BitPaymer Cyberattack in Alaska

A malicious computer cryptovirus is known to have hit Matanuska-Susitna (Mat-Su) borough, an Anchorage Metropolitan Area in Alaska on July 24^th 2018. The discovery of the ransomware attack led Borough’s government networks and IT staff to shut down largely affected IT systems. Servers were the first to loose connectivity  followed by phones, email id, and Internet access!

The security team is steadily working to  cope with the compromised systems and to get them cleaned and restore email, phones and Internet connection.

BitPaymer Cyberattack in Alaska – Multi-pronged, Multi-vectored Attack

Modus Operandi on the attack revealed that the virus exhibited a “Multi-pronged, Multi-vectored attack” trait that had the multiple aspects of viruses including dead man’s switch, Cryptolocker, time bomb and Trojan horse.

The malware was identified as BitPaymer ransomware that was first spotted in July last year. Culprits behind the design of this ransomware are suspected to be linked to the same criminal group that runs infamous Dridex banking Trojan.

The “Trojan” aspect of the BitPaymer ransomware was first detected by the anti-virus scans on July 17^th 2018 on windows 7 machines.  Other traits of this multi-pronged virus however, were completely missed by anti- virus software scans.

Attack Repercussions:

1. All user passwords were intentionally expired by the security team to compel users to change passwords for all admin and service accounts.
2. An attempt was made to remove the discovered components of the virus with manually generated scripts. This attempt triggered the virus to launch its Crypto Locker component. Researchers speculate this trigger to be automated or suspect crooks to have been monitoring the activity and executed their Command and Control (C2) to launch the attack.

The results were devastating as 500 Mat-Su desktop workstations and 120 of 150 Mat-Su servers were dominated by the encryption. As a result, Mat-Su network was taken offline, FBI was notified, and the network rebuilding operation was initiated. Some data has been successfully recovered from the backups. There is no information regarding the demands of crooks being fulfilled to restore the infected system is not known.

3. Cleaning and reinstallation of 650 desktop computers and servers located on the parts of the Mat-Su network that are believed to be affected is in progress.
4. 110 employee workstations were cleaned and returned to service.
5. The Phone server was rebuilt on 29^th July 2018 and some Mat-Su phones were back online on 30^th.
6. Government was assisted to reconstruct its IT infrastructure by 20 different agencies and private sector vendors.

List of unaffected Networks

1. Data stored with third-party providers like Payment card data remained safe.
2. The Mat-Su official website remained unaffected.
3. Though Mat-Su door lock card swipe system was compromised, but it continued to work seamlessly.

Still,  there are no evidences of attackers leaking the stolen data.

A Pat on the Back to Borough employees

Deprived of computers and files at the time of the devastation, Borough employees acted resourcefully. The use of age old technology: A typewriter was commendable. Lists of library book patrons, receipts and landfill fees were all prepared using typewriters.

Other attacks similar to BitPaymer Cyberattack in Alaska

Mat-Su Borough was victim number 210.

Researches revealed that the city of Valdez in Alaska experienced a similar attack. The traits of the attack resemble BitPaymer infection. The news came to light on July 28^th 2018, when Valdez city officials confirmed about the attack in an official Facebook statement.

Hits: 229