Matanuska Susitna, a borough in the Anchorage Metropolitan Statistical Area with a population of just below 107,000, declared a disaster on Tuesday after it was hit by what Eric Wyatt, the IT director, claimed was a combination of the worst malware strains in the world.
It’s not in the video but they use Mcafee AV. They got infected with Emotet (which is all over USG systems - big issue) and then BitPaymer. It’s unclear if Emotet was used to deliver BitPaymer.— kevin (@GossiTheDog) 2 August 2018
Nearly all of the 500 workstations, running either Windows 7 or Windows 10, were affected and 120 of the 150 servers were hit as well. Wyatt said recovery would easily take three weeks.
"All of the pieces of this are the absolute worst in the world and they've all been combined together and put on us," Wyatt said in a PR video put out by the borough.
You know the Alaskan town reduced to typewriters by ransomware? They’re on a PR blitz and have made a video of their recovery efforts and incident response: https://t.co/uom2AThfds— kevin (@GossiTheDog) 2 August 2018
The attackers used the Emotet loader and the BitPaymer ransomware and the borough said one person had also infiltrated the systems.
"The cyber attack has caused major disruption in Borough services and loss of productivity, which may continue for a prolonged time," Assembly member Ted Leonard told a borough Assembly meeting, according to a report on Mashable.
The borough was using McAfee's anti-virus software but it did not prevent the infection. Wyatt said in a report that the software did not have the necessary definitions to stop the attack.
Also spinning the situation was Kurt Bunker, an IT contractor/consultant, who said: "I think the FBI was pleasantly surprised by how prepared the staff was and how well we had managed the data and the evidence.
"Based on what we've set up, the type of documentation we put forward showing data flow, quarantine, clean, air-gapped environments, how we're moving the data, having a 30-day plan for how we're not only going to recover but maintain the data that could be cleaned and looked at later and also give the FBI what they need in a safe environment...
"I think they were pleasantly surprised. They put a lot of confidence in us and that really goes to show what the staff is doing around here."
According to Wyatt, the malware had lain dormant in the borough's systems since at least 3 May. "The FBI reports that the trojan (Emotet) and the worm (BitPaymer) will lay dormant for four to six weeks and then the Crypto Locker component is frequently launched on a Friday.
"This happened in Valdez and there are reports that on Friday (27 July) multiple other locations in Alaska and around the US were hit."