Texas Municipalities Hit by REvil/Sodinokibi Paid No Ransom, Over Half Resume Operations

Cybercriminals who held to ransom the files of 22 Texas local government units for a combined ransom amount of US$2.5 million did not get a single cent, according to Texas state officials. This is due to a successful coordinated state and federal cyber response plan that was spearheaded by the Office of the Chief Information Security Officer at the Texas Department of Information Resources (DIR).

The coordinated REvil (also known as Sodinokibi) ransomware attacks happened in the early morning of August 16, 2019. According to the mayor of Keene, Texas, the ransomware was deployed through software that a third-party IT company uses to manage the municipality’s infrastructure. The other victim municipalities used the same software, which was also the means used to breach those cities’ networks.

During the cyberattack, the city of Keene reported that it had temporarily discontinued online and credit card payments as well as utility disconnections.

As of this writing, the Texas DIR reported that more than half of the impacted Texas municipalities were fully operational.

Coordinated Response in Affected Texas Municipalities

According to the DIR, just hours after learning of the simultaneous ransomware attacks, a response plan had been created and was executed by state and federal teams. The impacted municipalities were initially assessed, and those in need of more urgent assistance were prioritized. Teams removed the ransomware from infected systems and assessed the overall damage.

On day four after the coordinated attacks, the DIR reported that 25% of cyber response activities had already taken place in all affected municipalities. By August 23, the teams had transitioned from assessment and response to remediation and recovery. By this date, all business-critical services had been restored.

According to Amanda Crawford, Texas DIR’s Executive Director, the concerted effort between the different state and federal teams coupled with preparedness “allowed a very critical situation to be resolved quickly and with minimal impact for Texans.”

Despite reports of some government units having coughed up large sums of ransom payouts in the past, more and more have decided against paying cybercriminals. Recently, New Bedford, Massachusetts, disclosed that in July, it was hit by a Ryuk ransomware attack. Cybercriminals demanded a whopping US$5.3 million in bitcoin, but the city was only willing to give US$400,000. This counter-offer was turned down by the ransomware actors. The city then decided to restore files from backups since only 4% of the total number of the city’s workstations were affected by the attack.

Trend Micro’s Managed Detection and Response Service

Backed by 30 years of threat research experience, Trend Micro’s managed detection and response service — Trend Micro™ Managed XDR — provides access to experts who are proficient with live response and are familiar with products that can provide meaning to security incidents that happen to organizations and their industries. Trend Micro XDR applies the most effective AI and expert analytics to the activity data collected from its native sensors in the environment to produce fewer, higher-fidelity alerts. Global threat intelligence from the Trend Micro Smart Protection Network™ infrastructure combined with expert detection rules continually updated by threat experts maximize the power of AI and analytical models in unparalleled ways.

The Trend Micro Managed XDR service is backed by specialists who protect an organization’s IT environments through a comprehensive security technology stack. Trend Micro experts have the necessary tools and technologies to analyze threats and help organizations maintain a good security posture.


