Full Report
The RansomHub cybercrime operation took credit for publicly reported cyberattacks on the Coppell, Texas, government and the citywide parks agency for Minneapolis.
Analysis Summary
# Incident Report: RansomHub Ransomware Attacks on US Municipalities
## Executive Summary
The cybercriminal operation known as RansomHub claimed responsibility for two distinct, damaging ransomware attacks against US municipal entities: the City of Coppell, Texas, and the Minneapolis Park and Recreation Board (MPRB). Both incidents, occurring in late October/early November 2024, resulted in widespread technology disruptions, impacting essential services like libraries, permits, and utility billing systems. While the full scope of data compromise is pending investigation, initial indications suggest potential exposure of partial individual and vendor information in Coppell.
## Incident Details
- **Discovery Date:** Coppell publicly reported issues on October 23, 2024. MPRB warned residents last Wednesday (relative to the article date).
- **Incident Date:** Attacks occurred in the weeks leading up to late October/early November 2024.
- **Affected Organization:** City of Coppell, Texas; Minneapolis Park and Recreation Board (MPRB).
- **Sector:** Local Government/Municipal Services.
- **Geography:** Texas, USA; Minnesota, USA.
## Timeline of Events
### Initial Access
- **Date/Time:** Occurred prior to October 23 (Coppell) and "last Wednesday" (MPRB).
- **Vector:** Ransomware attack, method(s) unspecified, attributed to RansomHub.
- **Details:** Unknown specific entry point, but resulted in system-wide outages at both entities.
### Lateral Movement
- **Details:** Not described in the report, but the breadth of the technology outages implies the attackers moved through the internal network before impact, reaching systems across multiple services.
### Data Exfiltration/Impact
- **Coppell:** WiFi, library services, permit/inspection platforms, and Municipal Court operations were disabled. Potential exposure of "partial, and potentially outdated, individual and vendor information."
- **MPRB:** System-wide phone outage reported; investigation underway to determine scope of accessed/breached data.
### Detection & Response
- **Coppell:** Systems became unavailable around October 23, when the city released public notices. Response included extending utility payment deadlines and working to restore services.
- **MPRB:** Detected when technology systems were attacked, prompting IT to "immediately take action to prevent further impacts." Public alerts issued regarding phone and system outages.
## Attack Methodology
- **Initial Access:** Ransomware delivery (specific vector unknown).
- **Persistence:** Not detailed; assumed necessary for maintaining control during the ransom period.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed, though the success against municipal infrastructure suggests existing defensive controls were evaded.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Implied by the widespread service disruption across multiple governmental functions.
- **Collection:** Potential collection of partial individual and vendor information (Coppell).
- **Exfiltration:** Implied by the ransomware model; data potentially stolen prior to encryption/disruption.
- **Impact:** Encryption/disruption of critical municipal systems and infrastructure.
## Impact Assessment
- **Financial:** Not specified, but Coppell required extending utility payment deadlines.
- **Data Breach:** Potential exposure of partial/outdated individual and vendor information in Coppell. MPRB data breach scope is under investigation.
- **Operational:** Significant disruption to essential public services: library access, permit processing, court operations, utility payments, and internal/external phone systems.
- **Reputational:** Negative impact due to service outages affecting local residents in both jurisdictions.
## Indicators of Compromise
- **Network indicators:** None specified.
- **File indicators:** None specified.
- **Behavioral indicators:** Widespread disruption across diverse IT services following a suspected ransomware event claimed by RansomHub.
## Response Actions
- **Containment:** MPRB IT "immediately took action to prevent further impacts."
- **Eradication:** Not detailed, but implied ongoing work to resolve the incident.
- **Recovery:** Gradual restoration of services at Coppell: Phone systems restored by Nov 1; Utility bills restored by Nov 14; Libraries restored by Nov 15; most operations reopened by Nov 20.
## Lessons Learned
- Municipalities, especially in high-risk areas like Texas, remain high-value targets for established ransomware operations like RansomHub.
- Dependence on shared or legacy systems can lead to lengthy recovery times (Coppell library service restoration took nearly a month).
- Response planning must account for communications failure (MPRB experienced phone line outages).
## Recommendations
- Implement multi-factor authentication across all environments, especially for remote access and critical administrative accounts.
- Maintain frequent, tested backups that are isolated (offline or on a segmented network) from the primary infrastructure, so they cannot be encrypted alongside production systems.
- Review and enhance network segmentation to limit the scope of lateral movement following initial compromise.
- Develop and regularly practice a comprehensive incident communication plan that accounts for primary communications channels (like phone systems) being unavailable.