Ransomware Attack Cripples Matanuska-Susitna Borough IT Systems in Alaska
In late July 2018, the Matanuska-Susitna Borough in Alaska suffered a major ransomware attack by BitPaymer, which effectively brought the municipal IT infrastructure to a standstill. As a result, employees had to temporarily abandon email and phones, resorting instead to typewriters and handwritten records.
How the Attack Unfolded
Eric Wyatt, the borough’s IT director, detailed that the first signs of the attack appeared in mid-July 2018, when McAfee antivirus began detecting a trojan on Windows 7 machines after an update. However, it was later discovered that the malware had infiltrated the borough’s network as early as May of that year.
The antivirus was unable to remove all components of the infection, so IT staff wrote a custom script to clean up what McAfee missed. They planned to run this script on July 23 and also force a password reset for all user and administrative accounts. Wyatt believes that running the script may have triggered the ransomware component, either due to an automatic “kill switch” in the malware’s code or because the attackers were monitoring the situation and remotely activated the ransomware.
Impact and Response
The ransomware ultimately infected 500 workstations (running Windows 7 and 10) and 120 out of 150 servers in the Matanuska-Susitna Borough. In response, IT staff decided not to wait for the situation to worsen and proactively took the entire network and systems offline—including telephony, mail servers, and employee computers—while notifying the FBI.
Staff had to wipe and reinstall all software on 650 workstations and servers, essentially rebuilding the borough’s entire IT infrastructure from scratch. The recovery effort was supported by 20 different public and private organizations. During this period, employees had to “go back in time” by using typewriters, calculators, library books for reference, and writing many documents by hand.
Recovery Progress
As of the week this was reported, the recovery process was still ongoing, but at least 110 employees had regained access to computers, and phone service along with some internal services had been restored.
Wyatt is convinced that the borough was targeted by a well-organized and sophisticated attack, stating, “This wasn’t some kid living in his mom’s basement.”
Data Loss and Investigation
The attack did not affect the official Matanuska-Susitna website, nor were user data or payment card information stored with third-party providers compromised. Some data was recovered from backups, though some backups were from the previous year, and certain information—such as emails—was lost.
A recently published report (PDF) confirmed that the malware responsible was BitPaymer ransomware. The report also revealed that the attackers had infected the network with the Emotet banking trojan and gained access via Active Directory, raising concerns that some data may have been compromised and stolen during the attack.
Wider Impact and Ransom Refusal
BitPaymer had previously attacked hospitals in Scotland in 2017, making international headlines. In early 2018, ESET analysts theorized that BitPaymer may have been created by the same hackers behind the Necurs botnet and Dridex banking trojan.
Other cities in Alaska, including Valdez, as well as cities in other U.S. states, also suffered similar attacks. The Valdez authorities published an official statement about a “virus” at the end of July, but did not specifically mention BitPaymer or any other ransomware. According to Wyatt and investigators, the borough was victim number 210, suggesting that there are at least 209 other unreported cases.
Official statements indicate that Matanuska-Susitna’s leadership decided not to pay the ransom. Wyatt stated that the encrypted data would be stored for years if necessary, but he hopes that the FBI and other experts involved in the investigation will eventually be able to provide decryption keys and restore the information.