An effort to eliminate a widespread Emotet trojan infection appears to have triggered a ransomware outbreak that government officials believe the attackers used to cover their tracks rather than extort the government of Matanuska-Susitna Borough in Alaska.
A combined attack using the Emotet banking trojan and and Bitpaymer ransomware has caused chaos over the past week for one of Alaska’s largest towns after the discovery that Emotet had infected 500 Windows 7 and Windows 10, and 120 out of the organization’s 150 servers.
Alaskan paper, Anchorage Daily News, reported that Matanuska-Susitna Borough’s network has been infected by multiple malware for more than two months before it wreaking havoc on the town on 23 July.
The attack affected phone, email and online systems and knocked, Matanuska-Susitna Borough officials revealed on Monday. It followed what appeared to be the same malware attack that hit another Alaskan city, Valdez last week.
Despite crippling most of Matanuska-Susitna Borough’s hardware, the government reported on Monday that backups saved most of its data.
According to Mat-Su Borough IT director’s Eric Wyatt, it is the 201th victim of the same malware attack that experts are labelling an advanced persistent threat or highly sophisticated attack.
In a detailed report written by Wyatt, he said the borough was infected with Emotet, a well-known banking trojan, BitPaymer ransomware, a “time bomb” malware, designed to stop computers working at a preset time.
Wyatt called the attack a “zero day” attack because the antivirus it was using, McAfee, hadn’t detected and blocked the malware. He suspects the organization was initially infected with an email containing a link to a malicious website.
The ransomware component of the malware had being “lying dormant” with its network since as early as May 3 during which time Emotet may have been exfiltrating information, according to Wyatt.
“During this time, data from any of our systems may have been compromised and sent outside of our network. We do not have evidence of this, but we must work from the assumption that this was done.
Everything we have seen matches the patterns the FBI has seen at multiple sites throughout the country."
He said the attack matched the situation that recently happened in fellow Alaskan town Valdez.
"The FBI reports that the Trojan and Worm will lay dormant for 4 to 6 weeks and then the Crypto Locker component is frequently launched on a Friday. This happened in Valdez and there are reports that on Friday multiple other locations in Alaska and around the US were hit,” he wrote.
Mat-Su Borough detected Emotet after a McAfee virus definition was updated on July 17. That malware was then only being detected on Windows 7 PCs, but was missing other malware.
It appears that by removing Emotet, this launched the BitPaymer crypto-ransomware into action.
“By the time the number of workstations affected rose to alarming levels, we had discovered the same issues on multiple servers. We developed a script to remove the discovered components that McAfee was leaving behind from all machines and planned to launch this on Monday evening, July 23rd. We also expired all user passwords to force password changes and changed passwords for all admin and service accounts.
“This action, of attacking back, seemed to trigger the virus to launch the Crypto Locker component. This trigger may have been automated, a Dead Man’s Switch, or there may have been a person manually monitoring activity and executed their Command and Control (C2) to launch the attack,” he wrote.
Wyatt suspects the ransomware attack was actually a decoy to destroy evidence used to investigate the source of the first and intended attack. He also notes that even when the ransom is paid, computers remain encrypted.
“This would indicate that the attack’s purpose is not based primarily on money from a particular victim, but to disrupt operations and potentially steal information that may lead to greater financial reward and more disruption from down stream victims,” he wrote.
By July 24, when it realized it was under attack, the borough disconnected servers from the network and then disconnected the borough itself from the internet. The attack affected computers, servers, networked telephones, and email.
That the ransomware infected Windows 10 PCs is somewhat surprisingly, given Microsoft’s assurances that Windows 10 — depending on the specific configurations and security services used — was unaffected by the NotPetya and WannaCry attacks. Microsoft has also said that no machine running the locked down Windows 10 S is vulnerable to any known ransomware today.
At an assembly meeting on Tuesday, one assembly member, Ted Leonard, called it a terrorist attack.
“The group that we are facing that has unleashed this particular attack is a very well organized group and they're using the most sophisticated tools and have done a lot of damage across the country to include us,” Wyatt said at the assembly.
The government said that almost all Windows production servers had been encrypted, including its domain, Exchange, its record management system, its SharePoint intranet and eCommerce systems, GIS, SQL databases, S:\ drive files shares ( L:\, M:\, P:\ ) and even our backup and Disaster Recovery (DR) servers.
Some of the systems were recoverable however Wyatt noted its Exchange email system was completely unrecoverable.
Wyatt noted that it will retain encrypted data "for months or years" in the hope that the FBI will recover the decryption keys.
Organizations bought into to help the borough included the FBI, City of Valdez, State of Alaska, Alaska USA, Denali credit union, Mat Valley Credit Union, State Farm Insurance, ATS, Cisco, FBNSB, Dell, and Commvault.