perpetrators, Frömel hacked back their command and control server. He told Bleeping Computer that he had succeeded in retrieving the unique Hardware IDs (HWIDs) and decryption keys for the 2,858 Muhstik victims stored in the attackers’ database.
Victims have since confirmed in Bleeping Computer’s Muhstik support and help forum that the HWIDs are accurate and that the decryptor works.
Having succeeded in his task, Frömel conceded that his action was illegal, but argued that it was well-intentioned. He also provided a Bitcoin wallet address for fellow victims to tip him for his labor.
Since Frömel’s work, anti-virus firm Emsisoft has released decryption software for victims running ARM-based QNAP devices, which reportedly were not supported in Frömel’s release.
A growing threat
Last month, Emsisoft also released a new free fix for the Bitcoin-demanding ransomware WannaCryFake.
In August, Cointelegraph reported on McAfee Labs’ research indicating that ransomware attacks had increased by 118% in the first quarter of 2019.