Malware

Ryuk Ransomware is suspected to be involved in the New Orleans cyberattack

New evidence suggests that in the recent attack against the systems at the City of New Orleans was used the Ryuk ransomware.

Over the weekend, New Orleans officials announced in a press conference that the city was hit by a ransomware attack, the incident was discovered in the morning of December 13, 2019.

The IT staff immediately informed all employees of the incident and asked them to power down computers to avoid the threat spreading.

Employees were ordered to turn off and unplug their computers from the network as soon as possible via the city hall’s public loudspeakers systems.

Every device was disconnected from the city’s networks, at the time the family of the ransomware that infected its systems was not revealed.

Now, additional information on the attack was shared in the media.

According to files uploaded to the VirusTotal scanning service, the ransomware involved in the City of New Orleans was likely the Ryuk Ransomware.

The day after the ransomware attack on the City of New Orleans, on December 14th, 2019, memory dumps of suspicious executables were uploaded to VirusTotal from an IP address from the USA.

“One of these memory dumps, which contained numerous references to New Orleans and Ryuk, was later found by Colin Cowie of Red Flare Security and shared with BleepingComputer.com.” reported BleepingComputer.

The dump discovered by Cowie is associated with an executable named ‘yoletby.exe,’ it was containing references to the City of New Orleans including domain names, domain controllers, internal IP addresses, user names, file shares, The same dump contained references to the Ryuk ransomware, a circumstance that suggests that this family of malware was used in the attack of the City of New Orleans.

The expert noticed that the dump contained the HERMES file marker, file names ending with the .ryk extension, and references to the created RyukReadMe.html ransom notes.

Experts at BleepingComputer also found evidence that the Ryuk ransowmare was used in the attack against the City of New Orleans.

“Of particular interest in the v2.exe memory dump is a string that refers to the New Orleans City Hall.” continues BleepingComputer.

“After further digging around, BleepingComputer was able to find a v2.exe executable, and after executing it, was able to confirm that it was the Ryuk ransomware.”

Let’s wait for more details about the attack from the City of New Orleans.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – cybercrime, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

6 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

18 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

22 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

2 days ago

This website uses cookies.