Municipal Corporate Network Ransomware Attack

Posting ID 128659
Date Added: 12/7/2020 3:35 PM EST
Date Modified: 12/9/2020 1:33 PM EST
Anonymous

Description

Summary:

On or about December 4, 2020, IT staff discovered that certain files on its corporate systems were encrypted by ransomware. Upon discovery, IT staff immediately disconnected affected servers and endpoints from its network and launched an investigation into the nature and scope of the incident. Working with third-party forensic specialists, IT staff determined that its systems were infected by the Egregor ransomware variant. The threat actor purports to have exfiltrated data from the environment and threatened to release the data absent payment of a $1 million demand. The investigation and restoration processes are ongoing and no payment has been made at this time.

It should be noted that there has been no impact to the BES or any associated assets at this time.


E-ISAC Update (12/9/2020 - 1:20 p.m. ET):

This E-ISAC member has provided the City Manager’s press release below and permission to share this information with industry trade organizations.  The member also advised that the forensic investigation is ongoing, the situation is continuing to evolve and no further specifics are available to provide at this time.

City of Independence issues statement following apparent ransomware attack:

INDEPENDENCE, Mo. – The City of Independence City Manager Zach Walker issued the following statement following an apparent ransomware attack on City technology.

“The City of Independence recently experienced an event that resulted in technical difficulties and disruption to multiple services. It appears that these disruptions are the result of a ransomware event that was discovered and stopped before it could infect the full City network. We want to ensure that you have the most accurate and up-to-date information about this incident.

Upon discovering the event, we began aggressively working with forensic specialists to confirm the nature and scope of this incident and implement a mitigation and response plan. Our team has been working diligently around the clock to conduct a thorough, methodical investigation and restore access to the impacted systems as quickly as possible. 

In addition, the team are taking several steps to ensure the security of the City’s environment moving forward. These steps include full system scans and restoring impacted systems from available backups.  These efforts may result in temporary disruptions to certain services both internally and externally. These service disruptions should be limited in duration and will be resolved as quickly as possible as we continue our ongoing response.   

We will provide the public with additional information as the investigation progresses and relevant information is learned. Thank you for your patience and understanding as we work through this process.”

Bulletin Type: Cyber Bulletin
Category Type: Cyber Security
Impact: Low
Urgency: Routine
Region where event occurred: Midwest Reliability Organization (MRO)
Purpose: Situation Awareness
TLP - White
Shared Count (16)
  • Canadian CERTs
  • CRISP - Cyber Risk Info Sharing Program
  • DHS - NICC, NCCIC, US-CERT, etc
  • DNG-ISAC
  • DOE Complex
  • E-ISAC AOO Members
  • E-ISAC Staff
  • ESCC, including SEWG
  • FBI, LE Fusion
  • FERC - OEIS, etc
  • FS-ISAC
  • International (other ISACs, CERTs)
  • MS-ISAC
  • Other (inc. local/state commissions)
  • Trade Organizations
  • Watch Floor
Change History
  • Admin, 12/23/2020
  • Admin, 12/09/2020
  • Admin, 12/09/2020
  • Admin, 12/09/2020
  • Admin, 12/09/2020
  • Admin, 12/09/2020
  • Admin, 12/09/2020
  • Admin, 12/09/2020
  • Anonymous, 12/08/2020