The New Orleans Cyberattack: You Can’t Fight City Hall, but Apparently, You Can Take It Hostage

Someone just morphed ransomware into a DDoS attack strategy. About three days ago (December 13th), the Big Easy (New Orleans, Louisiana) was hit by a ransomware attack, and more interestingly, declared a state of emergency as a result. I’d send you to the City of New Orleans website for that document, but it’s still down as a result the cyberattack.

The New Orleans Cyberattack: What Happened

According to Kim LaGrue, the chief information officer (CIO) of New Orleans, Security Operations Center (SOC) workers first detected the attack around 5:00 a.m. U.S. Central time Friday, December 13. By 8 a.m., city SOC workers found that through phishing, the ransomware began to spread even more quickly.

Early indications from the Bleeping Computer site seem to suggest that this ransomware attack was a variant of Ryuk, a form of ransomware that often demands bitcoin in exchange for decrypting files. Who knows if Bleeping Computer is right, but, let’s suppose New Orleans has succumbed to a variant of Ryuk. Attackers that use Ryuk tend to target major government, infrastructure entities and providers, such as refineries, hospitals, schools and care facilities.

Early Takeaways From the New Orleans Cyberattack

It’s always dangerous to draw too many conclusions on an early story, especially because the media hasn’t been particularly accurate when it comes to reporting about cybersecurity incidents. I’ve heard from CIOs and vice presidents of security from a diverse group of organizations, including the State of Colorado, British Telecom (BT), Target, that the news media gets a small percentage of the actual story right. News is notoriously elliptical and even inaccurate concerning what is really going on.

Nevertheless, here are a few insights that I’ve gathered:

1. We’re seeing ransomware expand its reach: Ransomware is now combining very effectively with phishing and physical attacks. As attackers combine physical and cyber-attacks, we’re going to see more dire results, unless organizations are protected.
2. The addition of distributed denial of service (DDoS) to ransomware: Today, ransomware does more than just ask for bitcoin, as it seems has happened in New Orleans. Ransomware has combined with DDoS attacks. As a result, ransomware has become far more dangerous.

The Cybersecurity Landscape

A couple of years ago, I led a roundtable of cybersecurity workers at the Churchill War Rooms. Our resulting whitepaper, The UK Cybersecurity Landscape 2017 And Beyond: A Report, outlines many of the issues, including the two above, that we’re now seeing as a result of the New Orleans cyberattack.

Best Practices For Incident Response

Funnily enough, CompTIA has teamed up with British Telecom (BT) to create a microcourse about incident response. We’ve partnered with the security professionals at British Telecom (BT), who have outlined their deep understanding of the best practices in incident response. It’s not enough to just refer to standards such as NIST 800-161. Incident response involves much more than just understanding a standard.

Organizations need to regularly prepare and practice:

• Prepare: Create backups.
• Practice: Conduct tabletop exercises, as well as live fire events and war games

Tactically, an incident response plan should include the following steps:

• Obtain definitive knowledge: I’ve noticed that the most mature organizations are able to obtain validated, accurate data quickly. If the reports we’re reading are accurate, the City of New Orleans was able to obtain data they felt was valid. The data had a high confidence level.
• Take decisive action: The state of emergency declaration is very interesting in this regard. Rather than being a desperate move, this move seems to be well considered and part of a rehearsed response. This could set a very a good precedent.
• Consider ramifications: Any good response thinks well beyond the affected data or systems. It focuses on how people are affected.
• Be transparent: The city has done a good job explaining not only what has happened, but the ramifications. As much as possible, they have communicated effectively.
• Communicate clearly: The city has taken measures to communicate with the media, as well as through its own resources, as available. The more ominous result of this attack is that with a declaration of disaster, the city has said it needs to “thoroughly prepare for and respond to any eventuality,” and take “extraordinary measures.” I’ve heard quite a few people snark over the past couple of days that you’re supposed to take measures long before a cyberattack. You shouldn’t have to prepare after the horse has left the barn.
• Create and properly use backups: Hopefully, the City of New Orleans has a good backup strategy.

Follow CompTIA on YouTube to be the first to see our microcourse when it’s released.

The Aftermath of a Cyberattack: Restoring from Backup and Recovering Paper Transactions

As a result of the New Orleans cyberattack, many city workers have had to go back to using pen and paper rather than networked resources. This reminds me of a story I was told years ago by a Disney employee.

Around 2002, a cruise ship docked and connected to the Disney network. The cruise ship was infested with a particularly nasty computer worm, which spread throughout much of Disney’s network in Florida. As a result, Walt Disney World employees couldn’t use the standard Point of Sale (POS) systems anymore. They were reduced to filling out old-fashioned paper carbon copy forms to get customer credit card information for purchases of tickets, souvenirs and food.

The resulting mess took weeks to clean up. Workers had to to clean up more than just the infected systems. They also had to recover from the backlog of paper-based transactions that had to be converted into electronic form.

Is This a Sign of Future Cyberattacks?

We’ve seen government entities worldwide fall victim to ransomware attackers for years, but, this particular cyberattack seems to be a bit different:

1. First, the City of New Orleans has responded much differently. By declaring a public state of emergency, it has shown that cybersecurity incidents represent a true, existential threat to not only how a city works, but also to its people.
2. Second, this particular cyberattack seems to have combined a cyberattack with phishing in a much more creative way.
3. Third, it seems that these attackers aren’t just going after the lowest-hanging fruit. They seem to be going after entities and organizations that are the most ripe for an attack.

Currently, there is no evidence that these attackers used artificial intelligence (AI) resources to wage the attack. But this is going to be a reality, if it isn’t already. One of the new worries is that ransomware and DDoS attacks aren’t designed to simply extort money.

Increasingly, they are being used for two primary purposes:

1. Release sensitive information: Attackers are now resorting to exposing information as part of an attack strategy. Heavily regulated industries (e.g., insurance companies, financial institutions) and organizations (e.g., governments) are increasingly worried about fines and/or losing credibility in the face of cyberattacks.
2. Manipulate the workings of an organization, as well as the data it creates: Cyberattacks have long been conducted for political reasons and to manipulate groups of people. But we are also seeing how cyberattacks are now being conducted to interrupt physical activities. For example, the City of New Orleans has had to suspend its municipal and traffic court meetings today. Imagine the services that a more concerted attack could undermine.

Why Are These Types of Cyberattacks Increasing?

Typically when government institutions are attacked, you hear common excuses:

1. City, state and federal government agencies are chronically under-funded, resulting in a lack of two things: 1) finding and retaining talented IT pros and 2) obtaining funding for software, hardware and security resources (e.g., SIEM software)
2. Governments are major targets of well-funded state threat actors

But, we’re also seeing an increase of these attacks because the perpetrators are obtaining far more granular information about their potential victims, based on input from conclusions that sophisticated AI-driven reconnaissance can provide.

Security Awareness Training: A Part of Incident Response

One of the first lessons is that all organizations need to conduct more employee-based security awareness training. Social engineering (e.g., phishing, spear phishing and deep fakes) remains a major issue.

Second, it’s all about backups. I don’t know what type of backup program New Orleans has in place. Hopefully, it’s as good as the ones that ASL Airlines and the State of Colorado have had in place.