City Weathers Cyberattack

By Jeremy Morrison

During the first weekend of this month, at around 1:30 a.m. on a Saturday morning, the city of Pensacola was hacked. By Sunday, city officials realized the cyberattack had crippled several municipal operations.

“Everything that was here within city hall has been compromised,” Mayor Grover Robinson revealed during a Monday morning press conference.

Initially, the city was unable to use its phone system or communicate via email. Permits could not be issued, and payments could not be processed online. What else might be vulnerable—such as personal or private information held by the city—was not known, but the Pensacola Police Department and Pensacola International Airport were spared in the attack.

A few days into the cyberattack, with the city’s IT department working to assess the extent of the damage and law enforcement working to determine a responsible party, officials verified that the attack involved ransomware but were mum on further details—How did it happen? Who did it? What data is compromised? How much is the ransom? Is the city paying?

“Not to sound like a broken record, but I don’t think I can get into these kind of details,” said Kaycee Lagarde, Pensacola’s public information officer. “We know everyone has these questions. It’s just such a sensitive issue.”

Tech Support on the Dark Web

Cyberattacks on municipalities are a reality of the modern landscape. About a week after Pensacola was attacked, New Orleans was hit. Numerous cities have been targeted, and more than a few have paid up when faced with ransomware.

“The city of Pensacola certainly isn’t the first, and it won’t be the last,” said Troy Gill, manager of security research with AppRiver, a cyber security company based in Gulf Breeze.

The basic mechanics involved with a cyberattack entail locking up a target’s technical capabilities, and then offering up an encryption key to remedy the situation.

“The idea is to just take down the ability of a city to do its day-to-day business,” explained Greg Hall, a research scientist with the University of West Florida’s Center for Cybersecurity.

Ransomware, which facilitates this type of cyberattack, first began appearing in the 1990s, but the game has since evolved markedly.

“The threats in recent years have certainly gotten more targeted, more customized and more dangerous,” Gill said.

A ransomware attack can be launched on a target’s system in a few different ways. It can be done manually, in person and on site. It can be done using a bona fide username and password of someone who has legitimate access to the system, or it can be let in when someone opens an email or clicks on an ad, one of the more common methods, known as “phishing.”

“Usually, a ransom note is left on the desktop or appears as a background,” said David Pickett, AppRiver’s senior cyber analyst.

Once a system is infected with ransomware, the targeted entity needs that encryption key to regain use of and access to the system. Additionally, some cyberattacks also involve a threat of releasing sensitive data if the ransom is not paid.

“Usually, the person who does it is going to ask for what I consider a large amount,” Hall said, ballparking an average ask of a municipality to be in the hundreds of thousands of dollars. “Sometimes they settle for an undisclosed amount.”

Hall said that while it’s not impossible to figure out who launched a cyberattack, the attacks increasingly originate outside of the country.

“And particularly in countries that don’t extradite to the United States,” he explained.

And there is apparently no need for a depth of technical know-how to initiate such a cyberattack.

“You can purchase any facet of the attack on the dark web,” said Gill, noting the ever-evolving marketplace he encounters in his work. “We were looking at one yesterday and they had, like, tech support.”

“I was amazed,” said Pickett, marveling at how the criminal enterprises mimic the customer service of a legitimate business.

No More Privacy

For as long as there have been computers, there has been a consistent piece of advice—back up everything.

“You need to make backups,” Hall said. “That still rings true today.”

“Really, it has a lot to do with your backup situation. If you don’t have backups, you’re in a predicament,” said Gill, stressing the importance of backing a system up. “It puts you in a good position to start restoring from backups.”

But backups aren’t perfect, and sometimes there’s no way around needing that encryption key. It’s not known exactly how the city of Pensacola has dealt with its ransomware attack, as officials are keeping a lid on the specifics, but in the week following the attack, it was able to restore its email, phone lines and online payment services.

“We don’t want to talk about how exactly we were able to get back online,” Lagarde said. “Obviously, that’s not something you want to share publicly. It’s just such a sensitive issue, when you’re talking about our security measures.”

Lagarde did say that IT is still assessing the situation to determine the extent of the cyberattack and whether the city’s computer system is clean. Lagarde also said that federal law enforcement agencies—including the Federal Bureau of Investigation, the Department of Homeland Security and the Florida Department of Law Enforcement—are currently investigating the attack. The city will also be engaging an outside cyber security consultant for assistance.

“We want to make sure that we have that extra layer of security and that we have those outside experts come in and take a really hard look,” Lagarde said.

In the meantime, officials have declined to discuss details about the ransom or what the city’s response has been on that front.

“Again, that’s not something we can discuss publicly,” Lagarde said.

However, an email surfaced from within the circles of Escambia County government—posted briefly to a county commissioner’s blog—that included an update from the FDLE on the city’s cyberattack. The agency noted that the ransomware appeared to be using software associated with an attack on California-based security company Allied Universal.

Additionally, cyber security blog BleepingComputer has reportedly been in contact with the Maze ransomware operators that claim to be behind the cyberattack on the city of Pensacola. In an email exchange, the apparent hackers confirmed they were seeking a $1 million ransom. Also in the exchange, the attackers noted that public safety elements were intentionally shielded from the attack and that the attack’s proximity to the shooting at Naval Air Station Pensacola—which happened a day earlier and left four dead—was completely unrelated and coincidental.