The city of Augusta Georgia, best known for hosting the Masters Golf Tournament every spring, has been facing city service outages for more than a week thanks to a ransomware attack that was first detected on May 21, 2023. While city officials state that emergency services are operational, offices for other services either remain closed or are only open for limited hours each day. The mayor’s office put forth a statement confirming the attack on May 25. A Russian-based ransomware-as-a-service gang called BlackByte is taking credit for the attack. They claim to have exfiltrated a large amount of sensitive data during the attack and have posted 10GB of data to substantiate their claims. The sample was later analyzed and found to contain payroll information and personally identifiable information such as contact information. BlackByte is demanding $400,000 to delete the information and claims to have a buyer offering $300,000. There are rumors that the gang is demanding $50 million to decrypt the city’s systems but the city mayor’s office is currently denying that allegation.
Identify Indicators of Compromise (IoC)
City officials state that they began experiencing technical difficulties on May 21 resulting from unauthorized access to its network. It is believed that the attackers left a ransomware note for the city’s IT leadership.
Containment (If IOCs are identified)
Thus far, the mayor’s office has remained silent on the details of the attack and what is being done to contain and eradicate it, other than promising that everything possible is being done. The FBI is involved in the investigation.
While it is yet unknown how the ransomware infection began, many ransomware attacks are delivered through phishing email campaigns. As a result, many organizations are turning to phishing simulators or services to identify employees that are susceptible to these types of attacks. These simulator tools and services provide and/or facilitate customized email campaigns to be sent to internal personnel, and resemble real-world phishing threats. These emails contain a benign payload attachment or embedded link. These emails are then sent out to designated groups within the organization. Any user clicking on the attachment or link is promptly identified and the user is informed of their mistake and directed to a short training session. Here, the user will learn tips about how to improve their cyber hygiene. These users are then tested again later. Some organizations have policies for those with multiple incidents.
Of course, every organization needs a well-conceived email security strategy to protect themselves from these attacks. Such strategies must include security controls that can perform spam filtering, malware scanning and data loss prevention. Any email system today must incorporate email authentication protocols such as DMARC, DKIM and SPF to confirm that incoming emails are from a legitimate source. This is supported by policies that discard any emails that have not been properly authenticated to prevent spoofing. You should also create policies that deny email logon attempts from geographic areas of the world that do not pertain to your organization.