Update 3/6/2018: This just keeps getting worse. Approximately 20% of the CDOT systems were back up and running when more malicious activity was detected. The SamSam ransomware variant that originally took down the DOT's systems had morphed and begun reinfecting systems. Brandi Simmons, a representative for the state's Office of Information Technology, stated:
“The tools we have in place didn’t work. It’s ahead of our tools.”
The issue is that the tools they are using implement blacklist technology. A blacklist only blocks files that are already known to be bad. Once an attacker morphs a known bad file (repacks it, re-encodes it, or otherwise changes its bytes), it becomes unknown, or unclassified, and the blacklist lets the malicious file execute.
Perhaps it is time CDOT adopted a security solution that uses a default-deny approach, which only permits known, trusted files to execute. No matter how many times SamSam, or any other malicious variant, morphs, it will still be blocked from infecting systems. The trade-off is that every legitimate application and update must be approved before it will run, so the allowlist has to be maintained.
Ransomware Corrupts Colorado Department of Transportation Systems
The Colorado Department of Transportation has been offline since Wednesday following a ransomware attack. The ransomware that infected the system was a variant of SamSam. The Colorado DOT was running McAfee at the time of the attack. Officials stated they reported the infection to the security solution vendor, which issued a patch to prevent further execution. But why didn't it stop it to begin with? McAfee uses blacklist technology as its primary method of malware detection, meaning that unless a file is already known to be bad, it will execute. Unfortunately, new malware variants appear constantly, faster than signatures can be written for them. Simply put, the blacklist cannot keep up.
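The update above and this section both make the same point: a blacklist blocks only files whose hashes (or signatures) are already known, so a morphed copy of the same malware slips through, while a default-deny allowlist blocks anything it has not explicitly approved. The following is an added example, not code from the original post or from any vendor product mentioned here, that simulates both policies over constructed sample files. The hash-based policies, the "morph" routine (an XOR re-encoding with a varying decoder stub, standing in for a real polymorphic packer) and the sample bytes are all assumptions made for illustration.

```python
import hashlib

# Constructed sample "files" (not real binaries): one trusted program and one
# piece of ransomware. Only their bytes matter for this simulation.
TRUSTED_FILE = b"MZ\x90\x00 trusted-updater v1.0 (constructed sample)"
MALWARE_FILE = b"MZ\x90\x00 encrypt-all-files-and-demand-ransom (constructed sample)"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Blocklist:
    """Default-allow: a file runs unless its hash is on the known-bad list."""

    def __init__(self, known_bad_hashes):
        self.known_bad = set(known_bad_hashes)

    def allows(self, data: bytes) -> bool:
        return sha256(data) not in self.known_bad

    def add_signature(self, data: bytes) -> None:
        # What a vendor "patch" amounts to for a hash blacklist: one more
        # known-bad hash. It only covers the exact bytes that were seen.
        self.known_bad.add(sha256(data))


class Allowlist:
    """Default-deny: a file runs only if its hash is on the known-good list."""

    def __init__(self, known_good_hashes):
        self.known_good = set(known_good_hashes)

    def allows(self, data: bytes) -> bool:
        return sha256(data) in self.known_good


def morph(data: bytes, seed: int) -> bytes:
    """Simulate a polymorphic variant: same behaviour, different bytes.

    A hypothetical decoder stub carrying the key is prepended and the body is
    XOR-encoded with that key. A different seed yields different bytes, and
    therefore a different hash, even though the decoded payload is identical.
    """
    key = (seed * 37 + 11) & 0xFF
    stub = b"DECODE:" + bytes([key])
    return stub + bytes(b ^ key for b in data)


def simulate() -> dict:
    """Run the original and morphed malware through both policies.

    Returns a dict of booleans: True means the policy let the file execute.
    """
    blocklist = Blocklist([sha256(MALWARE_FILE)])        # vendor knows variant 0
    allowlist = Allowlist([sha256(TRUSTED_FILE)])        # only the updater is approved

    variant1 = morph(MALWARE_FILE, 1)
    variant2 = morph(MALWARE_FILE, 2)

    results = {
        "blocklist_runs_original": blocklist.allows(MALWARE_FILE),
        "blocklist_runs_variant1": blocklist.allows(variant1),   # bypass
        "allowlist_runs_trusted": allowlist.allows(TRUSTED_FILE),
        "allowlist_runs_original": allowlist.allows(MALWARE_FILE),
        "allowlist_runs_variant1": allowlist.allows(variant1),
    }

    # The vendor ships a signature for variant 1; the next morph bypasses again.
    blocklist.add_signature(variant1)
    results["blocklist_runs_variant1_after_patch"] = blocklist.allows(variant1)
    results["blocklist_runs_variant2_after_patch"] = blocklist.allows(variant2)   # bypass
    results["allowlist_runs_variant2"] = allowlist.allows(variant2)
    return results


if __name__ == "__main__":
    for name, allowed in simulate().items():
        print(f"{name:40s} {'EXECUTES' if allowed else 'blocked'}")
```

The blocklist blocks the exact bytes it was told about and nothing else, so each morph restarts the cycle of infection, sample submission and signature update. The allowlist never sees the malware's hash as approved, so every variant is denied without any update. The same property cuts the other way in production: a legitimate update to the trusted program also changes its hash and must be approved before it will run, which is the operational cost of default-deny.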
According to The Denver Post, DOT officials stated they do not plan to pay the ransom demands. At this time, they are hopeful they can restore the systems using their backup files.
Other Ransomware Attacks
For a list of ransomware attacks that have already taken place in 2018, click here. We have also created a ransomware map (see below) of the ransomware attacks that have taken place in the U.S.