City of Valdez, Alaska admits to paying off ransomware infection

City IT network was infected by Hermes ransomware, a strain that researchers previously tied to other North Korean malware and hacking tools.
Written by Catalin Cimpanu, Contributor

Officials from the city of Valdez, Alaska have admitted last week to paying $26,623.97 to hackers after the city's IT network was crippled by a ransomware infection in July.

"Valdez Police Department [...] reached out through our law enforcement channels for assistance with addressing the ransom demand," said Bart Hinkle, Valdez police chief and operations section chief for the cyber incident response, in a press release last week.

"Based on recommendations from several cyber-crimes specialists, the City engaged a specialty cyber-incident response and digital forensics firm based out of Virginia," Hinkle added. "The firm anonymously contacted the attackers on the City's behalf to investigate and possibly negotiate ransom terms."

City officials said that despite the ransomware having infected 27 servers and 170 computers, the third-party firm managed to negotiate the ransom payment down to 4 bitcoin, worth $26,623.97, at the time. The city got off cheap, as ransomware groups usually tend to request between 0.2 and 1 bitcoin per infected system.

"After consultation with the City legal team, our insurance carriers, and careful consideration of the best interests of the City, I authorized the third-party firm to negotiate and pay up to the amount of the ransom demand," said Elke Doom, Valdez city manager and the incident commander for the cyber incident response.

Doom also added that before purchasing the decryption key from the hacker group behind the ransomware infection, city officials and the third-party firm carried out tests to verify if the hacker group could, indeed, decrypt their data, or they were just bluffing.

Ever since paying the ransom over the summer, city officials say they've been slowing bringing the city's IT systems back online, one after the other.

All decrypted files were put in read-only mode, so city employees could access the data, but they were left in quarantine as IT staff "scrubbed" the files for other malware that might have been injected and left behind by the hacker group.

Valdez officials say that next year, in 2019, they plan to replace and rebuild all the IT systems that have been infected by the ransomware, just to be sure there's no residual backdoor or hidden malware that hackers may use to reinfect the city's IT network again.

The city of Valdez, despite having a population of less than 4,000, made quite a few headlines over the summer. Law enforcement said that several cities in Alaska reported ransomware infections at the end of July, leaving some experts to wonder about a possible new ransomware outbreak localized to the Alaska region.

Things didn't turn out to be so. Several of the ransomware notifications from Alaskan cities and private companies that came to light in July were actually for incidents that took place in previous months, and only the city of Valdez and Matanuska-Susitna (Mat-Su), a borough part of the Anchorage Metropolitan Area, suffered ransomware infections at the time.

In the end, it turned out that these two ransomware infections weren't even related, as the Mat-Su borough IT network was infected by the BitPaymer ransomware, while the city of Valdez reported an infection with the Hermes ransomware.

But the most curious thing is that two reports from Intezer Labs and BAE Systems have previously showed connections between the code of the Hermes ransomware and the hacking tools and malware arsenal of Lazarus Group, a hacking group tied to the North Korean regime, and believed to be behind the Sony hack of 2016, the WannaCry ransomware outbreak, and various cyber-heists at banks across the world. In fact, Lazarus Group used the Hermes ransomware as a distraction to cover up the tracks of a cyber-heist at the Far Eastern International Bank (FEIB) in Taiwan. It's unclear if Lazarus Group created the Hermes ransomware, or they just hijacked its code from its true creators.

But, truth be told, the city of Valdez wasn't likely hit by North Korean hackers, but, in this case, your boring cyber-criminal gangs. According to cyber-security firm Barkly, both the city of Valdez and the Mat-Su borough were infected with the Emotet malware, whose authors are known to sell "install space" to other criminal gangs. In this case, ransomware distributors.

Related ransomware coverage:

Editorial standards