SAMMAMISH, Wash. — An extortionist has hit the City of Sammamish using a ransomware attack and it’s led to darkened computer screens at City Hall.
The city’s IT department noticed locked and encrypted files showing up on its network on Wednesday. Access to several shared drives was shut down immediately.
The Interim City Manager issued a city emergency declaration allowing for the immediate hire of computer forensic specialists to evaluate the city’s computer network.
“They looked at what was immediately affected, which was our shared drives and closed off access to those, and had us all shut off and disconnect from the computer network,” said City of Sammamish Communications Manager Sharon Gavin.
The analysis of the network began Wednesday night and lasted all day Thursday. In the meantime, the City has shut down the computer network that services much of City Hall. Workers are using laptops on wireless networks outside the city’s main network to access the internet, as well as old-fashioned pen and paper, to do their work.
Police, fire and 911 emergency services are not affected but permitting, passport processing and pet licenses are some of the services that have been suspended temporarily. City credit cards have also been canceled.
The City is working with law enforcement with cyber security expertise and evaluating what it will take to unlock city files.
“It’s happening in cities around the world, it happened to Atlanta with some ransomware called 'SamSam,'” said Corey Nachreiner, Chief Technology Officer at WatchGuard Technologies in Seattle.
“It’s very targeted, most likely those behind the ransomware have already invaded a city’s system and know what they are trying to get,” said Nachreiner. His company makes software to prevent ransomware attacks.
Typical ransomware attacks start with a user opening a piece of malware that may be attached to an email. It may appear to be legitimate tracking information for a shipment.
“But behind the scenes that malicious script is actually downloading and installing ransomware behind the scenes — the user has no control,” said Nachreiner.
It can take just seconds for the ransomware to rename and encrypt any file on a hard drive, which can then only be opened by a special key, a numeric or alphabetical string that works like a password.
To get the key, the user would have to pay a ransom to the attacker, with no guarantee the key will work after the ransom is paid.
“It used to be the attacker was just after money, but now they can be after information as well, and can use that information like a hostage,” said Nachreiner.
Gavin said the City is not sure what information, if any, has been compromised.