BitPaymer Malware made Mat-Su Alaska Gov’t to Reuse Typewriters

Electromagnetic pulse (EMP) attacks can render our advanced technology to recede as back to pre-industrial revolution stage. In other words, we in the corporate world will be forced back to using typewriters, as our computers are damaged beyond repairs. Dusting-off the old typewriters to replace broken computers happened recently in Matanuska-Susitna’s local government. A borough measuring 63KM in the state of Alaska, the restoration of typewriters in its government offices was not due to an EMP attack, but because of BitPaymer ransomware.

Known in the antivirus community as HPmal/Ransom-Y and Troj/Agent-AXEG, BitPaymer is a ransomware that exploits the NTFS alternate data stream storage feature to bypass detection. Once it infects a computer, it systematically encrypts both user files and 3rd party application programs using an RSA-1024 public key. All the encrypted files are renamed to .locked files, as it also involves encrypting the “Program Files” folder; the malware also corrupts Windows applications, rendering the computer useless.

Government employees of the Mat-Su borough were forced to reuse the old typewriters for producing documents in order to continue operations. They also issued handwritten receipts for government services rendered while waiting for the 500 desktop workstations to get reimaged and 120 servers to be operational again. Mat-Su’s government offices maintain 150 servers overall; the ransomware rendered 80% of their servers non-operational from July 21 to 22, 2018.

“Last Tues, July 24, the Borough first disconnected servers from each other, then disconnected the Borough itself from the Internet, phones, and email, as it recognized it was under cyber attack,” said Patty Sullivan, Mat-Su’s Public Affairs Director. While investigating the BitPaymer ransomware attack, the IT team discovered that the infection started May 3, but it took until late July for it to become obvious to Mat-Su’s employees.

“Without computers and files, Borough employees acted resourcefully. They re-enlisted typewriters from closets, and wrote by hand receipts and lists of library book patrons and landfill fees at some of the 73 different buildings,” added Sullivan as she describes the overall situation in the Mat-Su offices during the BitPaymer ransomware attack.

As a remote borough in a remote Alaska state, Matanuska-Susitna is not a place that can be considered as an attractive target to be deliberately attacked by cybercriminals. But it does not mean that it is immune from any virus infections. Erick Wyatt, Mat-Su’s IT Director explained: “(This is) a multi-pronged, multi-vectored attack. not a single virus but multiple aspects of viruses together including trojan horse, Cryptolocker, time bomb, and dead man’s switch. This is a very insidious, very well-organized attack, it’s not a kid in his mom’s basement.”

The Mat-Su borough officials and employees were made aware of the actions being taken in order to fix the server and workstation downtime. The borough is also lucky, as the official website of Mat-Su is hosted externally, hence it was spared from the ransomware infection. IT Director Sullivan has also assured the people of Mat-Su that everything will be evaluated to determine the scope of the issue and create policies that shall better protect Mat-Su’s government from any possible future cyber attacks. “Since then, infrastructure is steadily being rebuilt, computers cleaned and returned, and email, phones, and Internet connection becoming restored,” concluded Sullivan.