Ransomware-seized New Orleans declares state of emergency

On Friday, the US city of New Orleans became the latest local government to be held hostage to ransomware.

The ongoing attack caused Mayor LaToya Cantrell to declare a state of emergency. During a press conference on Friday, the mayor confirmed that it was a ransomware attack, and that its activity started around 5 a.m. that morning.

The city spotted the suspicious activity on its networks around 11 a.m., at which point it basically turned itself off.

According to NOLA Ready – the city’s emergency preparedness campaign, managed by the Office of Homeland Security & Emergency Preparedness – the city powered down all of its servers, took down all NOLA.gov websites and told employees to power down their computers, unplug devices, and disconnect from Wi-Fi. Emergency communications weren’t affected, according to NOLA Ready, with the 911 emergency and the 311 city service phone lines still operational.

The city pulled local, state, and federal authorities into a (still pending) investigation of the incident. As of last night, the city was still working to recover data from the attack but planned to be open as usual.

Did NOLA get Ryuk-ed?

Cantrell has confirmed that this is a ransomware attack, but that no ransom demand has yet been made. Federal and state investigators have been called in to help with the investigation.

Bleeping Computer reported that, based on what look like memory dumps of suspicious executables that were uploaded to the VirusTotal scanning service on Saturday, the day after the attack, it looks like it was done by the unfortunately very active threat actors behind the Ryuk ransomware.

Security researcher Colin Cowie, of Red Flare Security, found that one of the sets of files contained numerous references to New Orleans and Ryuk.

Cowie shared one of the memory dumps with Bleeping Computer. It’s for an executable named yoletby.exe that contains both references to the Ryuk ransomware as well as references to the City of New Orleans, including domain names, domain controllers, internal IP addresses, user names, and file shares.

After digging around in the file names, Bleeping Computer also found an executable that it confirmed was Ryuk. Inside that executable there’s a string that refers to the New Orleans City Hall, the publication reported.

As of Monday, New Orleans hadn’t confirmed whether or not Ryuk was used in the attack. However, it wouldn’t be surprising if it were indeed Ryuk, given how active its threat actors are.

Ryuk is an especially pernicious ransomware variant. Recently, among a long list of nasty acts, it’s been used to prey on our elders: last month, a Ryuk attack froze health record access at 110 nursing homes. It was also recently used in a ransomware attack that affected hundreds of veterinary hospitals.

Since appearing in 2018, variants of Ryuk (named after a character in the manga series Death Note) have also been blamed for numerous attacks on US state and local governments, including the city of New Bedford in Massachusetts.

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.