Full Report
GLOVERSVILLE, N.Y. (NEWS10) – On Saturday, the city of Gloversville announced it was hit by a ransomware attack. According to officials, a digital ransom note was discovered by the city's finance commissioner on March 14. During the negotiation process, legal and security teams recommended that the city pay the ransom. The original demand was $300,000, but the city council approved a $150,000 payment to the threat actor group, and all the stolen data was recovered and decrypted.
Analysis Summary
# Incident Report: Gloversville Ransomware Attack
## Executive Summary
The City of Gloversville, NY, suffered a ransomware attack resulting in the compromise of sensitive employee data. The incident was detected via a digital ransom note, leading to engagement with law enforcement and third-party security experts. After negotiation, the city paid a reduced ransom of $150,000 (down from $300,000) to recover all encrypted data and mitigate disclosure risk.
## Incident Details
- **Discovery Date:** March 14 (Date the ransom note was discovered)
- **Incident Date:** Unknown (Ransomware deployed prior to March 14)
- **Affected Organization:** City of Gloversville
- **Sector:** Government/Municipal
- **Geography:** Gloversville, NY, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to March 14, 20XX
- **Vector:** Not explicitly detailed in the provided text.
- **Details:** Attackers gained access and deployed ransomware, leaving a digital ransom note.
### Lateral Movement
- **Details:** Attackers likely moved through the network to compromise payroll records and employee data, as these were listed as compromised data types. (Specific techniques not detailed.)
### Data Exfiltration/Impact
- **Details:** Personal information of all city employees, including payroll records, direct deposit information, and account numbers of past and present employees, was compromised.
### Detection & Response
- **Detection:** March 14, discovered by the city’s finance commissioner upon finding the digital ransom note.
- **Response Actions:**
1. Incident reported immediately to the FBI, New York State Police, and Homeland Security cyber experts.
2. On March 18, the city retained a specialized cybersecurity and legal firm.
3. Negotiation with the Threat Actor Group commenced.
4. Security and legal teams recommended payment.
5. City Council approved paying $150,000.
6. Data encryption was reversed, and all stolen data was recovered.
7. Over 3,000 affected employees were notified and offered one year of credit monitoring and identity theft protection.
## Attack Methodology
*The provided text does not detail specific TTPs, only the outcome.*
- **Initial Access:** Unknown (Inferred: Likely exploitation of a known vulnerability, phishing, or compromised credentials).
- **Persistence:** Unknown
- **Privilege Escalation:** Unknown
- **Defense Evasion:** Unknown
- **Credential Access:** Unknown (Implied, necessary to access payroll and employee data).
- **Discovery:** Unknown
- **Lateral Movement:** Unknown (Implied, needed to access sensitive employee/payroll systems).
- **Collection:** Data related to employee PII, payroll, and bank accounts was collected.
- **Exfiltration:** Implied: the report states that stolen data was recovered, which is consistent with a double-extortion operation (encryption plus data theft).
- **Impact:** Data encryption and potential data exfiltration/exposure resulting in a ransom demand.
## Impact Assessment
- **Financial:** $150,000 paid in ransom; cost of cybersecurity/legal retainer and monitoring services incurred (not quantified).
- **Data Breach:** Compromised personal information of all city employees, including payroll records, direct deposit information, and account numbers (affecting over 3,000 employees).
- **Operational:** Encryption/disruption of systems, requiring external remediation efforts and negotiations.
- **Reputational:** Public disclosure of the breach, mandatory notification of affected employees, and provision of identity theft monitoring services.
## Indicators of Compromise
*(No specific technical IOCs such as hashes, domains, or IP addresses were mentioned in the supplied context.)*
- **Network indicators:** N/A
- **File indicators:** Digital ransom note found on systems.
- **Behavioral indicators:** Unauthorized encryption of files on city systems.
## Response Actions
- **Containment measures:** Unknown (Implied immediate isolation upon discovery to stop encryption spread, then engagement with experts).
- **Eradication steps:** Unknown (Implied removal of threat actor presence following data recovery).
- **Recovery actions:** Paid the $150,000 ransom and successfully recovered and decrypted all stolen data. Notified all 3,000+ affected employees and provided credit monitoring.
## Lessons Learned
- The decision to pay the ransom was made based on recommendations from legal and security advisors, likely to ensure data recovery and minimize regulatory/reputational damage from PII exposure.
- Incident response involving multi-agency cooperation (FBI, NY State Police, Homeland Security) was initiated swiftly.
- The threat actor group may be trackable, leaving open the possibility of future recovery of funds or attribution (suspects thought to be from Eastern Europe).
## Recommendations
- Implement endpoint detection and response (EDR) tooling so that encryption activity is detected as it begins, rather than only when a user finds the ransom note.
- Review and enhance access controls, particularly around sensitive data systems like payroll and HR databases, to limit the scope of potential lateral movement.
- Ensure robust, offline, and immutable backups are maintained to reduce reliance on paying ransom for data recovery.
- Conduct comprehensive forensic analysis (even after paying) to fully identify the initial access vector and close the security gaps it exposed.
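The first recommendation above, and the behavioral indicator listed under Indicators of Compromise, rest on the same idea: encryption activity has a recognizable shape in endpoint file telemetry well before anyone reads a note. The following is an added example, not code from the report or from any product the city used. It scores per-process file events in fixed one-minute windows for the classic signals (mass renames to an extension the host has never seen, writes whose content has ciphertext-like entropy, creation of a ransom-note-like file) and shows why a single signal is not enough: a backup agent writing many compressed archives produces high-entropy writes too, so that alone stays below the alert threshold. The event schema, the baseline extension list, the note-name hints, the thresholds and the sample telemetry are all constructed assumptions.

```python
"""Heuristic ransomware-activity detector over constructed endpoint file events.

Added example, not from the Gloversville report or any real EDR product.
Thresholds, the extension baseline and the sample telemetry are assumptions.
"""
import math
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float              # seconds since epoch (constructed)
    pid: int
    process: str
    action: str            # "write", "rename" or "create"
    path: str
    new_path: str = ""     # destination for renames
    data: bytes = b""      # leading bytes of the written content, if any


# Extensions normally seen on these hosts (assumed baseline, would be learned per fleet)
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv", ".zip", ".bak", ".log"}
# Name fragments typical of ransom notes (assumed; a real EDR ships a curated list)
NOTE_HINTS = ("how_to_recover", "readme_for_decrypt", "restore_files", "decrypt_instructions")

WINDOW_SECONDS = 60.0
ENTROPY_THRESHOLD = 7.0    # bits per byte; encrypted or compressed data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def looks_like_ransom_note(path: str) -> bool:
    name = os.path.basename(path).lower()
    return any(hint in name for hint in NOTE_HINTS)


def score_process(events: list) -> tuple:
    """Score one process's events within a single window; returns (score, reasons)."""
    touched = set()
    unknown_ext_renames = writes = high_entropy_writes = 0
    note_dropped = False
    for ev in events:
        touched.add(ev.path)
        if ev.action == "rename" and extension(ev.new_path) not in KNOWN_EXTENSIONS:
            unknown_ext_renames += 1
        elif ev.action == "write":
            writes += 1
            if shannon_entropy(ev.data) >= ENTROPY_THRESHOLD:
                high_entropy_writes += 1
        elif ev.action == "create" and looks_like_ransom_note(ev.path):
            note_dropped = True
    score, reasons = 0, []
    # Strong signals: renames into an unseen extension and a dropped note each alert on their own
    if unknown_ext_renames >= 10:
        score += 3
        reasons.append(f"{unknown_ext_renames} renames to an extension outside the baseline")
    if note_dropped:
        score += 3
        reasons.append("ransom-note-like file created")
    # Weak signals: high-entropy output and volume are also produced by backup and archive tools
    if writes >= 10 and high_entropy_writes / writes >= 0.8:
        score += 1
        reasons.append(f"{high_entropy_writes}/{writes} writes look encrypted or compressed")
    if len(touched) >= 50:
        score += 1
        reasons.append(f"{len(touched)} distinct files touched within {WINDOW_SECONDS:.0f}s")
    return score, reasons


def detect(events: list, alert_at: int = 3) -> list:
    """Bucket events by (pid, process, fixed window) and return alerts scoring >= alert_at."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev.pid, ev.process, int(ev.ts // WINDOW_SECONDS))].append(ev)
    alerts = []
    for (pid, proc, bucket), evs in sorted(buckets.items()):
        score, reasons = score_process(evs)
        if score >= alert_at:
            alerts.append({"pid": pid, "process": proc, "window": bucket, "score": score, "reasons": reasons})
    return alerts


def constructed_events() -> list:
    """Constructed telemetry: one encryptor-like process, one office app, one noisy backup agent."""
    ciphertext_like = bytes(range(256)) * 4                      # entropy 8.0, stands in for encrypted output
    plaintext = b"Quarterly payroll summary, see attached table. " * 20
    t = 1_700_000_040.0                                          # window-aligned start (multiple of 60)
    events = []
    # Suspicious: unknown binary overwrites 30 spreadsheets, renames them, then drops a note
    for i in range(30):
        src = f"C:/Finance/payroll_{i:02d}.xlsx"
        events.append(FileEvent(t + i, 4242, "unknown_updater.exe", "write", src, data=ciphertext_like))
        events.append(FileEvent(t + i + 0.5, 4242, "unknown_updater.exe", "rename", src, new_path=src + ".lkd"))
    events.append(FileEvent(t + 31, 4242, "unknown_updater.exe", "create", "C:/Finance/HOW_TO_RECOVER_FILES.txt"))
    # Benign: word processor saving a few low-entropy documents
    for i in range(3):
        events.append(FileEvent(t + i, 1337, "winword.exe", "write", f"C:/Users/clerk/memo_{i}.docx", data=plaintext))
    # Benign but noisy: backup agent writing 40 compressed archives (high entropy, known extension)
    for i in range(40):
        events.append(FileEvent(t + i, 2020, "backupagent.exe", "write", f"D:/Backups/set_{i:02d}.zip", data=ciphertext_like))
    return events


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(f"ALERT pid={alert['pid']} {alert['process']} score={alert['score']}")
        for reason in alert["reasons"]:
            print("  -", reason)
```

Run stand-alone, the block raises exactly one alert, for the process that renamed files into an unseen extension and dropped a note; the backup agent's 40 high-entropy archive writes score only 1 and stay silent. In a real deployment the extension baseline and note-name list would be learned or curated per fleet, and an alert would feed an automated containment step (host isolation) so that the payroll and HR systems named in this report are cut off before the encryptor reaches them.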