
City of Wichita public services disrupted after ransomware attack

The city of Wichita is investigating a ransomware attack that happened over the weekend and resulted in the closure of numerous networks and services in the city. There is currently no end in sight and it is not possible to predict when the systems will be restored.

The attack occurred on Sunday, when ransomware encrypted “specific,” unspecified city systems, according to a warning on the city’s website, which means that many of the city’s core online services are temporarily inaccessible.

Officials have taken business continuity measures in response to the attack and are “working with outside specialists to restore the computer network safely and securely” and are investigating the original with law enforcement, said the alert, which was released the same day as the attack.

Such rapid release of an alert informing citizens of a cyber incident is not always the norm, according to security experts. But given the extensive damage affecting everything from the city’s airport to water supplies to public transportation, informing the public can be a helpful way to prepare them for disruptions, notes Malachi Walker, a security consultant at security firm DomainTools.

“The transparency shown by the City of Wichita in disclosing the ransomware attack is incredibly important so that those affected can remain vigilant and take the necessary response,” he said in an email to Dark Reading.

Numerous systems affected

Indeed, these disruptions appeared to be numerous, with a “Frequently Asked Questions” section in the city’s alert suggesting that people’s main concerns are being addressed.

If the systems fail, the city will switch to cash-based systems to pay water bills, ride the bus, attend cultural events and pay for landfill services, among many others that typically offer digital payment options.

The city also will not be able to livestream city council meetings and is advising people interested in the proceedings to attend in person. Both Wi-Fi service and departure screens at Dwight D. Eisenhower National Airport in Wichita are also not working due to the attack, although flights are operating normally.

There is also evidence that critical city infrastructure was affected by the attack, as alarmed officials have advised that those whose water was turned off present a payment or proof of payment at city hall and their water will be reconnected.

Additionally, the city is waiving late fees and penalties for people who have difficulty paying their water bills until the incident is resolved. However, residents can still pay by cash, mail or directly to Wichita City Hall. New accounts can also be set up at City Hall, while automatic payments are suspended for now, the alert says.

Ongoing investigation

The city’s IT department is working with law enforcement and security partners to conduct the investigation. However, specific details of the attack remain unclear and the city said there is currently “no timeline for when systems may come back online.”

“We appreciate your patience as we address this incident as quickly and thoroughly as possible,” reads the alert, which will be updated as the situation changes.

Ransomware attacks have become all too common these days, although earlier this year there were indications that some, particularly those targeting industrial control networks, are on the retreat. In fact, global law enforcement efforts to break up known ransomware groups have been proactive and successful. However, new groups seem to appear almost immediately when one is dismantled.

Still, each ransomware attack should be treated with individual seriousness, especially when so many public services are affected, as is the case in Wichita, notes Colin Little, a security engineer at cybersecurity company Centripetal.

“These days it’s all too easy to say ‘yes, another cyberattack,’ but having to confirm that statement in a press release clearly underscores the seriousness of this event,” he said in an email. “That these services are carried out Business continuity measures is proposing to defund the police and fire departments, and in one of the largest cities in the United States, that’s a big deal.”

Next steps for future prevention and protection

The key to the investigation now is to find out who the attackers are and what specific tactics they used so that officials can increase the security of the networks in the future, security experts say.

Tom Kellermann, senior vice president of cyber strategy at security company Contrast reliability, suggested that state-sponsored Russian actors may be behind the attacks as they have “expanded their destructive attacks against U.S. cities in retaliation” for a recent aid package for Ukraine passed by Congress. However, no perpetrator of the attack has yet been identified.

Identifying the original access point is also critical to the investigation to protect networks in the future, another expert noted.

“Was it social engineering, unpatched software or firmware, or something else?” says Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4. “If they can’t figure out how the ransomware first accessed it, it will be much harder to prevent it from happening again.”

It’s also important to determine whether encrypted data was also exfiltrated by attackers so that officials can notify the public if the incident could lead to further consequences, such as sharing their information on the dark web or future attacks, Walker said.