After an Initial Ransomware Attack, Colorado DOT Gets Hit Again

The original attack in late February has morphed and re-infected a portion of the transportation agency’s remaining computers, according to officials.

(TNS) — As state security officials mopped up ransomware that attacked Colorado Department of Transportation computers last week, malware struck again Thursday.

The original attack, a variant of the malicious SamSam ransomware, has morphed into something new and re-infected CDOT computers that had been cleaned, said Brandi Simmons, a spokeswoman for the state’s Office of Information Technology.

“We had 20 percent of the computers up and running when our security tools detected malicious activity. And sure enough, the variant of SamSam ransomware just keeps changing,” Simmons said. “The tools we have in place didn’t work. It’s ahead of our tools.”

The agency took 2,000 CDOT employee computers offline on Feb. 21 after discovering the SamSam variant had locked computer files and demanded bitcoin for their safe return. The state said it did not pay hackers a cent nor does it plan to. Only back-office and internal computer systems using Windows software were impacted. CDOT employees began using personal devices for email or accessing shared documents through Google. Critical transportation systems, like road alerts or CoTrip, were not affected.

Simmons said security officials continue to work around the clock to contain the new variant and recover damaged files. The agencies have reached out to other security companies and are also getting help from the FBI and the National Guard. Several dozen OIT employees and an unknown number of CDOT workers are working on the SamSam issue.

SamSam ransomware has been infecting computers in government, healthcare and other industries since 2015. SamSam wormed its way into some hospital computer systems because of a misconfigured web server or, more recently, through a vendor’s username and password. Security researchers with Cisco’s Talos reported in January that the new SamSam variant had so far collected 30.4 bitcoin, or about $325,217.

To minimize an attack by malware or ransomware, computer users should keep all their software updated, avoid phishing emails and maintain strong passwords.

Updated at 8:54 p.m.: This story was updated to clarify that Brandi Simmons, with the Office of Information Technology, said several dozen OIT employees are working on the problem. She did not have information on the number of CDOT employees working on recovery.

©2018 The Denver Post. Distributed by Tribune Content Agency, LLC.