
Russian cyber group takes credit for Kansas ransomware attack

(TNS) – Government business in Wichita appears to have been disrupted by a Russian hacker group, according to Eagle research and a cyber threat analyst.

A notorious Russian cybercrime group – LockBit – claims responsibility for the attack on the most populous city in Kansas. A dark web entry reported by cyber threat analyst Brett Callow indicates that LockBit is willing to make the city’s data public to other hackers if a ransom is not paid.

LockBit’s demands are unclear. Wichita officials would not confirm whether LockBit or another group contacted the city about a ransom. The group is known to have demanded millions of dollars in payouts in the form of Bitcoin, according to a federal indictment released Tuesday.


Wichita officials confirmed Sunday that the city’s computer systems were targeted in a ransomware attack, which uses computer software to steal files and encrypt them with a secret key. In response, the city shut down its computer network at City Hall and had to switch to pen-and-paper, cash-only operations for many departments. Police and fire departments continue to rely on backup procedures when responding to emergency calls.

The attack came as LockBit’s alleged leader, Dmitry Yuryevich Khoroshev – suspected of operating online under the pseudonyms “LockBit”, “LockBitSupp” and “putinkrab” – was named by the US government. The U.S. District Court of New Jersey on Tuesday unsealed a federal indictment filed against Khoroshev on May 2. The US State Department also announced a $10 million reward for information leading to his arrest. He is believed to be a resident of the Russian Federation.

The indictment describes LockBit as “the most prolific and destructive ransomware group in the world” and says it is responsible for extorting at least $500 million in ransom payments from multinational corporations, local governments and nonprofit organizations since January 2020. The group attacked at least 2,500 computer systems around the world, including 1,800 in the United States, the indictment says.

The indictment alleges that law enforcement agencies from the United Kingdom, United States and other countries disrupted LockBit’s dark web leak site and infiltrated its infrastructure in February. Law enforcement discovered that LockBit retained copies of the stolen files even after victims paid the ransom.

LockBit typically locks companies and governments out of their files using encryption keys and demands a ransom be paid. A data dump page has been created on the dark web to release files taken from the city of Wichita next week, a screenshot of the listing shows.

The deadline for Wichita to pay the ransom appears to be May 15th. City officials would not say what the group is demanding, and it is not clear what files or personal information were compromised.

PUBLIC ENTITIES IN THE CROSSHAIRS

Wichita isn’t the only government agency to fall victim to cyberattacks recently. According to a survey by the Center for Internet Security, attacks on state and local governments are becoming more common.

Kansas City, Missouri, Jackson County and KC Scout, a partnership between the Missouri and Kansas transportation departments in the Kansas City metropolitan area, have recently been targets of cyberattacks. Kansas’ entire court system was compromised last fall and could not be restored for several months.

Cybercriminal organizations with ties to Russia appear to be responsible for the attacks in Wichita, Jackson County and KC Scout. Callow also flagged a page purporting to contain KC Scout data that was posted on Tuesday on the dark web leak site of the Play ransomware group. According to CBS News, this group is believed to be connected to Russia.

Officials in Kansas City, Missouri, have said little about the attack on the city’s computer system and it is unclear who is responsible.

The city’s website, kcmo.gov, has been down since Saturday and remained offline throughout the day Tuesday. A city spokesman did not return calls from The Eagle. In response, the city canceled committee meetings and closed its municipal court system. According to KCUR, the city’s private water utility was also impacted by the computer failure.

FBI spokeswoman Bridget Patton declined to say whether the FBI was investigating but said it was “aware of both incidents,” referring to the network outages in Wichita and Kansas City.

According to the Center for Internet Security survey, cyberattacks against state and local governments increased 148% year-over-year in the first eight months of 2023. Ransomware attacks on government agencies increased by 51% compared to the same period in 2022.

Public entities can be particularly vulnerable to phishing campaigns compared to private companies because many employees’ email addresses are published on government websites, providing hackers with a potential entry point into computer systems if even one employee falls for the phishing attempt.

The cyberattack on the Kansas court system could have compromised the data of up to 150,000 people who interacted with the justice system in some way, the Office of Judicial Administration announced Monday.

DARK WEB COUNTDOWN

Callow, a British Columbia-based cyber security threat analyst, posted screenshots of LockBit’s and Play’s dark web listings on X on Tuesday afternoon. Several other dark web watchdog groups have since shared screenshots of the Wichita entry on social media.

Callow said in an email to The Eagle that he has no reason to believe the attacks on the Wichita and Kansas City governments are related, but that it is possible.

“Groups basically operate on a ransomware-for-rent basis, and the people who rent the ransomware – they’re called ‘affiliates’ – may work with more than one group,” Callow said.

In a phone interview, Jack Danahy, vice president of strategy at Vermont-based cybersecurity group NuHarbor Security, said ransomware groups routinely use countdowns to increase pressure on targeted organizations and maximize the chances of receiving a ransom payment, which is typically demanded in cryptocurrency.

The implicit danger is that compromised data will either be published on the dark web or destroyed. Federal authorities strongly discourage public and private organizations from making ransom payments.

“Even though the ransom was paid, the private information is still somewhere,” Danahy said. “And while the organization may claim they won’t release it, there’s really no guarantee.”

As an example, he pointed to Change Healthcare, a health technology company that suffered a cyberattack in February and admitted paying a $22 million ransom to recover data. Last month, a second group of hackers claimed access to four terabytes of company data, including patient medical records, and demanded a ransom payment within 12 days.

Danahy said there is a small chance that federal investigators and outside specialists could work backwards into locked systems by decrypting keys. But that was a long shot, he said.

“What usually happens, particularly with organizations that don’t pay the ransom and choose not to support this type of activity, is that they compile all the information on all of these systems from scratch,” he said.

ASSESSING THE BLAST RADIUS

Wichita says it reported the attack to federal and local law enforcement and hired an unnamed outside specialist to investigate the incident and help bring systems back online after a thorough review.

The time frame for restoring computer networks after systems are compromised can vary greatly on a case-by-case basis. Danahy said the first step was to “estimate the blast radius” of the attack.

“How many systems were touched? How were they touched? And how deep does the corruption go?”

He said identifying technology damaged in a ransomware attack is a fairly simple process compared to other more complex cyberattacks.

“You can pretty much say that the machines that are no longer working are the machines that are affected, so let’s start with that,” Danahy said. “Based on this, a good organization doing recovery planning will look for footprints – essentially for people, for organizations, for IP addresses, or really just network traffic routed from other machines to the affected machines – to see whether, in fact, there are other affected machines that may not have been catastrophically shut down by the attack itself.”

When companies have data monitoring systems in place, it is much easier to assess how much data was taken, where it came from and where it may have gone.

Another important step is to thoroughly check all systems to ensure that hackers have not installed backdoors for future access.
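A minimal version of the “footprint” search Danahy describes, added here as an illustration that is not from the article or from NuHarbor Security: starting from the machines already known to be encrypted or offline, it walks network flow records hop by hop to list other hosts that talked to them and should be triaged next. The host addresses and flow records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample flow records (source, destination, timestamp).
# Not real data from the Wichita incident.
FLOWS = [
    ("10.0.1.5", "10.0.2.20", 100),
    ("10.0.3.7", "10.0.2.20", 120),
    ("10.0.3.7", "10.0.4.9", 130),
    ("10.0.5.11", "10.0.1.5", 90),
    ("10.0.6.2", "10.0.7.3", 110),  # unrelated traffic, should not be flagged
]


def expand_blast_radius(seed_hosts, flows, max_hops=2, both_directions=False):
    """Return {host: hop_distance} for machines to investigate.

    seed_hosts: machines known to be affected (distance 0).
    Each hop adds the hosts that sent traffic to the current frontier;
    with both_directions=True, hosts the frontier reached out to are added too.
    """
    senders = defaultdict(set)    # dst -> hosts that sent it traffic
    receivers = defaultdict(set)  # src -> hosts it sent traffic to
    for src, dst, _ts in flows:
        senders[dst].add(src)
        receivers[src].add(dst)

    distance = {h: 0 for h in seed_hosts}
    frontier = set(seed_hosts)
    for hop in range(1, max_hops + 1):
        next_frontier = set()
        for host in frontier:
            neighbours = set(senders.get(host, ()))
            if both_directions:
                neighbours |= receivers.get(host, set())
            for other in neighbours:
                if other not in distance:  # first time seen: record hop count
                    distance[other] = hop
                    next_frontier.add(other)
        frontier = next_frontier
        if not frontier:
            break
    return distance


def triage_order(distance):
    """Hosts to check, nearest to the known-affected machines first."""
    return sorted((h for h in distance if distance[h] > 0),
                  key=lambda h: (distance[h], h))
```

Hosts at hop 1 are the ones whose traffic reached an encrypted machine and are the first place to look for an intrusion that did not cause a visible outage.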

Danahy encouraged Wichita residents to exercise patience and ultimately demand transparency from their government.

“The most constructive thing is to support the teams that are working around the clock to eliminate the problem,” he said.

“The most important thing now is that they find out how it happened. They are doing their best with the strategy they have chosen to clean it up and get things working again. At the end of the day, that’s one thing. The demand I would have as a citizen of Wichita is transparency. I want to know what happened… I want to know why and what you did to make sure something like this doesn’t happen again.”

©2024 The Wichita Eagle, distributed by Tribune Content Agency, LLC.