The Department of Information Resources (DIR) has announced that there are 22 victims, with evidence pointing to a single person responsible for the attacks.
Steady recovery
Things seem to be on the right track, as certain entities have resumed their normal activity, DIR reports in an update. More than 25% of victims have shifted from the reaction and evaluation phase to recovery and remediation. The names of all municipalities affected by the attack remain unknown, but two of them have publicly announced the hit. The City of Borger issued a statement saying that its financial operations and services had been affected. The city cannot accept utility payments or other payments, and the vital statistics facilities (certificates of birth and death) are offline. Keene is another town impacted by this ransomware attack. This administration also cannot process card payments or utility disconnections. The threat actor, Mayor Gary Heinrich said, demanded $2.5 million for the key to decrypt the locked files.
MSP is the common denominator
Heinrich told NPR that the threat actor deployed the ransomware via the managed service provider (MSP) software used to support the administration. For entities that cannot handle their IT infrastructure themselves, MSPs are a convenient solution. This would not be unusual for smaller local governments that might lack qualified personnel for such a task. An external service provider generally uses software that enables remote access to a client's network. The MSP can thereby monitor operations, fix problems, and install system updates or applications. Heinrich says that the City of Keene uses the same external business that provides IT support to many of the other affected municipalities. MSPs have begun to be a frequent target for ransomware operators, as one successful compromise reaches multiple customers.