Authorities in Pensacola, Florida, confirmed Tuesday that a cyberattack against the city government last weekend was the result of ransomware.
Pensacola officials were slow to identify the incident, which began early Saturday morning, as ransomware, though many of the symptoms were consistent with other ransomware attacks against local governments. The city’s phones, email servers, 311 line and online bill payment systems had been rendered nonfunctional, though emergency services were operational.
Jeff Bergosh, a member of surrounding Escambia County’s board of commissioners, wrote on his personal blog that the Florida Department of Law Enforcement is helping Pensacola respond to the attack, along with several federal agencies, including the FBI and Department of Homeland Security. Bergosh also wrote that Escambia County’s IT staff has cut off connections between Pensacola’s municipal network and the county’s.
Kaycee Lagarde, a spokeswoman for Pensacola Mayor Grover Robinson, told StateScoop that email servers have been restored, though access is limited with most computers still disconnected from the city’s network. Most landline phones are functioning again, though other systems are still being assessed, she said.
“We don’t have an estimated time of completion, but [our IT department is] doing that as quickly as possible,” Lagarde said.
Pensacola had been on edge after a mass shooting Friday at a U.S. Navy air station in the city that left three people dead and eight wounded, fueling speculation about whether the cyberattack was connected, though the FBI on Monday said there was no link between the two incidents.
While Pensacola authorities have identified Saturday’s cyberattack as ransomware, they have been tight-lipped on other details. But according to the Pensacola News Journal, the Florida Department of Law Enforcement has found that the attack is similar to one carried out last month against Allied Universal, a facilities services firm with locations around the world, including Pensacola. That would seem to finger a virus known as Maze, which was first identified in May by the cybersecurity research firm Malwarebytes.
Maze is often delivered via spearphishing emails posing as government agencies like tax collectors or postal services, and has been seen in the United States, Italy and Germany.
In the case of Allied Universal, hackers using the Maze virus were able to steal some of the data they encrypted, including files containing email addresses, said Brett Callow of the cybersecurity company Emsisoft, which specializes in ransomware defenses. There is no evidence that the attacks on Allied Universal and Pensacola are linked, but Callow said more communication between IT organizations could prevent additional attacks.
“What it does demonstrate is better reporting and information sharing are needed,” Callow told StateScoop. “A security incident at one organization could put other organizations at risk.”
UPDATE: The hackers behind the Maze ransomware have claimed responsibility for the Pensacola attack. According to an article published Tuesday by Bleeping Computer, they are demanding $1 million in exchange for a decryption tool and not exposing the city’s compromised data.