Employees at the Colorado Department of Transportation (CDOT) spent the second day offline today, while security officials — including the FBI — continue to investigate a ransomware virus that hijacked computer files and demanded payment in Bitcoin for their return.
According to Amy Ford, a CDOT spokeswoman, only employee computers running Windows and equipped with McAfee security software were impacted.
“No one is back online. What we’re doing is working offline. All our critical services are still online — cameras, variable message boards, CoTrip, alerts on traffic. They are running on separate systems,” Ford said. “The message I’m sharing [with employees] is CDOT operated for a long time without computers so we’ll use pen and paper.”
SamSam
The ordeal began on Wednesday morning when CDOT shut down more than 2,000 employee computers and began investigating the attack. The malicious code was a variant of ransomware called SamSam, according to Brandi Simmons of the Governor’s Office of Information Technology (OIT). Later in the day, in attempts to prevent further damage, McAfee, the security software used by the CDOT computers, provided a software patch to stop the execution of the ransomware.
“This ransomware virus was a variant and the state worked with its antivirus software provider to implement a fix today. The state has robust backup and security tools and has no intention of paying ransomware. Teams will continue to monitor the situation closely and will be working into the night,” said OIT chief technology officer David McCurdy in a statement.
The OIT, which reached out to the FBI for assistance, are still investigating the attack and have not paid a cent to attackers — nor do they plan to according to Simmons:
“No payments have been made or will be made. We are still investigating to see whether or not files were damaged or recovered,” she said in an email.
As noted, the ransomware was a variant of SamSam, which last made headlines in January after targeting the healthcare industry. It encrypted files and renamed them “I’m sorry,” according to a report by security firm TrendMicro. One hospital in Indiana, Hancock Health, paid $55,000 to get its files back. To make things worse, a growing problem is that paying cyber-jackers in itself isn’t always easy— sometimes other hackers hijack the ransom payments before they are received and redirect them into their own cryptocurrency wallets.
These remote hacks are becoming more and more common — just last week Elon Musk’s cloud was hacked. In this case, though, the cyber-attackers didn’t steal information: They used his computer system’s power to mine cryptocurrencies, deeming it more profitable than extracting files and demanding ransom.