ILook Investigator Computer Forensics Software

IRS-CI Electronic Crimes

Colorado transportation department's painful ransomware experience


Ransomware hitting private companies is nothing new, but the situation gets far worse when a government entity is the victim. The Colorado Department of Transportation (CDOT) suffered the consequences of such an intrusion in February 2018. A variant of the file-encrypting malware known as SamSam, also referred to as Samas, got into the state department's computer network and encrypted data on more than 2,000 Windows machines.

When the attackers demanded an undisclosed ransom in Bitcoin, CDOT officials refused to pay and were confident that their recently adopted 'segmentation strategy' would let them get the affected systems up and running without negotiating with the threat actors. Things were indeed gradually returning to normal, with the IT staff able to restore about 20% of the computers.

Ransom note displayed by SamSam/Samas ransomware

However, a few days later the organization fell victim to a second attack. A modified version of the SamSam ransomware slipped past the defenses and struck again, this time causing more damage than the original attack. The protection tools that were in place simply could not keep up with the altered code: a variant that has been repackaged or otherwise modified no longer matches the signatures written for the original sample. The malware targeted back-office systems rather than traffic control systems, which is good news but still cold comfort to state officials.

Recovering from this double attack proved painstaking. It took CDOT's information security specialists about two weeks to fully contain the ransomware, and about the same amount of time to restore most of the encrypted data. To do so, the department had to bring in outside security consultants and team up with federal agencies. In total, the combined efforts of up to 150 experts were needed. The state has reportedly spent more than $1 million responding to this incident.

This case is particularly disconcerting because it shows how far behind cybercriminals many organizations are in their defensive posture. Two attacks by the same, slightly modified, ransomware within a single week are a wake-up call for organizations like CDOT to defend themselves proactively, to treat a first intrusion as a sign that the attackers still have a foothold until proven otherwise, and to keep backups that are stored offline and regularly tested for restoration rather than merely assumed to work.

© Copyright 2006. ilook-forensics.org