The recent attack on New Orleans City Hall was one for the history books. The incident began in the early hours of 13 December and persisted throughout the day. Now, after a close study of memory dumps taken during the attack, it has been attributed to the infamous Ryuk ransomware gang.
The City Hack
The city’s government services came under attack on December 13th this year. Kim LaGrue, the city’s Chief Information Officer, told the press that staff first noticed suspicious activity on their systems at 5 AM that morning.
The suspicion was confirmed about three hours later, when employees began logging into their systems. Federal authorities were notified for assistance, and the city shut down all of its servers to contain the attack.
Although all other electronic systems were taken offline, emergency communications such as 911, the fire and police departments and EMS were unaffected and continued responding to emergencies throughout. At that time, officials said they had not received any ransom demand and did not know who was behind the attack.
Tracing Through Memory Dumps
The incident was first linked to the Ryuk gang on the basis of files uploaded to VirusTotal, and the link was then confirmed by research from Colin Cowie of Red Flare Security.
— Colin Cowie (@th3_protoCOL) December 15, 2019
A memory dump is a snapshot of a system’s working memory, recording what the programs running in a given time period left behind. It can contain strings, file names, commands and other artifacts from an executable, which can be recovered and used in a later investigation.
Further investigation by BleepingComputer revealed a suspicious file named v2.exe (at the path C:\Temp\v2.exe) which contained many references to files with the .ryk extension, the extension Ryuk appends to the files it encrypts, along with references to New Orleans City Hall. While this points firmly to the Ryuk group, there are also signs that the attackers had been inside the city’s systems, snooping around, for a long time.
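The kind of triage described above, pulling printable strings out of a memory dump and looking for the indicators the article names (a suspicious executable path, .ryk file references, mentions of the victim), can be scripted in a few lines. The following is an added example written for this article; it is not code from BleepingComputer, Red Flare Security or the original post. The SAMPLE_DUMP bytes are constructed here to stand in for a real capture, and the looks_like_ryuk heuristic is the author's own weak rule, not an established detection signature.

```python
import re
from typing import Dict, List

# Constructed sample "memory dump" (not a real capture): binary filler with a
# few ASCII and UTF-16LE strings of the kind the article says a dump contains.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00\x03\x00\x00\x00\xff\xfe"
    + b"C:\\Temp\\v2.exe\x00\x00\x7f\x11"
    + b"New Orleans City Hall\x00\x05\x06"
    + "\\\\fileserver\\share\\budget.xlsx.ryk".encode("utf-16le")
    + b"\x00\x00\x13\x37\xde\xad"
    + b"C:\\Users\\Public\\report.docx.RYK\x00"
)

# Windows drive-letter or UNC path at the start of a recovered string.
WIN_PATH_RE = re.compile(r'^(?:[A-Za-z]:\\|\\\\)[^"<>|]+')
# Extension Ryuk appends to encrypted files; matched case-insensitively.
RYK_RE = re.compile(r"\.ryk$", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Recover printable strings from raw memory, like the `strings` tool.

    Both plain ASCII runs and UTF-16LE runs (how Windows keeps most paths
    and file names in memory) are returned, ASCII matches first.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def triage(data: bytes, victim_keywords=("New Orleans",)) -> Dict[str, List[str]]:
    """Bucket recovered strings into the indicator classes the article describes."""
    findings = {"executables": [], "paths": [], "encrypted_files": [], "victim_refs": []}
    for s in extract_strings(data):
        if WIN_PATH_RE.match(s):
            findings["paths"].append(s)
            if s.lower().endswith(".exe"):
                findings["executables"].append(s)
        if RYK_RE.search(s):
            findings["encrypted_files"].append(s)
        if any(k.lower() in s.lower() for k in victim_keywords):
            findings["victim_refs"].append(s)
    return findings


def looks_like_ryuk(findings: Dict[str, List[str]]) -> bool:
    """Hypothetical weak heuristic: an executable plus .ryk references in one dump."""
    return bool(findings["executables"]) and bool(findings["encrypted_files"])


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    for bucket, items in result.items():
        print(bucket, items)
    print("Ryuk indicators present:", looks_like_ryuk(result))
```

Run against a real dump, the same functions would take the file's bytes instead of SAMPLE_DUMP; the UTF-16LE pass matters in practice because most Windows paths and file names sit in memory as wide strings and are invisible to an ASCII-only scan.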