New evidence suggests that in the recent attack against the systems at the City of New Orleans was used the Ryuk ransomware.

Over the weekend, New Orleans officials announced in a press conference that the city was hit by a ransomware attack, the incident was discovered in the morning of December 13, 2019.

The IT staff immediately informed all employees of the incident and asked them to power down computers to avoid the threat spreading.

Employees were ordered to turn off and unplug their computers from the network as soon as possible via the city hall’s public loudspeakers systems.

Every device was disconnected from the city’s networks, at the time the family of the ransomware that infected its systems was not revealed.

Now, additional information on the attack was shared in the media.

According to files uploaded to the VirusTotal scanning service, the ransomware involved in the City of New Orleans was likely the Ryuk Ransomware.

The day after the ransomware attack on the City of New Orleans, on December 14th, 2019, memory dumps of suspicious executables were uploaded to VirusTotal from an IP address from the USA.

“One of these memory dumps, which contained numerous references to New Orleans and Ryuk, was later found by Colin Cowie of Red Flare Security and shared with BleepingComputer.com.” reported BleepingComputer .

The city of #neworleans was hit with #RYUK Ransomware! Looks like it encrypted their "Contracts and Revenue" file share😳

🔗: https://t.co/PtfHjcYQA0 pic.twitter.com/cP4EcvgoPu — Colin Cowie (@th3_protoCOL) December 15, 2019

The dump discovered by Cowie is associated with an executable named ‘ yoletby.exe ,’ it was containing references to the City of New Orleans including domain names, domain controllers, internal IP addresses, user names, file shares, The same dump contained references to the Ryuk ransomware, a circumstance that suggests that this family of malware was used in the attack of the City of New Orleans.

The expert noticed that the dump contained the HERMES file marker, file names ending with the . ryk extension, and references to the created RyukReadMe.html ransom notes.

Experts at BleepingComputer also found evidence that the Ryuk ransowmare was used in the attack against the City of New Orleans.

“Of particular interest in the v2.exe memory dump is a string that refers to the New Orleans City Hall.” continues BleepingComputer .

“After further digging around, BleepingComputer was able to find a v2.exe executable, and after executing it, was able to confirm that it was the Ryuk ransomware.”

Let’s wait for more details about the attack from the City of New Orleans.

Pierluigi Paganini