Another city fell victim of a malware attack, systems at the city of Stuart, Fla., were infected by the Ryuk ransomware on April 13, 2018.

Law enforcement is investigating a ransomware attack that hit the City of Stuart on April 13, 2018. The Ryuk malware infected several servers and forced them offline.

“City officials on Wednesday confirmed a computer virus that infected servers over the weekend was the result of a ransomware attack.” reported the website TCPalm.

“The virus detected Saturday froze up the city’s servers and they are still offline, said Stuart City manager David Dyess.”

According to officials, the ransomware attack targeting the city of Stuart started with a phishing email, the infection was discovered by an IT employee who was setting up a new server.

City manager David Dyess confirmed that the city systems were infected with a strain of the Ryuk ransomware, but he did not disclose the Bitcoin ransom demanded by crooks.

“They discovered we had two things going on: We had what’s called a trickbot, which is basically a malware type of regular virus which can lead to other more serious issues,” Dyess said. “We also had the Ryuk virus that is an encryptor virus, where it encrypts your files and specifically likes to target your servers.”

At the time of writing, Dyess confirmed that experts are investigating to determine the way the attackers exploited to infect the systems.

IT staff at Stuart city has restored servers, payroll, utilities, and budgeting, only city employees still don’t have access to their email accounts.

Stuart’s police and fire departments are still offline, Dyess believe that overall services should be fully restored within the next week.

Early March, another city was hit by the same ransomware, computers of Jackson County, Georgia, were infected with Ryuk that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Unlike the Jackson County, Stuart City refused to pay the ransom.

“We are not negotiating with them. We are in the process of trying to rebuild our systems,” Dyess said. “We also began scanning every server in the city and every (personal computer) and every laptop in every department to eliminate any viruses on those outer machines.”

Dyess confirmed that the impact was limited thanks to the availability of city’s computer backup system.

“If we wouldn’t have had these viable backups, we would probably be in a situation where we had to move into negotiations,” he said. “But with those backups in place, why would we negotiate?”

The Ryuk ransomware appears connected to Hermes malware that was associated with the notorious Lazarus APT group.

The same ransomware was recently used in an attack that affected the newspaper distribution for large major newspapers, including the Wall Street Journal, the New York Times, and the Los Angeles Times.

Further investigation on the malware allowed the experts from security firms FireEye and CrowdStriketo discover that threat actors behind the

Ryuk ransomware are working with another cybercrime gang to gain access to target networks. They are collaborating with threat actors behind TrickBot, a malware that once infected a system creates a reverse shell back to the attackers allowing them to break into the network.

Experts at Crowdstrike believe the Ryuk ransomware is operated by a crime gang they tracked as GRIM SPIDER, in particular by its Russian based cell dubbed WIZARD SPIDER that is behind TrickBot.

Experts pointed out that Hermes was available for sale into the online underground community, attackers could have purchased it to create their own version of Ryuk.

Pierluigi Paganini

(SecurityAffairs – Ryuk ransomware , Stuart city)

Share this...

Linkedin Reddit Pinterest

Share On