The recent hack on New Orleans City Hall was one for the history books. The incident began in the early hours of December 13th and persisted throughout the day. Now, after a close study of memory dumps from the attack, it has been attributed to the infamous ransomware group Ryuk.
The City Hack
The city's government services came under attack on December 13th this year. Kim LaGrue, the city's Chief Information Officer, told the press that suspicious activity had been noticed in their systems at 5 AM on December 13th.
Three hours later, the suspicion was confirmed as employees began logging in to their respective systems. Federal authorities were soon informed and asked for help, and all of the city's servers were shut down to contain the attack.
Although all electronic systems were shut down, emergency communications such as 911, the fire and police departments, and EMS were unaffected and continued responding to emergencies throughout. At the time, officials said they had not yet received any ransom call or note and did not know who was behind the attack.
Tracing Through Memory Dumps
This incident was first linked to the Ryuk gang based on the reports uploaded to VirusTotal. It was later confirmed by the research of Colin Cowie from Red Flare Security.
The city of #neworleans was hit with #RYUK Ransomware! Looks like it encrypted their "Contracts and Revenue" file share
https://t.co/PtfHjcYQA0 pic.twitter.com/cP4EcvgoPu
Colin Cowie (@th3_protoCOL), December 15, 2019
A memory dump is a snapshot of the system's memory that records the state of all applications running in a specific time period. It may contain strings, file names, commands, and other information from executable files, which can be recovered and used in later investigations.
Further investigation by BleepingComputer revealed a suspicious file named v2.exe (at the path C:\Temp\v2.exe), together with many files bearing the .ryk extension (the one used by Ryuk ransomware) and several references to New Orleans City Hall. While this points to the Ryuk group, there are indications that the malware operators had been inside the city's systems, snooping around, for a long time.
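As an added illustration of the string-level triage described above (this is example code, not BleepingComputer's or Red Flare Security's analysis), the script below carves printable ASCII and UTF-16LE strings out of a raw memory buffer and flags the indicators the article mentions: the .ryk extension, the C:\Temp\v2.exe path, and references to New Orleans. The dump bytes are constructed for the example.

```python
import re

# Constructed sample "memory dump": filler bytes around a few ASCII and
# UTF-16LE strings. The indicators are the ones the article mentions;
# everything else is made up for the example.
SAMPLE_DUMP = (
    b"\x00\x01\x02junk\x00"
    + b"C:\\Temp\\v2.exe\x00\xff\x10"
    + "Contracts and Revenue".encode("utf-16-le") + b"\x00\x00\x7f"
    + "budget_2019.xlsx.ryk".encode("utf-16-le") + b"\x00\x00"
    + b"New Orleans City Hall\x00\x03\x04"
)

# Runs of at least six printable ASCII bytes.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
# Windows keeps most paths and file names as UTF-16LE: each printable
# ASCII byte is followed by a NUL byte.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(dump: bytes) -> list[str]:
    """Return ASCII and UTF-16LE strings found in the buffer, in offset order."""
    found = []
    for m in ASCII_RE.finditer(dump):
        found.append((m.start(), m.group().decode("ascii")))
    for m in UTF16_RE.finditer(dump):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return [s for _, s in sorted(found)]


# Indicators drawn from the article (case-insensitive).
INDICATORS = {
    "ryuk_encrypted_file": re.compile(r"\.ryk$", re.I),
    "suspicious_executable": re.compile(r"^[a-z]:\\temp\\v2\.exe$", re.I),
    "victim_reference": re.compile(r"new orleans", re.I),
}


def triage(dump: bytes) -> dict[str, list[str]]:
    """Map each indicator name to the recovered strings that match it."""
    hits: dict[str, list[str]] = {name: [] for name in INDICATORS}
    for s in extract_strings(dump):
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits[name].append(s)
    return hits


if __name__ == "__main__":
    for name, matches in triage(SAMPLE_DUMP).items():
        print(f"{name}: {matches}")
```

On a real dump, read the file in binary mode and pass the bytes to triage(); matching strings give offsets worth examining further with a proper memory-forensics tool.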
Source: BleepingComputer