Colorado DOT Recovering From Two Ransomware Attacks Within Past Two Weeks
Hackers used a variant of the SamSam ransomware to demand payment in bitcoin
Officials at the Colorado Dept. of Transportation report "steady progress" toward recovering from two vicious ransomware attacks on the agency's computer network within the past two weeks.
CDOT shut down computers for its nearly 2,000 employees after the initial attack on Feb. 21, despite the fact that only a portion of its computers—mostly those running Windows software—were affected. CDOT said it had nearly 20% of the affected computers scrubbed and back online when a second attack on March 1 locked them up again.
Hackers may have used a variant of the SamSam ransomware to take control of the system. They demanded a ransom for release of the agency's files, to be paid in bitcoin.
Employees with infected computers saw this message immediately after the attack: "All your files are encrypted with RSA-2048 encryptions. … It's not possible to recover your files without private key. … You must send us 0.7 BitCoin [around $6,500] for each affected PC or 3 BitCoins [around $27,800] to receive ALL Private Keys for ALL affected PCs."
The state did not pay any ransom, says CDOT spokeswoman Amy Ford.
"We're starting to get everyone back online," Ford says. "Our office email is back up, and the network is slowly returning to where it should be." She says she does not have a timeline for completion of the recovery work and can't comment on details of the investigation into the attack.
CDOT technicians worked with the FBI and cybersecurity experts from the state's Office of Information Technology to battle the ransomware and restore the network, but employees were forced to use pen, paper and personal mobile devices to get their work done during the shutdown.
Officials said the agency's critical functions, such as snowplowing operations and safety alerts, were not affected by the attack.
Although Colorado state IT personnel won't say how the ransomware got into the transportation agency's computers, they offer employees (and individual users) the same advice heard from cybersecurity experts elsewhere:
- Keep your network's or your computer's software security up to date.
- Change your password frequently and make sure it is sophisticated enough not to be easily guessed or stolen.
- Be careful about opening suspicious emails or attachments, especially from people or sources you do not know.
And be aware that new forms of phishing and cyber schemes surface all the time. One such example comes from Stu Sjouwerman, founder and CEO of KnowBe4 Inc., publisher of the online newsletter CyberHeistNews.
He warns of a new scenario that's especially difficult to spot; it involves people you know—vendors, customers or industry colleagues—whose email accounts have been hacked and whose passwords have been stolen.
The hacker studies their past email correspondence and then uses that email account, often including the person's name, title, company logo, etc., to create convincing copies of legitimate past emails. The hacker sends those emails out with attachments, PDFs, etc. that may contain ransomware or other cyber threats.
Sjouwerman says: "Because these emails are coming from a real email account for a real business partner, they are very hard to identify and, in some cases, are literally impossible to detect."
The best solution, he says, is to be alert for clues like bad grammar or spelling or other red flags in the content. And if you see anything suspicious, call or otherwise contact the individuals offline and ask them if they sent such an email before opening the attachment.
Sometimes old-school street savvy is the best remedy.
There's more good advice at info.knowbe4.com.