The Challenge
The first obvious signs of the cyber attack appeared on Saturday 14 December 2019 when the Council’s email system shut down. The incident rapidly escalated to impact every other system. There was a complete server outage, limited end-user computing capacity and no access to VoIP phones. It was not only the Council’s central operations that were hit but all of the community services, such as libraries and support hubs, throughout the 518 km² of the City of Onkaparinga’s suburban and rural areas.
Investigations identified that the RYUK cryptolocker virus had infiltrated its ICT environment. This particularly vicious strain of cryptolocker, originating in Russia, paralyses organisations in multi-stage incidents. RYUK monitors the host, gets into the system and lies dormant before enabling the hackers to take over administration privileges to delete and encrypt critical files. While the cyber attack took place in December, indications are that the hackers had infiltrated Onkaparinga’s systems in early October. Complicating the barrage on the Council’s network were two other serious threats, Emotet and TrickBot.
Rapidly evolving malware strains such as RYUK can defeat even the most diligent organisations and security-aware employees. The targeted sophistication of RYUK’s phishing campaigns deceives staff with what look like genuine internal emails.
The City of Onkaparinga ICT Team Leaders Kym Groves and Zoran Bancevic explain: “We’re told the RYUK emails were addressed directly to our people, covering topics they were working on. When everything looks normal, busy people are going to click on attached documents to be actioned. And when there’s no immediate system issue, no danger signals are flagged.”
The initial attacks would have been short-lived, perhaps only a few days, so as not to raise suspicion. As the emails were distributed throughout the organisation, its contact lists were compromised, but nothing would have registered in the sent-items or Exchange logs. The Council’s antivirus reports may have flagged Emotet and reported the attack as cleaned, but RYUK was still at work.
Once RYUK activated on 14 December, Onkaparinga’s ICT team spent four sleepless days and nights battling the incursion. As backups from the Friday were reinstated, a new attack at 1.30 am each night again closed everything down.
“It was insane chaos over the first few days; however, because our backup data was not encrypted, we were confident we could get systems back, but we badly needed boots on the ground to help. And we didn’t contemplate opening any files that may have contained a ransom demand because our backups were protected. We contacted our original anti-virus vendor and they told us they couldn’t help; we were on our own. Their response was terrible,” says Desma Morris, Manager of Information Communication Technology (ICT).