DENVER – A week after the Colorado Department of Transportation was hit with a ransomware attack that it was still recovering from, the agency was struck again with what appears to be a new variant of the malicious software.
Once again, the system was immediately shut down, affecting nearly 2,000 employees who have had to "go back to pen and paper."
CDOT was first hit with ransomware the morning of Feb. 21. The servers infected with the ransomware were then taken offline to prevent further spread of the virus, and the FBI and other security agencies were brought in to help determine the root cause of the attack, according to a statement from the Governor's Office of Information Technology (OIT).
The hackers demanded Bitcoin in order to release the hijacked files and unlock the system, but David McCurdy, the OIT Chief Technology Officer, said last week they had “no intention of paying ransomware.”
Brandi Simmons, a spokeswoman for the OIT, told Denver7 that the ransomware attack was contained by Friday and OIT employees worked through the weekend and into the early parts of this week to bring back systems that went down because of the attack.
As of Thursday morning, about 20 percent of all affected computers were back online before employees were again targeted with a new variant of the SamSam ransomware, Simmons said.
The attack has forced between 1,500 and 2,000 CDOT employees to do things "the old-fashioned way," meaning they have to input data using pen and paper.
"We are taking this very, very seriously," said Simmons. "We believe it’s a different virus since we put in security measures against the other strain that did not protect against this new virus."
CDOT spokeswoman Amy Ford said this ransomware attack does not affect construction projects, which are still ongoing and have not been stopped due to the attack.
The ransomware also does not affect signs, variable message boards and “critical traffic operations,” Ford said.
OIT officials did not provide an estimated timeframe of when the systems would be restored. The case will be sent to forensics to determine how the ransomware attacked their systems.
Meanwhile, Joe Moles, the director of security operations at the cybersecurity company Red Canary, said these types of SamSam ransomware attacks aren't going away, as hackers target businesses, hospitals and governments, who often pay the ransom.
"It's easy money, typically. We’ve seen more and more companies paying the ransom because the cost of the ransom is cheaper than the cost of the recovery," said Moles, who said the CDOT attack could have been worse. "I think good for CDOT for not paying the ransom and for having the controls in place that the critical infrastructure was not affected. I think that’s the real takeaway is they had things set up in a way the road system was not impacted by this kind of compromise."