La Porte County finally opted to pay $130,000 Ransom

On July 6, a ransomware attack brought down government computer systems at La Porte County, Indiana, finally, the county decided to pay $130,000 ransom.

On July 6, a ransomware attack paralyzed the computer systems at La Porte County, Indiana, according to County Commission President Dr. Vidya Kora, employees were not able to access to any government email or website.

The county IT director shut down the computer systems to avoid the spreading of the threat and to limit potential damage. At least half of the servers at the county’s infrastructure were infected, less than 7% of the laptops was not impacted.

Now La Porte County decided to pay $130,000 to recover data on systems infected with the ransomware.

For at least three days, government systems were not working forcing the County officials to evaluate the option to pay the ransom.

Immediately after the attack, the county reported the incident to the FBI and was working with experts of some security firms to investigate the attack and mitigate the threat. The law firm of Mullen Coughlin LLC was managing the incident response operations, but despite the efforts of the experts the La Porte County was not able to resume its operations.

According to WSBT, La Porte County’s systems were infected with a variant of the Ryuk ransomware, the same malware that infected computers at City of Lake City on June 10.

“Two organizations in our area are recovering from recent cyber attacks. Both the South Bend Clinic and La Porte County government are dealing with the aftermath.” reported the WSBT.

“La Porte County paid the ransom on a cyber attack that locked up part of the government’s computer system. The Ryuk virus got into the backup servers.”

It seems that $100,000 out of $130,000 are being covered by insurance.

“Fortunately, our county liability agent of record, John Jones, last year recommended a cybersecurity insurance policy which the county commissioners authorized from Travelers Insurance” explained Dr. Vidya Kora,

Recently other administrations decided to pay the ransom to decrypt their files. Crooks earned a total of over $1 million in June from the attacks on two municipalities in Florida, Lake City and Riviera Beach.

In April, Stuart City was victim of the Ryuk Ransomware too, but it refused to pay the ransom. Early March, another city was hit by the same ransomware, computers of Jackson County, Georgia, were infected with Ryuk that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

The Ryuk ransomware appears connected to Hermes malware that was associated with the notorious Lazarus APT group.

The same ransomware was recently used in an attack that affected the newspaper distribution for large major newspapers, including the Wall Street Journal, the New York Times, and the Los Angeles Times.

Further investigation on the malware allowed the experts from security firms FireEye and CrowdStriketo discover that threat actors behind the 
Ryuk ransomware are working with another cybercrime gang to gain access to target networks. They are collaborating with threat actors behind TrickBot, a malware that once infected a system creates a reverse shell back to the attackers allowing them to break into the network.

Experts at Crowdstrike believe the Ryuk ransomware is operated by a crime gang they tracked as GRIM SPIDER, in particular by its Russian based cell dubbed WIZARD SPIDER that is behind TrickBot.

Experts pointed out that Hermes was available for sale into the online underground community, attackers could have purchased it to create their own version of Ryuk.

Recently the United States Conference of Mayors asked its members to “stand united” against paying ransoms in case their systems are hit by ransomware. The decision is essential to discourage criminal practice.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – La Porte, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]