City of Stratford Says Cyberattack Recovery Takes ‘Days, Not Hours’
It takes “days, not hours” to recover from the recent cyberattack that hit the City of Stratford, according to the statement released by the City.
Last April 14, the City of Stratford, Ontario, announced that it was managing what appeared to be a cyberattack. More than a week after the initial cyberattack announcement, the City said in a statement that a virus had encrypted the City’s data and locked the staff out. “We have now begun methodically unlocking and decrypting our systems,” the City said. “This is a thorough process that takes days, not hours.”
In response to the cyber incident, the City said that it intentionally shut down its IT and email systems to contain the virus and protect the data. Critical services, like emergency services, transit, water and wastewater systems, are all operational, the City said, and staff are processing routine transactions manually where they can.
The City of Stratford didn’t name the particular malicious software (malware) or the type of malware that attacked its system. It said only that a “virus” “encrypted” the City’s data and “locked out” users, and that it is currently “decrypting” its systems.
Malware is a catch-all term for any type of malicious software. A virus is a type of malware that spreads by attaching itself to legitimate files and programs and is distributed via infected websites, emails or flash drives. A virus is activated when a victim opens the infected file or program.
In the cybersecurity field, malware that encrypts computer data and locks out users as a result is characteristic of a type of malware called “ransomware”. Data encrypted or locked by ransomware can only be unlocked using the decryption key or keys given by the ransomware attackers, and these keys are only given after ransom is paid, typically in the form of cryptocurrency like Bitcoin. The ransom note is displayed on the screen of the infected computer.
In the case of the cyberattack at the City of Stratford, it’s not clear how the City got hold of the decryption key or keys used in decrypting or unlocking the encrypted files, or whether or not ransom was paid to the attackers. It’s also not clear how the malware initially infected the IT system of the City.
In recent years, there has been an increase in ransomware attacks across the world. The closest example of an attack similar to the attack in the City of Stratford is the recent cyberattack on the City of Stuart in Florida. Last April 17, the City of Stuart confirmed that it was managing a cyberattack, in particular, a ransomware attack. Stuart City Manager David Dyess told TCPalm that the ransomware called “Ryuk” has locked the City’s servers since last April 13.
Dyess said that the City’s emergency services, including 911, remain unaffected and that the City will remain disconnected from all networks while it rebuilds its servers and scans every server in the City and every computer owned by the City to eliminate any viruses on these machines.
Dyess added that the yet-to-be-identified attacker or attackers left ransom notes on the affected computers. He refused, however, to disclose the exact ransom demand but said the attackers want to be paid in the cryptocurrency Bitcoin. Dyess said that the City isn’t negotiating with the attackers as it has a computer backup system.
“If we wouldn’t have had these viable backups, we would probably be in a situation where we had to move into negotiations,” he said. “But with those backups in place, why would we negotiate?”
Cybersecurity Best Practices
Any organization with important data stored on its computers or network is at risk of ransomware attacks. Depending on the level of preparation, every organization reacts differently to a ransomware attack.
As exemplified by the City of Stratford, recovery from an apparent ransomware attack entails methodically unlocking and decrypting systems. The City of Stuart, meanwhile, sees no need to unlock and decrypt the infected systems as it has a backup system to turn to. It’s important, therefore, to back up your organization’s important files so that if an unfortunate cyber incident occurs, your organization can easily turn to the backup data, rebuild its systems and ignore the attackers’ ransom demand.
It’s also important to note that ransom payment isn’t a guarantee that your organization will get its files back. There have been a number of ransomware cases in the past in which victims were still not able to unlock their files despite paying the attackers ransom. Some ransomware programs are created in such a way that the attackers themselves can’t unlock the files, either because they have no decryption keys or because they are unable to determine who paid the ransom and who didn’t.
Aside from data backup, here are some cybersecurity best practices to prevent ransomware attacks:
- Update all your organization’s software and operating systems with the latest patches.
- Train your organization’s staff not to click on links or open attachments in unsolicited emails.
- Restrict non-IT staff from installing and running software applications.
- Use application whitelisting to allow only approved programs to run on a network.
- Use spam filters to block phishing emails and authenticate inbound email to avoid email spoofing.
- Configure firewalls to block access to known malicious IP addresses.