Knoxville Ransomware Attack Leads to IT Network Shutdown | Threatpost

The city of Knoxville, Tenn. is reeling from a ransomware attack that knocked the city’s network offline and prevented police officers from responding to non-life-threatening traffic crashes. The incident occurred Wednesday and shuttered systems until Thursday. Also impacted were the city’s internal IT network, public website and court systems, forcing Friday court sessions to be rescheduled.

“Our Information Technology team acted swiftly and followed best-practices protocols to shut down the City’s computer network, identify and isolate problems, and minimize damage,” according to an official city press statement sent via email to Threatpost. “City offices and services are open and available as usual, though visitors to City offices may encounter some inconveniences. City departments are adjusting accordingly to address the needs of residents and businesses.”

While officials have not confirmed an initial source of the ransomware, local reports point to a spear-phishing email, which was opened by a city employee. No financial or personal information was compromised, according to the city.

Glenn Jacobs, the mayor of Knox County (which includes the city of Knoxville), said on Thursday, via Twitter, that while the county and city share basic network infrastructure, there’s no evidence of compromise on the county’s network. “We did pull back and sever the connectivity between all of our shared agencies until we are fully confident that the issue has been contained,” he said.

According to local news reports, the city has received an unspecified ransom demand from attackers. Threatpost has reached out to Knoxville city officials for more information on whether they plan to pay the ransom or not.

Brett Callow, with Emsisoft, told Threatpost that while no ransomware group has been officially linked to the attack, “based on ransomware groups’ current activity levels and past victim profiles, the most likely suspects for this attack are probably Maze, DoppelPaymer and NetWalker – all of which exfiltrate and publish data.”

In 2019, a total of 113 state or municipal entities were impacted by ransomware. Knoxville is the 51st city to be hit in 2020, Callow said.

Last year, two Florida cities – Lake City and Riviera Beach – were both hit by ransomware attacks and decided to pay off the hackers. And, after a rash of public schools were hit with ransomware in July, Louisiana’s governor declared a statewide state of emergency. The city of Baltimore meanwhile is another high-profile recent victim of ransomware, which hit in May and halted some city services like water bills, permits and more, with attackers demanding a $76,000 ransom. And in 2018, several Atlanta city systems were infamously crippled after a ransomware attack extorted the municipality for $51,000.

In August, 22 Texas entities – the majority of which were local governments – were hit by a ransomware attack that Texas officials say is part of a targeted attack launched by a single threat actor.

“Cybercriminals tend to target organizations that require the least effort to hack for maximum profit, and state and local governments usually fit the bill,” Chris Kennedy, CISO and VP of customer success at AttackIQ, said in an email. “These smaller government agencies often chug along old legacy infrastructure, and that old legacy infrastructure is easy for bad actors to exploit.”
