Full Report
In an update on Wednesday afternoon, the New Jersey city of more than 60,000 said it was making progress in its recovery and asked for “continued patience” while it restores all of its systems.
Analysis Summary
# Incident Report: Hoboken City Ransomware Attack
## Executive Summary
The City of Hoboken, New Jersey, suffered a significant ransomware attack, confirmed just before the Thanksgiving holiday, leading to the disruption of several city services. The ThreeAM ransomware group claimed responsibility, potentially linked to the Conti lineage. Response efforts involved federal agencies and IT specialists to restore systems, though service restoration remains staggered, impacting payment methods and departmental contact availability.
## Incident Details
- **Discovery Date:** Confirmed one day before the Thanksgiving holiday (the discovery date is implied to fall around that period).
- **Incident Date:** Undisclosed, but confirmed just before the Thanksgiving holiday (late November).
- **Affected Organization:** City of Hoboken, New Jersey.
- **Sector:** Local Government.
- **Geography:** New Jersey, USA.
## Timeline of Events
### Initial Access
- **Date/Time:** Before the Thanksgiving holiday (exact date undisclosed).
- **Vector:** Not explicitly stated; the report only notes that the attack is characteristic of ransomware campaigns that exploit operational weaknesses.
- **Details:** The attack was timed for a period when IT staff are typically on holiday leave.
### Lateral Movement
- **Details:** Not specified in detail, but implied by the scope of disruption across city systems.
### Data Exfiltration/Impact
- **Details:** City services were impacted, requiring cash/check payments in some areas, and affecting contact methods for departments like Vital Statistics. The ThreeAM gang posted the city on its leak site, but the type/volume of stolen data is unknown.
### Detection & Response
- **Details:** The incident was confirmed on the Sunday before Thanksgiving. The city immediately engaged the Hoboken Police Department, federal law enforcement agencies, and IT specialists for investigation and recovery.
## Attack Methodology
- **Initial Access:** Undisclosed.
- **Persistence:** Undisclosed.
- **Privilege Escalation:** Undisclosed.
- **Defense Evasion:** Undisclosed.
- **Credential Access:** Undisclosed.
- **Discovery:** Undisclosed.
- **Lateral Movement:** Undisclosed.
- **Collection:** Undisclosed; ThreeAM claimed data was taken.
- **Exfiltration:** Undisclosed.
- **Impact:** Disruption of municipal services, including payment processing and departmental communications; data potentially stolen.
- **Attribution/Tools:** Attributed to the ThreeAM ransomware gang, which experts suggest may be tied to the Conti family. The ransomware is reportedly written in the Rust programming language.
## Impact Assessment
- **Financial:** Unknown (No ransom details or recovery costs disclosed).
- **Data Breach:** Type/volume unknown; data potentially accessible by ThreeAM.
- **Operational:** Significant disruption; the Parking Utility has resumed credit card payments and most staff are reachable via email, but some departments (e.g., Vital Statistics) are reachable by phone only, leading to delayed response times.
- **Reputational:** City requested "continued patience" from its residents following the public disclosure.
## Indicators of Compromise
- **Network indicators:** No defanged indicators provided.
- **File indicators:** ThreeAM ransomware executable (reportedly written in Rust); no hashes provided.
- **Behavioral indicators:** Deployment of ransomware resulting in system unavailability coinciding with holiday periods.
## Response Actions
- **Containment:** In progress; ongoing investigation led by municipal, federal, and external IT specialists.
- **Eradication:** Ongoing system restoration efforts.
- **Recovery:** Resumption of specific services (e.g., Parking Utility credit card payments); most staff accessible via email; operations remain delayed.
## Lessons Learned
- Attackers targeted the municipality immediately preceding a major holiday (Thanksgiving).
- The ransomware variant (ThreeAM) shows potential ties to established, high-profile criminal groups (Conti/Royal lineage).
- Cross-pollination exists in the cybercriminal ecosystem (ThreeAM has been observed deployed after LockBit attempts failed).
## Recommendations
- Enhance monitoring and staffing levels, particularly around major holidays, to maintain cybersecurity vigilance.
- Review and test backup and recovery procedures, including against Rust-based ransomware variants such as ThreeAM, if it is confirmed as a persistent threat.
- Update threat intelligence on ThreeAM and the tooling lineages associated with it (Conti/Royal).