Ransomware was never followed up with a demand for ransom
Nearly a month after a ransomware virus seized municipal computer systems in Racine and Oshkosh, the cities are still working to recover from what was likely a Russian-based attack that could have been much worse.
The viruses locked city employees out of email, computers, voicemail systems — even faxing! — when the ransomware was activated. Oshkosh’s internal operations were initially debilitated on Jan. 28, and Racine’s soon followed on Jan. 31. The attacks on Racine and Oshkosh are not unique. Last year, there were 2,047 reports of ransomware, which resulted in $8.9 million in losses, according to the FBI’s 2019 Internet Crime Report.
Spokespeople for both cities told UpNorthNews that their systems are recovering, but it’s unknown when they will be fully back online.
“We’re still in the thick of it,” said Emily Springstroh, Oshkosh’s communications coordinator.
Both cities actively back up their electronic records, so data loss is expected to be minimal.
“It’s certainly inconvenient, but it didn’t cripple the city,” said Shannon Powell, Racine’s communications manager. City employees still cannot use email but are able to do basic workplace functions on their computers.
Alex Holden is a Milwaukee-area cybersecurity expert known for uncovering massive data breaches and Dark-Web crime rings, including the theft of 1.2 billion user accounts from 420,000 sites and the source code of some Adobe Systems programs. Holden said his firm, Hold Security, has independently examined the Oshkosh and Racine hacks and found that both can be traced to an unnamed group of Russian hackers that uses Emotet malware to extort money from its victims in exchange for the release of their data.
The viruses had been dormant in Racine’s and Oshkosh’s systems for about a year, Holden said. Oshkosh computers were first infected in September 2018 and Racine’s in March 2019.
Holden explained how the attacks appear to have originated: Hackers who use Emotet send out millions of virus-carrying emails; when a computer is infected, the virus begins automatically gathering data on the network the computer is connected to. If it identifies the computer as part of a business or government entity, hackers can then manually intervene and hold the network’s data hostage until a ransom is paid.
It is unlikely Racine and Oshkosh were specifically targeted, Holden said, because such hackers cast incredibly wide nets.
Neither Racine nor Oshkosh has received payment demands from the cyber attacks’ perpetrators, according to the city spokespeople. Oshkosh has acknowledged the Russian origin of the attack, but Powell said “we have not been given any sort of clarity” on the origin.
“I don’t want to speculate,” Powell said.
Holden said “it’s extremely unusual” that neither city has received demands.
City of Racine employees will “most certainly” undergo further cybersecurity training to learn how to spot potential ransomware, Powell said. He added that a contracted forensic agency will also offer further recommendations for improvements.
Springstroh said it’s too early to tell what changes might be made, but she added that the information technology department likely has plans to re-evaluate practices.
“The city was a victim in this,” she said. “Something like this is not 100 percent preventable.”
The FBI, which is reportedly involved in at least Oshkosh’s investigation, declined to comment on either attack or confirm whether it was investigating them.