Severity
High
Analysis Summary
The ransomware attack on the City of Wichita, Kansas, represents a serious incident with significant implications for both the city government and its residents. The attack, claimed by the LockBit ransomware gang, occurred on May 5th, 2024, prompting the city to initiate its incident response procedures and shut down its computer network to contain the threat.
This decision was made to prevent the ransomware from spreading further and to conduct a thorough assessment of affected systems to ensure they are secure before restoring services. The city has taken proactive measures by engaging third-party security experts and collaborating with federal and local law enforcement authorities to investigate and contain the incident.
A security breach notification reads, "We regret to report that certain online City services may be unavailable as we thoroughly review and assess an incident that affected some of our computer systems. As part of this assessment, we turned off our computer network."
While the city has not disclosed specific details about the ransomware variant involved or the identity of the ransomware gang responsible, the LockBit ransomware group has claimed responsibility for the attack and set a ransom payment deadline of May 15, 2024. As a result of the attack, certain online city services have been rendered temporarily unavailable, impacting residents and businesses relying on these services.

The disruption underscores the critical importance of robust cybersecurity measures and incident response protocols for government entities to mitigate the impact of cyber threats and safeguard sensitive data. The ongoing disruption caused by the attack is evident from the city's updates indicating that many systems remain offline as security experts work to identify the source and extent of the incident. The lack of a definitive timeline for restoring all systems to production highlights the complexity and severity of the attack, which may require extensive efforts to remediate and recover affected infrastructure.
The involvement of the LockBit ransomware gang, particularly in light of recent law enforcement actions against its leader Dmitry Yuryevich Khoroshev, underscores the evolving nature of cyber threats posed by ransomware groups. This incident serves as a stark reminder of the persistent risk posed by cybercriminals targeting critical infrastructure and underscores the importance of collaborative efforts between government agencies, law enforcement, and cybersecurity professionals to defend against such threats.
The city's response to the attack highlights the importance of transparency with affected stakeholders while prioritizing the security and integrity of its systems to minimize disruption and restore normal operations as swiftly and safely as possible.
Impact
- Sensitive Data Theft
- Financial Loss
- Operational Disruption
Remediation
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Enable two-factor authentication.
- In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Updates for operating systems, applications, and firmware should be installed as soon as possible.
- Check the active directories, servers, workstations, and domain controllers for new or unfamiliar accounts.
- To create secure remote connections, consider installing and utilizing a virtual private network (VPN).