
Russian Cyber Group Takes Credit for Kansas Ransomware Attack

The entity claimed responsibility for a Wichita incident confirmed Sunday, that prompted the shutdown of the City Hall computer network. As a result, many departments moved to paper and cash-only operations.

[Photo: Commercial buildings in Wichita, Kansas, seen at dusk. Shutterstock/Sean Pavone]
(TNS) — Wichita's government operations appear to have been disrupted by a Russian hacker group, according to Eagle research and a cyber threat analyst.

A notorious Russian cyber criminal group — LockBit — is claiming credit for the attack on the most populous city in Kansas. A dark web listing flagged by cyber threat analyst Brett Callow indicates LockBit is prepared to post the city's data for other hackers if a ransom is not paid.

LockBit's demands are unclear. Wichita officials would not confirm whether LockBit or any other group has contacted the city about a ransom. The group is known to ask for multimillion-dollar payouts in Bitcoin, according to a federal indictment unsealed Tuesday.

Wichita officials confirmed on Sunday that the city's computer systems had been targeted by a ransomware attack, in which malicious software steals files and encrypts them with a key that only the attackers hold. The city shut down its computer network at City Hall in response, forcing many departments to move to a pen-and-paper and cash-only operation. Police and firefighters are relying on backup procedures as they continue responding to emergency calls.

The attack comes as LockBit's alleged leader, Dmitry Yuryevich Khoroshev — who is suspected of operating online under the aliases "LockBit," "LockBitSupp" and "putinkrab" — was unmasked by the U.S. government. The U.S. District Court for the District of New Jersey on Tuesday unsealed a federal indictment that had been filed against Khoroshev on May 2. The U.S. State Department also announced a $10 million reward for information that leads to his arrest. He is believed to be a resident of the Russian Federation.

The indictment calls LockBit "the most prolific and destructive ransomware group in the world" and says LockBit is responsible for extorting at least $500 million in ransom payments from multinational corporations, local governments and nonprofit organizations since January 2020. It has attacked at least 2,500 computer systems around the world, including 1,800 in the United States, the indictment says.

The indictment says law enforcement from the United Kingdom, United States and other countries disrupted LockBit's dark-web leak site in February and infiltrated its infrastructure. Law enforcement found that even after victims paid the ransom, LockBit kept copies of the stolen files.

LockBit typically locks businesses and governments out of their files using encryption keys and demands a ransom payment to restore access. It created a data dump page on the dark web to release files obtained from the city of Wichita next week, a screenshot of the listing shows.

The deadline for Wichita to pay the ransom appears to be May 15. City officials would not say what the group is asking for, and it's not clear what files or personal information has been compromised.

PUBLIC AGENCIES TARGETED

Wichita isn't the only government agency recently targeted by cyber attacks. Attacks on state and local governments have become increasingly common, according to a survey by the Center for Internet Security.

Kansas City in Missouri, Jackson County and KC Scout, a partnership between the Missouri and Kansas departments of transportation in the Kansas City metro area, have been recent targets of cyber attacks. The entire Kansas court system was compromised last fall and was not restored for several months.

Cyber criminal organizations with ties to Russia appear to be responsible for the attacks on Wichita, Jackson County and KC Scout. Callow also flagged a page purporting to contain KC Scout's data that was posted on the dark web leak site called "Play" on Tuesday. That group is believed to be linked to Russia, according to CBS News.

Kansas City, Missouri officials have said little about the attack on the city's computer system, and it's unclear who is responsible.

The city's website, kcmo.gov, has been out of commission since Saturday and remained offline throughout the day on Tuesday. A spokesperson for the city did not return phone calls from The Eagle. The city has canceled committee meetings and closed its municipal court system in response. The city's private water utility provider has also been disrupted by the computer outage, according to KCUR.

Bridget Patton, spokesperson for the FBI, declined to say whether the FBI is investigating but said it is "aware of both incidents," referring to the Wichita and Kansas City network outages.

Cyber attacks against state and local governments increased by 148% year-over-year during the first eight months of 2023, according to the Center for Internet Security survey. Ransomware attacks on government agencies climbed 51% from the same period in 2022.

Public agencies can be particularly susceptible to phishing campaigns compared with private companies because many employees' email addresses are published on government websites, giving hackers a potential access point to computer systems if even one employee falls for the phishing attempt.

The cyber attack on the Kansas court system could have compromised the data of as many as 150,000 people who interacted with the judicial system in some way, the Office of Judicial Administration announced Monday.

DARK WEB COUNTDOWN

Callow, a cyber security threat analyst based in British Columbia, posted screenshots of the LockBit and Play dark web listings to X on Tuesday afternoon. Several other dark web watchdog groups have since shared screenshots of the Wichita listing on social media.

In an email, Callow told The Eagle he has no reason to believe the Wichita and Kansas City government attacks are connected but that it's possible.

"Groups work on what's basically a ransomware-for-rent basis, and the people who rent the ransomware — they're called 'affiliates' — can work with more than one group," Callow said.

In a phone interview, Jack Danahy, vice president of strategy at Vermont-based cybersecurity group NuHarbor Security, said ransomware groups routinely use countdowns to turn up the pressure on target organizations and maximize the odds of a ransom payment, which is usually requested in cryptocurrency.

The implied threat is that compromised data will either be released on the dark web or destroyed. Federal authorities strongly discourage public and private organizations from making ransom payments.

"Even though the ransom has been paid, the private information still resides somewhere typically," Danahy said. "And while the organization may be claiming that they won't be releasing it, there really is no guarantee."

As an example, he pointed to Change Healthcare, a healthcare technology company that suffered a cyber attack in February and admitted to making a $22 million ransom payment to restore data. Last month, a second group of hackers claimed to have access to four terabytes of company data, including patients' medical records, and demanded a ransom payment within 12 days.

Danahy said there's a slim possibility that federal investigators and third-party specialists can reverse-engineer their way back into locked systems by decrypting keys. But that's a long shot, he said.

"Ordinarily what ends up happening, especially for organizations that don't pay the ransom, that choose not to support this kind of activity, is that they're reconstituting all that information on all those systems from scratch," he said.

'ASSESSING THE BLAST RADIUS'

Wichita says it has reported the attack to federal and local law enforcement and hired an unnamed third-party specialist to investigate the incident and help bring systems back online after they're thoroughly vetted.

The timeline for restoring computer networks after systems have been compromised can vary greatly from case to case. Danahy said the first step is "assessing the blast radius" of the attack.

"How many systems were touched? How were they touched? And how deep does the corruption go?"

He said identifying technology corrupted in a ransomware attack is a pretty straightforward process compared with other more sophisticated cyber attacks.

"You can pretty much tell that the machines that aren't working anymore are the machines that have been affected, so we start with that," Danahy said. "From this, a good organization that is doing recovery planning will be looking around for footprints — basically for people, for organizations, for IP addresses or for actually just network traffic that's traversed to those affected machines by other machines to see if there are in fact other affected machines that may not have been catastrophically shut down by the attack itself."

If organizations have data monitoring systems in place, it's much easier to assess how much data has been withdrawn, where it came from, and where it might have gone.

Another important step is thoroughly inspecting all systems to make sure hackers haven't installed back doors for future access.
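The pivot step Danahy describes, as an added illustration that is not part of the article: starting from the hosts known to be encrypted, walk flow records to find other machines that exchanged remote-administration or file-sharing traffic with them, then total what the affected hosts sent outside the network. The flow records, the internal address range and the port list are constructed assumptions, not data from the Wichita incident.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, dst_port, bytes); sample data, not from any real incident.
FLOWS = [
    ("10.1.0.5", "10.1.0.20", 445, 120_000),           # file-share traffic into an encrypted host
    ("10.1.0.5", "10.1.0.21", 445, 95_000),            # same source touched another host
    ("10.1.0.7", "10.1.0.20", 3389, 40_000),           # RDP into an encrypted host
    ("10.1.0.9", "10.1.0.30", 443, 2_000),             # unrelated web traffic
    ("10.1.0.20", "10.1.0.40", 445, 300_000),          # encrypted host reached out over SMB
    ("10.1.0.31", "10.1.0.20", 53, 500),               # DNS; not an admin/lateral channel
    ("10.1.0.20", "203.0.113.9", 443, 5_000_000_000),  # large upload to an outside address
]
# Ports commonly used for remote administration and file sharing inside a network (assumed list).
LATERAL_PORTS = {135, 445, 3389, 5985}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

def expand_blast_radius(known_affected, flows, ports=LATERAL_PORTS, max_hops=3):
    """Start from machines known to be encrypted and, hop by hop, add hosts that
    exchanged admin/file-sharing traffic with an affected host in either direction.
    Returns {host: hop distance from the initially known set}."""
    hops = {h: 0 for h in known_affected}
    for hop in range(1, max_hops + 1):
        new = set()
        for src, dst, port, _ in flows:
            if port not in ports:
                continue
            if src in hops and dst not in hops:
                new.add(dst)
            elif dst in hops and src not in hops:
                new.add(src)
        if not new:
            break
        hops.update((h, hop) for h in new)
    return hops

def external_egress(affected, flows, internal=INTERNAL):
    """Sum the bytes each affected host sent to addresses outside the internal range:
    a first cut at 'how much data was withdrawn and where it went'."""
    out = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if src in affected and ipaddress.ip_address(dst) not in internal:
            out[src] += nbytes
    return dict(out)

if __name__ == "__main__":
    radius = expand_blast_radius({"10.1.0.20"}, FLOWS)
    print("candidate hosts by hop:", radius)
    print("bytes sent outside the network:", external_egress(radius, FLOWS))
```

Hosts that only appear on non-administrative ports (the DNS and web flows) stay out of the candidate set, which keeps the follow-up inspection focused on machines a responder actually needs to vet.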

Danahy encouraged Wichita residents to exercise patience and ultimately to call for transparency from their government.

"The most constructive thing to do is to be supportive of the teams that are working around the clock to clean this up," he said.

"The most important thing now is that they figure out how it happened, they do the very best that they can with the strategy that they choose to clean it up and get things up and running again. At the end of the day, the one demand I would have as a citizen of Wichita is transparency. I want to know what happened ... I want to know why and what you've done to make sure it doesn't happen again."

©2024 The Wichita Eagle, Distributed by Tribune Content Agency, LLC.