Ransomware Gang Demands $5M From Austrian State Carinthia
Affected Services Include Passport Issuing and Traffic Violation Ticketing
After claiming several high-profile victims, the BlackCat ransomware group, aka ALPHV, which is said to be a rebrand of BlackMatter or DarkSide, has now targeted the Austrian federal state of Carinthia. The attack has "severely affected" government services in the state including passport issuance and traffic violation ticketing systems, says Gerd Kurath, the head of Carinthia's press service, in a press conference.
In an initial briefing given on May 24, immediately after the attack was detected, Kurath described the issue as an "IT system failure" caused by a "hacker attack" that paralyzed the entire state administration. As a precaution, the state shut down nearly 3,700 administrative systems, Kurath says, which also took down its email service and some phone lines of the state and administrative departments, including Carinthia's district authorities, the state administrative court and the court of auditors.
COVID-19 contact-tracing services in Austria were not spared. Kurath says, "Currently, no suspected case tests can be carried out," and that those who suspect they have symptoms should self-prescribe and get a PCR test done from a pharmacy.
The government of Carinthia also informed its data protection officer, who in turn notified the Austrian data protection authority, a legal requirement under the GDPR that must be met within 72 hours of becoming aware of a personal data breach, Kurath says.
In an update given the next day, Kurath gave further details of the attack and attributed it to the BlackCat ransomware group, which he confirmed had demanded a ransom of $5 million in bitcoin.
"The in-house IT experts worked overnight with the support of an [unnamed] external company and gained important insights: The international hacker group BlackCat is behind the attack. Five million dollars in bitcoins has been asked for the decryption software [key]," Kurath says. But, he adds, "It will not be paid. Further procedures are now being coordinated with the State Office for the Protection of the Constitution and the police."
Kurath also gave details about initial access and how many systems were infected in total.
According to an initial analysis, the entry point was a computer that was compromised on May 14. The exploit used to gain access has not been disclosed, but Kurath says with high confidence: "The malware was introduced into the Administration's IT system; from there, currently around 100 of the 3,700 systems are infected."
"Uninfected individual systems have been put into operation in a secure area," says Kurath, pointing out that the systems are only reactivated when the IT and other cyber experts are absolutely sure that the malware has been eliminated. "The systems are being ramped up step by step. It is not yet possible to estimate how long this will take," he says.
After careful examination of the servers using "special software," Kurath says, "Currently, no evidence of data being actually siphoned off from the system has been found." He also says that the firewalls which the state administration's IT department had in place for such a scenario were "important and correct." Kurath added that, "According to the current state of knowledge, the security measures [firewall] used worked so well that major damage could be avoided. For example, all backup data has remained intact."
Kurath says that the recovery process for Carinthia is distributed in three phases that are currently running in parallel since the entire administration is working in an "emergency mode." First, efforts are being made to solve the problem and to repair the IT system. Concurrently, the police are investigating the ransom demand and the group of perpetrators. And at the same time, work is also being done on further expanding the existing protection of the IT system for the future, Kurath says.
A priority order is being used to restore other administrative services of the state, Kurath says. "In particular, services that directly affect citizens are being given a high priority and being tried to be reinstated as soon as possible, which mainly includes services of the district authorities and passport issuance."
In the latest update issued today, Kurath says that the IT department of Carinthia along with the cybersecurity company assisting it in restoration worked over the weekend and that the majority of email accounts that were inoperable since the beginning of the ransomware attack on May 24 have been reinstated.
"Most of the email accounts in the Carinthian provincial administration are working and the restoration has been going on a little faster than planned," Kurath says. This should enable the district authorities to issue passports again as soon as possible, but he says the exact time will be announced by the state of Carinthia and the authorities soon.
Kurath reiterated today that no data has been lost, "although a small amount of data was encrypted; this data could be restored via the administration's backup system," he says.
The state website ktn[.]gv[.]at is also offline for security reasons. "We want to get the site back online as quickly as possible, but we prioritize the security aspect," he says. Employees in the state service can access the intranet again, where a separate information page on all measures relating to the ransomware attack can also be found.
BlackCat's Other Victims
On May 26, around the same time as BlackCat's activity in Austria was being reported, across the Atlantic in the Saskatchewan province of Canada, the Regina Public Schools reported a cyberattack on its systems that took place on May 22, which is now being attributed to BlackCat.
Tweet from Regina Public Schools (@RegPublicSchool), May 26, 2022: "Message from Regina Public Schools on Thursday, May 26, 2022." pic.twitter.com/SkWLA14Vxo
The school district took immediate action and pulled down all affected systems to mitigate any impact on its data and operations. At the time, the school authorities did not name the type of cyberattack, but CBC News reports that it is the work of the BlackCat ransomware operators.
CBC, citing a copy of the ransom note it reviewed, states that "an organization called BlackCat/ALPHV alleges that 500 gigabytes of files belonging to Regina Public Schools have been encrypted and that the group now possesses copies of data ranging from tax reports and health information to passports and social insurance numbers."
Educational institutions should be aware that the BlackCat group is targeting this sector. The group has previously claimed to have hit at least three universities, including two based in the U.S. - the Florida International University and the North Carolina Agricultural and Technical State University (see: Update: What's BlackCat Ransomware Been Up to Recently?).
The Florida International University at the time told ISMG that its preliminary investigation showed no risk to any financial information, Social Security numbers, or information on student performance. Its education process also was not affected.
An NCAT State University spokesperson told ISMG that its IT services department had shut down various systems to contain the incident immediately after it was notified. An exhaustive review showed that no current faculty, staff or student data was affected.
After the group claimed at least 60 victims in a short period of time, the FBI released a flash alert in April asking organizations to be wary of BlackCat crossing their paths (see: FBI Alert: Have You Been Bitten by BlackCat Ransomware?).