Cybercriminals used Ryuk ransomware in the New Orleans cyber-attack

Ryuk has also been used in other attacks against many large enterprises, including the Mexico-based oil company Pemex

Ryuk ransomware is behind the New Orleans cyber-attack, according to an online malware-scanning database. The executable files of the ransomware were uploaded to the database one day after the cyber-attack. A cybersecurity researcher from Red Flare Security later confirmed Ryuk's involvement in the city of New Orleans cyber-attack in a tweet.


Ryuk ransomware has been used in many previous cyber-attacks, including the attack on Georgia's court system and on two Florida cities, and the attack that compromised Louisiana's Office of Technology Services (OTS), including the networks of the Office of Motor Vehicles (OMV) and the Department of Health. Ryuk has also been used in attacks against multi-national enterprises, including the Mexico-based oil company Pemex.

The impact

Once officials noticed the attack, they asked all employees to shut down their terminals to limit the damage. Chief Information Officer Kim LaGrue explained at an evening press conference on November 13 that they managed to disconnect most of their internet-connected machines, a standard practice to protect data from a large-scale breach.

According to the latest report, all public services have returned to normal, though city hall offices will continue using pen and paper to maintain records for the next few days. The police department and emergency services such as 911 and 311 are up and running, and operations at the Department of Safety and Permits are expected to resume starting this week.

Emergency situation in New Orleans

The mayor of the city of New Orleans has confirmed that the cyber-attack impacted around 4,000 terminals and 400 servers, and ordered an emergency operations center to be set up on Monday, Dec. 16. All of those machines have to be disinfected before they can be brought back into service.

In another quick follow-up, she said, "Services are down, however a temporary web page has been deployed to allow residents to make 3-1-1 requests for service; pay sales, use, and parking taxes; and pay parking and camera tickets."

The involvement of Botnets in the attack

A new report claims the attackers used the Emotet and Trickbot botnets to distribute the ransomware to most of the machines. Emotet mostly spreads through spam emails carrying a link that compromises the victim, after which it installs Trickbot, which in turn delivers the ransomware payload.

The authorities of the city of New Orleans have not yet reported any ransom demand.
