Delaware, USA – August 19, 2019 – The Texas Department of Information Resources reported a coordinated ransomware attack on government agencies. The attack occurred on Friday, August 16, and at least 23 agencies were hit by ransomware, most of them smaller local governments. The list of victims has not yet been disclosed, but the report said that the State of Texas systems were not affected by the cyberattack. At the moment, all efforts are devoted to restoring the systems; the Texas Division of Emergency Management and the Texas Military Department are also involved in this process.
While there are few details about the incident, the Department of Information Resources stated that all attacks were the work of one threat actor. According to ZDNet, the systems were infected with Nemucod ransomware, which adds the .jse extension to encrypted files. This ransomware strain appeared about a year ago and was named for the Trojan that delivers this malware. Nemucod ransomware was not previously used in large-scale attacks and has a strange “defect”: it does not leave a ransom note after encrypting files. It is therefore not known whether this marks the rise of another “large” player to squeeze Ryuk, MegaCortex, and Sodinokibi, or whether Nemucod was used to wipe traces of malicious activity rather than for financial gain. Over 50% of ransomware attacks target the United States, and after a series of successful attacks and colossal ransom payments, the US Conference of Mayors stated that it would no longer pay attackers for decrypting files. Unfortunately, this did not reduce the intensity of the attacks, and the main players continue to improve their weapons. You can use your SIEM and the Ransomware Hunter rule pack to spot signs of a ransomware attack at every stage of the Cyber Kill Chain: https://my.socprime.com/en/integrations/ransomware-hunter-arcsight