A ransomware attack with serious consequences for a city was the focus of the panel “Cyber extortion against companies – it can hit anyone!” at the 4th annual cybersecurity conference of Time. The participants described the course of the attack and its severe effects, and drew lessons for future victims of a large-scale attack.
On September 6, 2019, an IT employee of the city administration of Neustadt am Rübenberge in Lower Saxony noticed extreme server load in the city’s data center. The Trickbot Trojan had already attacked the IT system six months earlier, gradually worked its way to various levels, and sent out signals. Ransomware was encrypting data at all levels, so that the servers were running at full capacity.
“In the first phase it was still relatively relaxed after we had checked that all the backups were running. But then we discovered that various areas were also encrypted there. We decided to block all accounts, to inform all external parties and to disconnect from the entire network. Then we called the cybercrime specialists from the LKA, who were there very quickly,” reported Maic Schillack, First City Councilor and IT Manager of Neustadt.
“The LKA advised on how forensic measures should be carried out. They were carried out in such a way that the operation of the municipal utilities was not brought to its knees even further. Contacting the LKA at an early stage made it possible to gain a quick overview of the situation,” said Heiko Löhr, head of the Strategy and Service group in the Cybercrime department at the Federal Criminal Police Office.
City Councilor Schillack described the administration’s further steps. First, it checked whether vital systems such as sewage, sewage works, traffic and locking systems, for example for schools, were affected. That was not the case. The next question was whether the city could pay out social assistance and salaries.
“We quickly decided to rebuild the entire network. This is a huge topic that requires a lot of staff. We have now had up to 40 IT specialists here who have taken care of the hardware of the new network and the start-up of the individual workstations,” he said.
In the meantime, the administrative workplaces were outsourced to the neighboring municipalities and to the city’s computer center. “A lot of things are hosted. That worked quite well. In the end, we were back with the basic activities relatively quickly. That took five days because, to my knowledge, even specialists need this time with relatively new viruses to recognize the virus and to initiate the counter-programming. In my experience, it cannot be done any faster.”