Ransomware Attack forced Employees to use Typewriters Again

Typewriters are productive again” the aftermath of Mat Su’s Ransomware Attack

Time travel has been proven at last, but not the type we saw from the Back-in-the-Future and The Time Machine films, but like a dress-rehearsal of a dystopia brought about by a localized malware attack. Government employees of Matanuska-Susitna Borough had no choice but to continue the operations of their respective departments by reusing typewriters and handwriting documents.

Matanuska-Susitna also known in its shorter alias, Mat-Su is a 63 thousand square kilometer borough in the State of Alaska, United States. The malware attack happened last July 21 to 22, 2018, a weekend. It was a massive ransomware infection of 120 servers (The Mat-Su government has 150 servers overall.) and 500 desktop computers. Further investigation revealed that the initial penetration of the ransomware had already been happening since May 3, 2018, but it took until July for people to visually notice the problem.

Patty Sullivan, Mat-Su’s Public Affairs Director explained: “Last Tues, July 24, the Borough first disconnected servers from each other, then disconnected the Borough itself from the Internet, phones, and email, as it recognized it was under cyber attack.”

Sullivan also highlighted the resiliency of their employees, as they remained calm and continued the operations of their respective offices: “Without computers and files, Borough employees acted resourcefully. They re-enlisted typewriters from closets, and wrote by hand receipts and lists of library book patrons and landfill fees at some of the 73 different buildings.”

On his part, Eric Wyatt, Mat-Su’s IT Director said: “(This is) a multi-pronged, multi-vectored attack. not a single virus but multiple aspects of viruses together including trojan horse, Cryptolocker, time bomb, and dead man’s switch. This is a very insidious, very well-organized attack, it’s not a kid in his mom’s basement.”

The IT Director, with the help of FBI, has finally identified the actual ransomware that encrypted and infected their computers. His report is published and named the culprit ransomware as the BitPaymer. The BitPaymer ransomware family is a trojan taking a form of a standard Windows executable .exe file. It is also known as HPmal/Ransom-Y and Troj/Agent-AXEG in various antivirus signatures. Once executed, it takes advantage of the NT file system’s alternate data stream, creating duplicate copies of itself for redundancy purposes. Using the alternative data streams effectively hides the infection from regular anti-malware applications.

The malware uses an RSA-1024 public key to encrypt the data files using a .locked filename extension. Third party application programs under the Program Files system folder are also encrypted, this effectively renders the apps unusable as well. This ransomware is highly damaging to both user productivity and uptime of the infected computers.

Mat-Su’s government is already taking action, as they are currently restoring all the affected computers to a clean state. “Since then, infrastructure is steadily being rebuilt, computers cleaned and returned, and email, phones, and Internet connection becoming restored,” concluded Sullivan.

The good news was the official website of Mat-Su, www.matsugov.us/ is not hosted locally, hence its web server was not targeted by the ransomware. The official site’s page about the cyber attack incident has been posted, the latest updates are the following, as directly quoted from their website:

  • Phones are coming back online and were mostly restored at the administration building in Palmer on Monday. Later this afternoon, IT dispatched a team of six to begin restoring phones at other sites. The phone server was rebuilt Sunday night.
  • Palmer Pool’s phone number for the front office is 746-2455 during the cyber crisis.
  • The external website has been functioning since last Tues.
  • The Assembly meets Tues. night, July 31, at 6 pm in the Borough Assembly chambers for a special meeting with the agenda posted on the web.
  • An email stop gap is given to some employees until the actual exchange email server is rebuilt. Older email files may not be recoverable.
  • Most employees have been without computers. 110 workstations have been cleaned, reimaged, and are ready for dissemination to employees.
  • My Property, a useful web application property, has been restored with some limitations.

Leave a Comment


Welcome! Login in to your account

Remember me Lost your password?

Don't have account. Register

Lost Password