Attack by Ryuk ransomware disrupts nearly all municipal services in Canadian city of Saint John
# Incident Report: Ryuk Ransomware Attack on the City of Saint John
## Executive Summary
In November 2020, the City of Saint John, New Brunswick, fell victim to a significant Ryuk ransomware attack that paralyzed nearly all municipal digital services. The incident forced the city to take its entire network offline, including its website, email, and emergency payment systems, to contain the spread. While critical emergency services like 911 remained operational via backup protocols, the city faced a long recovery process and opted not to pay the ransom.
## Incident Details
- **Discovery Date:** November 15, 2020
- **Incident Date:** November 13–15, 2020
- **Affected Organization:** City of Saint John
- **Sector:** Government / Municipal Services
- **Geography:** New Brunswick, Canada
## Timeline of Events
### Initial Access
- **Date/Time:** Circa mid-November 2020.
- **Vector:** Likely phishing leading to an Emotet/TrickBot infection.
- **Details:** While not explicitly detailed in every city report, Ryuk traditionally gains entry via "commodity" malware like Emotet or TrickBot spread through malicious email attachments.
### Lateral Movement
- **Details:** Attackers utilized administrative tools and credential harvesting to navigate the municipal network, identifying high-value servers and data storage units before deploying the encryption payload.
### Data Exfiltration/Impact
- **Details:** Massive encryption of servers and workstations. While the city stated there was no immediate evidence of data exfiltration for the purpose of extortion, the encryption rendered all municipal data inaccessible.
### Detection & Response
- **How it was discovered:** IT staff identified significant network irregularities and system failures over the weekend of November 14–15.
- **Response actions taken:** The city proactively shut down its entire IT infrastructure (Network "Kill Switch") to prevent the ransomware from reaching isolated segments.
## Attack Methodology
- **Initial Access:** Typically initiated by a TrickBot or Emotet infection delivered through phishing.
- **Persistence:** Use of scheduled tasks and service creation.
- **Privilege Escalation:** Mimikatz and exploitation of vulnerabilities like Zerologon (common in Ryuk campaigns of this era).
- **Defense Evasion:** Disabling antivirus software (Windows Defender) and deleting Shadow Copies.
- **Credential Access:** Harvesting credentials from memory and domain controllers.
- **Discovery:** Scanning for network shares and Active Directory structure.
- **Lateral Movement:** Native tools (RDP, PowerShell, SMB).
- **Collection:** Targeting financial records and sensitive municipal data.
- **Exfiltration:** Not the primary focus of early Ryuk, but later versions were known to use tools like rclone (unconfirmed in this specific case).
- **Impact:** Encryption of files using RSA-2048 and AES-256; disruption of billing, transit, and online services.
## Impact Assessment
- **Financial:** Estimated recovery costs exceeded $2.9 million (CAD), partially covered by insurance (approx. $2 million).
- **Data Breach:** No confirmed public leak of sensitive citizen data, but internal system configurations were compromised.
- **Operational:** Total shutdown of SaintJohn.ca, online building permit systems, water billing, and parking ticket payment systems.
- **Reputational:** High public visibility due to the prolonged outage of public-facing services.
## Indicators of Compromise
- **File Indicators:** `.ryuk` extension on encrypted files; `RyukReadMe.txt` ransom notes.
- **Behavioral Indicators:** Unexpected use of `vssadmin.exe` to delete shadow copies; unauthorized administrative logins during off-hours.
- **Network Indicators:** Traffic to known Ryuk C2 infrastructure (e.g., `hxxp://185[.]25[.]204[.]xxx`).
## Response Actions
- **Containment:** Disconnected the city's internal network from the internet and shut down all local servers.
- **Eradication:** Full wipe and rebuild of infected workstations and servers from clean backups.
- **Recovery:** Incremental restoration of services, prioritizing emergency systems then public-facing payment portals.
## Lessons Learned
- **Segmentation:** The speed of the spread suggested a need for more robust internal network segmentation to prevent "all-or-nothing" outages.
- **Backup Integrity:** Having offline or immutable backups is the only reason the city could refuse the ransom payment.
- **Human Factor:** Phishing remains the primary entry point; ongoing staff awareness is critical.
## Recommendations
- **Multi-Factor Authentication (MFA):** Implement MFA on all remote access points and privileged accounts to hinder lateral movement.
- **Endpoint Detection and Response (EDR):** Deploy EDR tools to identify behavioral anomalies (like shadow copy deletion) before encryption begins.
- **Incident Response Planning:** Regularly test "Isolation" procedures to ensure speed of containment in future events.
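The two behavioral indicators listed above (shadow copy deletion via `vssadmin.exe`, off-hours privileged logons) and the EDR recommendation both come down to a small set of detection rules run over endpoint telemetry. The following is an added example, not part of the original report or the city's tooling: it runs those rules over constructed, simplified process-creation and logon records, and generalizes the shadow copy rule to also catch the `wmic shadowcopy delete` variant. The business-hours window, admin account list and event shape are assumptions.

```python
import re
from datetime import datetime

# Constructed sample events (not from the incident): simplified Windows
# process-creation and logon records as an EDR/SIEM might normalise them.
EVENTS = [
    {"ts": "2020-11-14T02:13:07", "type": "process", "host": "FS01",
     "user": "CORP\\svc_backup", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2020-11-14T02:15:41", "type": "process", "host": "FS01",
     "user": "CORP\\svc_backup", "cmd": "wmic.exe shadowcopy delete"},
    {"ts": "2020-11-13T10:02:00", "type": "process", "host": "WS22",
     "user": "CORP\\jdoe", "cmd": "vssadmin.exe list shadows"},
    {"ts": "2020-11-14T01:58:30", "type": "logon", "host": "DC01",
     "user": "CORP\\adm_it", "logon_type": 10},   # 10 = RemoteInteractive (RDP)
    {"ts": "2020-11-13T09:15:00", "type": "logon", "host": "DC01",
     "user": "CORP\\adm_it", "logon_type": 10},
]

# Assumed privileged accounts (constructed); in practice derive from AD group membership.
ADMIN_ACCOUNTS = {"CORP\\adm_it", "CORP\\svc_backup"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, Monday to Friday (assumption)

# Matches the vssadmin form named in the report plus the common wmic equivalent.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)

def is_off_hours(ts):
    """True when the ISO timestamp falls on a weekend or outside BUSINESS_HOURS."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or t.hour not in BUSINESS_HOURS

def detect(events):
    """Return (rule, host, user, ts) alerts for the two behavioural indicators."""
    alerts = []
    for e in events:
        if e["type"] == "process" and SHADOW_DELETE.search(e["cmd"]):
            alerts.append(("shadow_copy_deletion", e["host"], e["user"], e["ts"]))
        elif (e["type"] == "logon" and e["user"] in ADMIN_ACCOUNTS
              and is_off_hours(e["ts"])):
            alerts.append(("off_hours_admin_logon", e["host"], e["user"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Note that `vssadmin list shadows` is deliberately not flagged: listing is routine backup-software behavior, while deletion immediately before mass encryption is the Ryuk pattern worth paging on.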