I’m betting that there will be some openings for IT positions coming soon in various Florida municipalities. Ars Technica reported today that a third (that’s right – third) city in Florida fell victim to ransomware. According to Ars, Key Biscayne, FL was breached using the Ryuk strain of ransomware (the same as Lake City, FL on June 10th, which cost that city just shy of half a million dollars in bitcoin, and possibly the same as Riviera Beach, FL, which cost that city $600k).
Key Biscayne became infected with Ryuk through what is known as a triple-threat attack: Emotet, in this instance, was brought into the network as a result of a successful phishing email. Emotet was used as a dropper to bring in the Trickbot trojan, which allowed the attackers lateral movement throughout the city’s infrastructure. At this point, the attackers had enough control to be able to infect the city’s systems with Ryuk – and game over. The city held a meeting tonight in which, one would assume, they’d decide whether or not to pay the ransom. That decision has not yet been made known.
Let’s think about the different ways that this attack should have been – but was not – stopped in its tracks before it had a chance to wreak this havoc:
- Employee Security Awareness training. Training employees to avoid clicking on phishing links will help, although it is still subject to human error and ignorance. I recommend conducting phishing security tests and following up with necessary training – KnowBe4’s training platform is an awesome tool for this purpose.
- Key Biscayne’s MX record points to keybiscayne-fl-gov.mail.protection.outlook.com, meaning that they’re using email services through Office 365’s Exchange Online platform but also likely that they’re relying solely on Microsoft’s spam filtering. Microsoft is not ineffective at preventing phishing emails, but plenty of phishing emails will inevitably get through. Microsoft provides some advanced phishing prevention when users are assigned Advanced Threat Protection (ATP) licenses – it’s unclear if the city had subscribed to this additional license.
- Lateral movement was allowed from the infected user’s workstation to the back-end server infrastructure. Key Biscayne is a small city with a population of only around 3,000. What likely happened here is that the city did not invest enough in their IT infrastructure. Most network admins these days recognize the importance of minimizing the possibility for lateral movement, but in an organization this small I imagine that it was not recognized as an important security control.
- Why aren’t we restoring from backups? I’m making the assumption that they can’t, and that they’ll eventually be paying the ransom. Will this lesson ever be learned by our IT organizations? Back up your data, air-gap it so that the backups can’t be compromised, and have a disaster recovery plan in place that details how you’ll restore systems in a worst-case scenario such as this.
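The MX check in the second bullet is something you can do for your own domain in a few lines. The script below is an added example (not code from the original post): it builds a DNS MX query, parses the response including name compression, and labels each exchange host with the filtering provider its suffix implies. The exchange host is the one the post names; the query domain `example.gov`, the resolver address and the provider suffix table are assumptions I have made, and the sample response is constructed so the script runs offline.

```python
import os
import socket
import struct

# Constructed sample data: the exchange host the post names for Key Biscayne.
SAMPLE_MX_HOST = "keybiscayne-fl-gov.mail.protection.outlook.com"

# Assumed: well-known host suffixes used by hosted mail filtering services.
PROVIDER_SUFFIXES = {
    ".mail.protection.outlook.com": "Exchange Online Protection (Microsoft 365)",
    ".pphosted.com": "Proofpoint",
    ".mimecast.com": "Mimecast",
    ".google.com": "Google Workspace",
}


def encode_name(name: str) -> bytes:
    """Encode a DNS name as length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_mx_query(domain: str, txid: int) -> bytes:
    """Query header (RD=1, one question) followed by QTYPE=MX(15), QCLASS=IN(1)."""
    return (struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(domain) + struct.pack(">HH", 15, 1))


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2                          # field ends after the pointer
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_mx_response(msg: bytes):
    """Return [(preference, exchange_host), ...] from a DNS response, sorted by preference."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)                   # owner name
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 15:                                # MX: 16-bit preference + name
            pref = struct.unpack(">H", msg[off:off + 2])[0]
            host, _ = read_name(msg, off + 2)
            records.append((pref, host))
        off += rdlen
    return sorted(records)


def classify_mx(records):
    """Label each exchange host with the filtering provider its suffix implies."""
    out = []
    for pref, host in records:
        provider = next((p for suf, p in PROVIDER_SUFFIXES.items()
                         if host.lower().endswith(suf)), "unknown / self-hosted")
        out.append((pref, host, provider))
    return out


def filtering_providers(records):
    """Distinct providers in front of the domain; a single entry means one filtering layer."""
    return sorted({p for _, _, p in classify_mx(records)})


def lookup_mx(domain: str, resolver: str = "9.9.9.9", timeout: float = 3.0):
    """Live lookup over UDP (assumed resolver; not used by the offline sample below)."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_mx_query(domain, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack(">H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return parse_mx_response(data)


def build_sample_response(domain: str, mx_host: str, pref: int = 0, txid: int = 0x1234) -> bytes:
    """Constructed response as a resolver would return it: the answer's owner name is
    a pointer (0xC00C) back to the question name at offset 12."""
    question = encode_name(domain) + struct.pack(">HH", 15, 1)
    rdata = struct.pack(">H", pref) + encode_name(mx_host)
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 15, 1, 3600, len(rdata)) + rdata
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


SAMPLE_RESPONSE = build_sample_response("example.gov", SAMPLE_MX_HOST)

if __name__ == "__main__":
    for pref, host, provider in classify_mx(parse_mx_response(SAMPLE_RESPONSE)):
        print(pref, host, "->", provider)
```

Replace `SAMPLE_RESPONSE` with `lookup_mx("your-domain.example")` to run it against a real domain. When `filtering_providers` comes back with a single hosted entry, the mail path has exactly one filtering layer in front of it, which is the situation the bullet above describes.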
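For the lateral-movement bullet, the control is segmentation, but you also want to know when it is missing or being bypassed. The script below is an added example (not from the original post) that runs two checks over Windows Security logon events: network logons from the workstation subnet to servers that workstations should never reach, and one source host fanning out to many servers in a short window. The subnet, host names, restricted-server list, thresholds and the event lines are all constructed for the example and are not data from the Key Biscayne incident.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed network layout: one workstation subnet, and a set of servers that no
# workstation should ever open a network logon to (domain controllers, the
# database server and the backup server).
WORKSTATION_NET = ipaddress.ip_network("10.10.20.0/24")
RESTRICTED_TARGETS = {"DC01", "SQLSRV01", "BACKUPSRV01"}
FANOUT_THRESHOLD = 4            # distinct servers reached from one host ...
WINDOW = timedelta(minutes=10)  # ... within this window is worth a look

# Constructed sample: a few fields from Windows Security event 4624 (successful
# logon) as forwarded from member servers. LogonType 3 is a network logon
# (SMB, RPC, WinRM); IpAddress is the source. Hosts and addresses are made up.
SAMPLE_EVENTS = """\
2019-06-20T09:01:12 EventID=4624 LogonType=3 Computer=FILESRV01 TargetUserName=jsmith IpAddress=10.10.20.15
2019-06-20T09:01:40 EventID=4624 LogonType=3 Computer=PRINTSRV01 TargetUserName=jsmith IpAddress=10.10.20.15
2019-06-20T09:02:05 EventID=4624 LogonType=3 Computer=SQLSRV01 TargetUserName=jsmith IpAddress=10.10.20.15
2019-06-20T09:02:31 EventID=4624 LogonType=3 Computer=DC01 TargetUserName=jsmith IpAddress=10.10.20.15
2019-06-20T09:03:02 EventID=4624 LogonType=3 Computer=BACKUPSRV01 TargetUserName=jsmith IpAddress=10.10.20.15
2019-06-20T09:15:00 EventID=4624 LogonType=3 Computer=FILESRV01 TargetUserName=amiller IpAddress=10.10.20.42
2019-06-20T10:30:00 EventID=4624 LogonType=2 Computer=WS-042 TargetUserName=amiller IpAddress=127.0.0.1
"""


def parse_event(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def parse_events(text: str) -> list:
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def from_workstation(ev: dict) -> bool:
    try:
        return ipaddress.ip_address(ev["IpAddress"]) in WORKSTATION_NET
    except ValueError:                      # '-' or a host name instead of an address
        return False


def workstation_network_logons(events):
    """Successful network logons (4624, type 3) whose source is a workstation."""
    return [e for e in events
            if e["EventID"] == "4624" and e["LogonType"] == "3" and from_workstation(e)]


def restricted_target_findings(events):
    """Workstation -> restricted server logons; segmentation should make these impossible."""
    return [(e["IpAddress"], e["Computer"], e["TargetUserName"])
            for e in workstation_network_logons(events)
            if e["Computer"] in RESTRICTED_TARGETS]


def fanout_findings(events):
    """Sources that reach at least FANOUT_THRESHOLD distinct hosts inside WINDOW."""
    by_src = defaultdict(list)
    for e in workstation_network_logons(events):
        by_src[e["IpAddress"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):   # sliding window anchored at each event
            targets = {e["Computer"] for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW}
            if len(targets) >= FANOUT_THRESHOLD:
                findings.append((src, sorted(targets)))
                break
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for f in restricted_target_findings(events):
        print("policy violation: %s -> %s as %s" % f)
    for src, targets in fanout_findings(events):
        print(f"fan-out from {src}: {', '.join(targets)}")
```

The first check is really a test of the segmentation policy itself: if a workstation can complete a network logon to the backup server or a domain controller, the firewall or VLAN rules that were supposed to stop it are not in place. The second check catches the pattern even on servers workstations are allowed to reach, since a single user touching five servers in two minutes is not how people use a file share.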
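The backup bullet asks for backups that survive the incident and a plan that proves they can be restored. A script cannot create the air gap, but it can do the part most organizations skip: record what was backed up, test a restore against that record, and refuse to call a backup current once it is older than the recovery point objective. The example below is added here and is not code from the original post; the directory layout, file names and 24-hour objective are assumptions, and the data set is constructed in a temporary directory so it runs anywhere.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_root: Path, manifest_path: Path) -> dict:
    """Record a hash of every file in the backup set plus when the set was taken.
    Keep the manifest somewhere other than the backup media it describes."""
    files = {p.relative_to(backup_root).as_posix(): sha256_file(p)
             for p in sorted(Path(backup_root).rglob("*")) if p.is_file()}
    manifest = {"created": datetime.now(timezone.utc).isoformat(), "files": files}
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> list:
    """Compare a restored tree against the manifest; an empty list means it matches."""
    problems = []
    for rel, digest in manifest["files"].items():
        p = Path(restored_root) / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def backup_age_ok(manifest: dict, rpo: timedelta = timedelta(hours=24), now=None) -> bool:
    """True if the backup is within the recovery point objective (assumed: 24 hours)."""
    created = datetime.fromisoformat(manifest["created"])
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    return now - created <= rpo


def demo():
    """Constructed data set: production, an offline copy, a good restore, then a
    restore in which one file was overwritten and another is gone. Returns the
    verification results for the clean and the damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp, "prod")
        (prod / "gis").mkdir(parents=True)
        (prod / "gis" / "parcels.db").write_bytes(b"parcel data " * 100)
        (prod / "payroll.csv").write_text("name,amount\nalice,10\n")

        backup = Path(tmp, "offline_copy")          # stands in for the air-gapped copy
        shutil.copytree(prod, backup)
        manifest = write_manifest(backup, Path(tmp, "manifest.json"))

        restored = Path(tmp, "restored")
        shutil.copytree(backup, restored)
        clean = verify_restore(manifest, restored)

        # Simulate a restore from media that was itself damaged or encrypted.
        (restored / "payroll.csv").write_bytes(b"\x00garbage")
        (restored / "gis" / "parcels.db").unlink()
        damaged = verify_restore(manifest, restored)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

Run the verification as part of a scheduled restore test rather than only after an incident; a manifest that lives with the backup is of no use if the backup is what got encrypted, so store it with the disaster recovery plan.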
More details are sure to emerge regarding Key Biscayne’s ransom payment decision over the next few days. If anyone from the city happens to read this, please let us know if we can be of assistance in the recovery of your systems.