The City of New Orleans was Targeted by Ryuk Ransomware Actors

• New Orleans systems are down since Friday, and the city is running on an emergency network.
• The strain that was used in the attack was Ryuk, but Emotet and Trickbot might also be involved.
• As the city services are gradually restored, people are advised to be tolerant and understanding.

On Friday, the City of New Orleans in Louisiana suffered a ransomware attack that resulted in the immediate shutting down of their public service systems, including all servers and computers. What survived the attack was the emergency services that rely on a separate, isolated network. The city’s officials informed the authorities about what happened and publicized the incident through Twitter. Based on the investigation efforts that followed, and with the help of the FBI, it was discovered that the ransomware strain which hit them was “Ryuk”, one of the most dangerous and widely used types of malware right now.

Over the weekend, all citizen calls were diverted to the Emergency Operations Center, while the recovery is still ongoing. Some systems have been brought back to their normal operational state, but most are still impacted by up to a point. The major’s account on Twitter has provided an overview of the state of recovery only hours prior to writing this piece. As the same sources clarified, the City Hall will open today, albeit some services may be unavailable, or they may take longer to process than usual.

The Emergency Operations Center will remain activated to facilitate interagency response throughout this cybersecurity incident. The City asks residents and vendors for their patience and understanding as our Information Technology team works to restore all operations to normal. pic.twitter.com/vw2t15ywUR

— Mayor LaToya Cantrell (@mayorcantrell) December 16, 2019

As stated previously, the IT team which investigated the incident found no ransom notes, so the actors haven’t officially asked for the payment of any amount. This increases the chances of the occurrence being the result of an automated infection campaign based on phishing emails, which tells us something about the City’s network defense systems. To be fair though, there’s also the possibility of premature interruption of the attack, preventing the planting of a ransom note and indicating robust defensive mechanisms and timely network administrator response.

As for what information was compromised due to this incident, this includes domain names belonging to the City of New Orleans, domain controllers, internal IP addresses, user names, and various file shares. The official clarifications rule out the possibility of any citizen or employee PII data having been accessed by the actors. The truth is though, they will have to keep an eye on their systems for a while as the chances of having to clear Emotet and Trickbot remains from in there are pretty high. If you live in the New Orleans, you are advised to postpone any non-emergency tasks that would burden the city for next week, and generally try to maintain a patient stance towards the public services agents.

What would an effective solution against state-targeting ransomware be? Share your thoughts with us in the comments section down below, or on our socials, on Facebook and Twitter.