The Boston Globe

Lowell still recovering from recent cyberattack

- By Hiawatha Bray GLOBE STAFF

The city government of Lowell is still struggling toward normalcy nearly three weeks after a cybersecurity breach forced the shutdown of computer servers and telephones in multiple city agencies.

Lowell officials have said little about the attack, which was first reported by the city on April 25. City manager Thomas Golden Jr. and chief information officer Mirán Fernandez did not respond to multiple requests for comment. Mayor Sokhary Chau is currently visiting his native country of Cambodia, according to his chief of staff, who declined to comment on the cyberattack.

The most recent public statement about the attack, on May 5, said only that phone service had been restored to a number of city offices, including the mayor’s office and the police and fire department headquarters. Emergency 911 service was never affected.

On April 27, Lowell officials posted a statement: “This continues to be an ongoing investigation with multiple state and federal agencies involved, who are helping us with forensic assessment of the cyber-related incident.”

On Thursday, a sign on the city clerk’s window said they were still unable to issue marriage certificates, business certificates, or dog licenses.

The city hasn’t provided details about the nature of the attack. But a cybercrime organization called “Play” that’s believed to be based in Russia has claimed credit for it.

The organization operates a website on the “dark web,” a part of the Internet that’s inaccessible to standard browsers and search services. The Play site, which can be accessed through a special browser, lists Lowell among the organization’s victims, which apparently include about 75 organizations around the world, ranging from BMW’s operations in France to the sheriff’s department in Palo Alto, Iowa.

Play claims to have compromised “private and personal confidential data, passports, IDs, finance, payroll, departments documents, budget and etc.” It encrypts the data stored in the victim’s computer systems, making it inaccessible until they pay a ransom to get the decryption key. It’s a double-barreled threat, because Play also makes copies of this vital data and threatens to publish the information online if the ransom is not paid.

“Play is a relatively new ransomware group,” said Allan Liska, a ransomware researcher at Somerville-based cybersecurity firm Recorded Future. “They’ve been around nine, 10 months.”

But Liska says the Play malware group is small potatoes. “They’ve been successful, but they’re certainly not the most successful group,” said Liska. “We consider them mid-tier. They’ve certainly made a few million dollars.” He said that larger and older ransomware groups have raked in far more money.

Lowell officials haven’t said whether they’ve received a ransom demand, or if any of the city’s data were compromised. But there has been a rash of significant ransomware attacks in Massachusetts in recent months.

In late December, Bristol Community College was knocked offline by ransomware. In January, similar attacks hit the public schools of Nantucket and Swansea. Northern Essex Community College was victimized in March. In April, Vantage Travel, the Boston-based international travel company, said it took a hit; so did Point32Health, the parent company for Tufts Health Plan and Harvard Pilgrim Health Care.

The attacks keep coming, even though cybersecurity companies have developed a host of tactics for fending off ransomware. These include careful segmentation of networks to limit the spread of malware, better spam filters to block infected e-mails, and constant data backups.

The real problem for most organizations is finding the right people to install and oversee these security systems. “Cybersecurity is very complex,” said Liska. “You need to have well-trained defenders inside your network.”

Finding these experts is difficult even for large corporations. Many smaller organizations such as city governments and school systems can’t pay enough to attract top talent.

“Schools can’t afford to hire cybersecurity people and also offer lunches to underserved communities,” Liska said. That’s why some major ransomware gangs have specialized in targeting schools and municipalities.

Florida and North Carolina have passed laws forbidding state government agencies from paying ransomware gangs, and the Biden administration is considering a federal ban on such payments. But in the past, the administration has shied away from the idea, fearing that this would simply cause victims to refrain from reporting ransomware attacks, and then quietly pay the ransom.

LANE TURNER/GLOBE STAFF/2018 FILE The city hasn’t provided details about the nature of the attack, which affected multiple agencies.
