Wichita ransomware attack shuts down multiple services. What comes next?

Many of Wichita’s services are down while the city recovers from a cyberattack. The city hasn’t provided details, but experts identify some likely reasons the attack succeeded.

by Trace Salzbrenner

Wichita finds itself tossed back in time for a couple of weeks by a cyberattack on City Hall that’s upended basic ways of doing business online.

So now residents need to head to Walmart or Dillons to pay their water bills.

Parents who want to enroll their kids in swimming lessons must go to a recreation center to sign them up in person.

And because the hack disabled fare boxes — and because efforts to get people to pay with cash were short-lived — riders temporarily don’t need to pay anything to board a city bus.

A ransomware attack on May 3 and 4 throttled many services that the city government in Wichita provides online. Hackers copied files from the city’s network, and the city shut down many online services, buying time to minimize the damage and make City Hall tougher to hack in the future.

City Hall remains tight-lipped about the attack, directing all questions to the alert page on its website.

John Godfrey, chief information security officer for Kansas, could not comment directly on Wichita. But he said no “one-size-fits-all” approach works for getting a city’s systems up and running again. 

“It depends on specifics,” Godfrey said. “It depends on how many systems were impacted, if you have cyber liability insurance, how long assessment and eradication needs to occur.”

But Godfrey and other experts assert that a general recovery process exists after a cyberattack. Using that, one can infer what the city is doing to recover from the attack.

In the meantime, Wichita will temporarily claw its way back from the attack by leaning on paper records and performing more administrative chores by hand.

What kind of cyberattack happened to Wichita?

Hackers copied multiple records and threatened to release the data if the city doesn’t pay a ransom. The attack compromised payment information, police and traffic records, Social Security cards and state identification cards like driver’s licenses. 

The city has not confirmed the hackers’ identity, but Russian hacking group LockBit reportedly took credit for the attack and posted a deadline for the ransom on its website. After the deadline, the website stated that the group had sold the data. 

“I liken it to the old saying, right, ‘We don’t negotiate with terrorists,’” Godfrey said. “Ransomware is interesting because it’s successful only because people pay the ransom.”

Multiple state and federal agencies recommend not paying the ransom because the data will often be released, sold or left encrypted after the ransom is paid. 

How did Wichita become compromised? 

The city said in a press release that the attack came through a known vulnerability that it had been working to address. 

“Our technical teams have been working around the clock,” the city says on its website. “We are coordinating with law enforcement to investigate this matter further.” 

No more information was given on the vulnerability or the type of attack.

“More than 90% of successful cyberattacks start with a phishing email,” said Geoff Jenista, regional chief for the federal Cybersecurity and Infrastructure Security Agency. “A cybercriminal can send an email to 1,000 employees of a large organization, and all it takes is for one person to open the email and click a link.” 

A click like that releases malicious code onto the target’s network. 

Why did the city have to shut down its online services?

Godfrey said that after a breach, online services often need to be shut down to stop malware from spreading and to let security experts identify the type of software bug.

Before bringing systems back online, he said, a target needs to check that its systems are malware-free, to strengthen system security and possibly to decrypt compromised data or recover it through backups. 

Late last year, Kansas courts reverted to paper filings after a cyberattack targeted the state’s judicial system.

Jenista said that sometimes multiple types of malware can be deployed, making the process longer.

“If you’ve seen one cyber incident, you’ve seen one cyber incident,” Jenista said. “Each attack is unique and may require a unique response.”

What comes next for Wichita after the cyberattack?

Wichita is currently in the assessment and recovery phase, which happens directly after an attack, according to Jenista, and can drag on. 

After a cyberattack targeted the Kansas judicial system, courts had to go without their online filing system for over two months, according to its annual report. Courts reverted to paper filings and had to create temporary teams to sift through documents by hand to continue services such as driver’s license reinstatements. 

Godfrey said that after most attacks, a reassessment happens. Attack targets look at how to improve their existing security. 

He said cities should consider adopting a “zero-trust policy.” 

“It’s the idea that bad things will occur,” Godfrey said, “and everyone’s access needs to be reviewed or adjudicated at the time of request.” 

Previously, most places would have a blanket assumption that all devices on an internal network were trustworthy. A zero-trust policy changes that, using software to double-check every device. 

“Cyberattacks targeting municipalities, businesses, organizations and individuals,” Jenista said, “are rampant.” 

Godfrey agrees. He suggests that every business and local government should invest more in cyberattack response, not just prevention. 

“It feels like every time you look left to right, there’s a new incident,” he said. “The frequency is not slowing down. I don’t imagine that it’s going to slow down for a while.”

Blaise Mesa contributed to this story.

This article was republished here with the permission of: The Beacon