City of Wichita Public Services Disrupted After Ransomware Attack

The City of Wichita is investigating a ransomware attack that happened over the weekend and shut down many of the city's networks and services, with no current end in sight to as to when systems will be restored.

The attack happened on Sunday when ransomware encrypted "certain" unspecified city systems, according to an alert on its website, rendering many core city online services temporarily inaccessible.

Officials have enabled business-continuity measures in response to the attack and are "working with third-party specialists to safely and securely restore the computer network," as well as investigating its original with law enforcement, according to the alert, which was released the same day as the attack.

Such quick release of an alert informing citizens of a cyber incident is not always the norm, security experts note. However, with the damage so extensive — affecting everything from the city's airport to its water service to public transit — informing the public can be a helpful way to prepare them for disruptions, notes Malachi Walker, security advisor at security firm DomainTools.

"The transparency displayed by the City of Wichita in disclosing the ransomware attack is incredibly important so that those impacted can be on alert and make necessary responses," he says in an email to Dark Reading.

Numerous Systems Affected

Those disruptions indeed seemed numerous, if a "frequently asked questions" section in the city's alert that addresses people's chief concerns is any indication.

With systems down, the city will be going to cash-based systems for paying water bills, riding the bus, attending cultural events, and paying for landfill services, among several others that typically offer digital payment options.

The city also will be unable to live-stream city council meetings and advised people to attend in person if they were interested in the proceedings. Both the Wi-Fi service and the departure screens at Wichita's Dwight D. Eisenhower National Airport also are not functioning due to the attack, though flights are operating as normal.

There also is evidence that critical city infrastructure was affected by the attack, as officials advised in alert that those who have had their water shut off bring payment or proof of payment to City Hall and their water will be reconnected.

Moreover, the city is waiving late fees and penalties for people who have difficulty paying water bills until the incident is resolved, though residents can still pay via cash, mail, or by going directly to Wichita City Hall. New accounts also can be set up at the city hall, while auto-payments are suspended for the time being, according to the alert.

Ongoing Investigation

The city's IT department is working with law enforcement and security partners to investigate, though specific details of the attack remain murky and the city said there is currently "no timetable for when systems could be coming back online."

"We appreciate your patience as we work through this incident as quickly and as thoroughly as possible," according to the alert, which will be updated as the situation changes.

Ransomware attacks have become all-too-commonplace these days, although there was evidence earlier this year that some — particularly those against industrial control networks — are on the decline. Indeed, global law-enforcement actions have been proactive and successful in breaking up known ransomware groups, though it seems new ones appear to crop up almost as soon as one is dismantled.

Still, each ransomware attack should be treated with an individual seriousness, particularly when so many public services are affected, as is the case in Wichita, notes Colin Little, security engineer at cybersecurity firm Centripetal.

"In this day and age, it is all too easy to say 'Yep, another cyber attack,' but that this statement needs to be confirmed in a press release boldly underlines the gravity of this event," he says in an email. "That these services are executing business continuity measures suggests police and fire services will be degraded and in one of the largest cities in the US that is a big deal."

Next Steps for Future Prevention, Protection

Key now for the investigation is to get to the bottom of who the attackers are and what specific tactics they used so officials can bolster the security of networks in the future, security experts say.

Tom Kellermann, senior vice president of cyber strategy at security firm Contrast Security, suggested that Russia state-sponsored actors may be behind the attacks, as they have "punitively escalated their destructive attacks against U.S. cities as revenge" for a recently passed Congressional aid package for Ukraine. However, no culprit for the attack has yet been identified.

Finding out the initial access point also is key to the investigation to safeguard networks in the future, notes another expert.

"Was it social engineering, unpatched software or firmware, or something else?" says Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4. "If they can't identify how the ransomware first got initial access it's going to be a lot harder to prevent it from happening again."

It's also important to identify if encrypted data also was exfiltrated by attackers so officials can notify the public if there may be further consequences that may occur from the incident, such as the sharing of their info on the Dark Web or future attacks, Walker says.