Incident: Ransomware Attack on City of Pensacola, Florida: Impact and Response

Published Date: 2019-12-12

Postmortem Analysis
Timeline
1. The software failure incident in the city of Pensacola, Fla. due to a ransomware attack happened over the weekend, as reported in the article [94094].
2. The article was published on 2019-12-12.
3. Estimating from the information provided, the software failure incident in Pensacola, Fla. occurred on the weekend before December 12, 2019.

System
1. City of Pensacola's network
2. Email servers
3. Computers connected to the network
4. Allied Universal's data and files
5. Government agencies, educational establishments, and healthcare providers' systems
6. Lake City, Fla.'s systems
7. Baltimore's systems [94094]

Responsible Organization
1. The operators behind Maze Ransomware claimed responsibility for the cyberattack on the city of Pensacola [94094].
2. The ransomware attack on Allied Universal, which used the same software as the attack on Pensacola, was also attributed to the Maze Ransomware operators [94094].

Impacted Organization
1. The city of Pensacola, Fla. [94094]
2. Allied Universal [94094]

Software Causes
1. Ransomware attack using Maze Ransomware, which encrypted critical data and files, blocking access until a ransom was paid [94094].
2. Data stolen in addition to files being encrypted during the ransomware attack on Allied Universal, potentially enabling the attack on the city of Pensacola to succeed [94094].

Non-software Causes
1. Lack of strong cybersecurity measures in government agencies and organizations [94094]
2. Insufficient data management and protection practices [94094]

Impacts
1. Critical data and files were encrypted and locked, blocking access until a ransom was paid, leading to limited access to email for city employees and the inability to use computers or the internet until the issues were resolved [94094].
2. The ransomware attack affected at least 20 local Texas agencies and the state government, crippling their operations [94094].
3. Data was stolen in addition to files being encrypted in the ransomware attack on Allied Universal, indicating a potential security breach and data compromise [94094].
4. The ransomware attack on the city of Pensacola may have been enabled by data stolen during the attack on Allied Universal, highlighting the need for stronger cybersecurity measures and information sharing [94094].
5. A total of 948 government agencies, educational establishments, and healthcare providers were impacted by ransomware attacks so far in the year, indicating a widespread and increasing trend of cyber threats [94094].

Preventions
1. Implementing robust cybersecurity measures such as regular security audits, network monitoring, and intrusion detection systems could have potentially prevented the ransomware attack on the city of Pensacola [94094].
2. Conducting regular cybersecurity training for employees to raise awareness about phishing attacks and other common entry points for ransomware could have helped prevent the incident [94094].
3. Maintaining up-to-date software and security patches on all systems to address known vulnerabilities that ransomware attackers often exploit could have mitigated the risk of a successful attack [94094].
4. Implementing a comprehensive data backup and recovery plan to ensure critical data can be restored in case of a ransomware attack could have reduced the impact of the incident [94094].
5. Enhancing information sharing and collaboration between different organizations and agencies to alert each other about potential threats and attacks could have helped prevent the spread of ransomware incidents like the one experienced by the city of Pensacola [94094].

Fixes
1. Enhancing cybersecurity measures and protocols within the city's IT infrastructure to prevent future ransomware attacks [94094].
2. Implementing regular cybersecurity training for city employees to increase awareness and prevent potential security breaches [94094].
3. Establishing better data backup and recovery systems to mitigate the impact of ransomware attacks by ensuring critical data can be restored without paying a ransom [94094].
4. Strengthening collaboration and information sharing between government agencies, educational establishments, and healthcare providers to collectively combat ransomware threats and share best practices [94094].

References
1. City spokesperson Kaycee Lagarde [94094]
2. Escambia County Commissioner Jeff Bergosh [94094]
3. Cybersecurity site BleepingComputer [94094]
4. Brett Callow, spokesperson with the anti-virus company Emsisoft [94094]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization, multiple_organization | (a) The software failure incident having happened again at one_organization: - The ransomware attack on the city of Pensacola, Fla. is reported to have used the same software as an attack against Allied Universal, a security company that has an office in Pensacola [94094]. - The attack on Allied Universal was described as pernicious because data was stolen in addition to files being encrypted [94094]. (b) The software failure incident having happened again at multiple_organization: - The article mentions that so far in the year, a total of 948 government agencies, educational establishments, and healthcare providers have been impacted by ransomware attacks [94094]. - It also highlights previous incidents such as the Ryuk attack on Lake City, Fla. in June and the RobbinHood ransomware attack on Baltimore in May [94094].
Phase (Design/Operation) | design | (a) The software failure incident in Pensacola, Florida, was due to a ransomware attack that encrypted critical data and files, blocking access until a ransom was paid [94094]. The attack impacted the city's network, leading to the disconnection of many computers until the issues could be resolved. The ransomware attack was identified as Maze Ransomware, and the attackers demanded a $1,000,000 ransom for a decryptor. The incident highlighted the need for stronger cybersecurity measures in government organizations to prevent such attacks in the future. (b) The operation of the city of Pensacola was affected by the ransomware attack, leading to limited access to email for city employees and the inability to use computers or the internet until the issues were resolved [94094]. Despite the limitations, emergency dispatch and 911 services were not impacted and continued to operate. The attack did not directly affect these critical services, indicating that they were able to function independently of the compromised network.
Boundary (Internal/External) | within_system | (a) within_system: The software failure incident in Pensacola, Fla. was a ransomware attack that originated from within the system. The attack encrypted critical data and files, blocking access until a ransom was paid [94094]. The ransomware used in the attack was identified as Maze Ransomware, and the operators behind Maze claimed responsibility for the cyberattack and demanded a $1,000,000 ransom for a decryptor [94094]. Additionally, the attack on Allied Universal, which used the same software as the attack on Pensacola, resulted in data being stolen in addition to files being encrypted, indicating an internal system vulnerability [94094].
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: - The software failure incident in Pensacola, Fla. was caused by a ransomware attack, where critical data and files were encrypted and locked, blocking access until a ransom was paid [94094]. - The ransomware attack in Pensacola was identified as Maze Ransomware, and the operators behind Maze claimed responsibility for the cyberattack and demanded a $1,000,000 ransom for a decryptor [94094]. (b) The software failure incident occurring due to human actions: - The ransomware attack on Allied Universal, which used the same software as the attack in Pensacola, resulted in data being stolen in addition to files being encrypted, indicating human involvement in the attack [94094]. - The spokesperson with the anti-virus company Emsisoft highlighted the need for better cybersecurity management by governments to prevent such attacks, suggesting human actions as contributing factors to the incident [94094].
Dimension (Hardware/Software) | software | (a) The software failure incident in Pensacola, Florida, was due to a ransomware attack, which is a type of cyberattack that encrypts critical data and files, blocking access until a ransom is paid [94094]. This incident was not caused by hardware failure but rather by malicious software infiltrating the city's network and encrypting files. (b) The ransomware attack on the city of Pensacola was a software failure incident caused by the Maze Ransomware, as identified by cybersecurity site BleepingComputer [94094]. The attack involved the encryption of files and the demand for a $1,000,000 ransom for a decryptor, indicating that the failure originated in the software used by the attackers.
Objective (Malicious/Non-malicious) | malicious, non-malicious | (a) The software failure incident in Pensacola, Florida, was malicious in nature as it was a ransomware attack. The attack involved encrypting critical data and files, blocking access until a ransom was paid. The attackers behind the Maze Ransomware claimed responsibility for the cyberattack and demanded a $1,000,000 ransom for a decryptor [94094]. Additionally, the ransomware attack on Allied Universal, which used the same software as the attack on Pensacola, involved data being stolen in addition to files being encrypted, indicating a malicious intent [94094]. (b) The software failure incident in Lake City, Florida, where the city fell victim to a Ryuk attack, was non-malicious in nature. The attack resulted in a $460,000 ransom demand, which was covered by an insurance policy. However, not all data was recovered, and the city's IT director was fired as a consequence of the incident [94094].
Intent (Poor/Accidental Decisions) | poor_decisions, accidental_decisions | (a) The software failure incident in the city of Pensacola, Fla. due to a ransomware attack can be attributed to poor decisions related to cybersecurity management. The incident highlighted the poor job governments do in managing their cybersecurity, as stated by Brett Callow, a spokesperson with the anti-virus company Emsisoft [94094]. The attack on Allied Universal, which used the same software as the attack on the city, resulted in data being stolen in addition to files being encrypted, indicating a lack of robust cybersecurity measures [94094]. (b) The software failure incident in the city of Pensacola, Fla. due to a ransomware attack can also be linked to accidental decisions or unintended consequences. The attack led to critical data and files being encrypted and locked, blocking access until a ransom was paid, indicating an unintended consequence of the attack [94094]. Additionally, the attack on Allied Universal, which may have enabled the attack on the city to succeed, could be seen as an unintended consequence of data being stolen during the ransomware attack [94094].
Capability (Incompetence/Accidental) | unknown | (a) The software failure incident in Pensacola, Florida, was a ransomware attack that encrypted critical data and files, blocking access until a ransom was paid [94094]. The attack was identified as Maze Ransomware, and the operators behind Maze claimed responsibility for the cyberattack and demanded a $1,000,000 ransom for a decryptor. The attack on Allied Universal, which used the same software, resulted in data being stolen in addition to files being encrypted [94094]. (b) The ransomware attack on the city of Pensacola was not accidental but a deliberate cyberattack carried out by malicious actors using Maze Ransomware [94094]. The attackers demanded a significant ransom for decrypting the files, indicating a premeditated and intentional act rather than an accidental occurrence.
Duration | temporary | (a) The software failure incident in the city of Pensacola, Fla. due to the ransomware attack can be considered as a temporary failure. The incident led to the city disconnecting much of its network until the issues could be resolved [94094]. City employees only had limited access to email, and most landlines were restored, indicating that the impact was not permanent. Additionally, emergency dispatch and 911 services were not impacted and continued to operate [94094]. (b) The ransomware attack on the city of Pensacola, Fla. can also be seen as a temporary failure as the city remained operational but with limitations since computers and internet access were unavailable until the issues were resolved [94094]. The incident caused disruptions but did not result in a permanent shutdown of services.
Behaviour | omission, value, byzantine | (a) crash: The software failure incident in Pensacola, Fla. was a result of a ransomware attack, which led to the city disconnecting much of its network until the issues could be resolved [94094]. (b) omission: The ransomware attack in Pensacola caused limited access to email for city employees since IT had computers disconnected from the network [94094]. (d) value: In the ransomware attack on Allied Universal, data was stolen in addition to files being encrypted, indicating a failure in the system performing its intended functions correctly [94094]. (e) byzantine: The Maze ransomware operators claimed responsibility for the cyberattack on Pensacola and demanded a $1,000,000 ransom for a decryptor, showcasing inconsistent and malicious behavior [94094].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | death, property, delay, non-human, theoretical_consequence, other | (a) death: People lost their lives due to the software failure - The article mentions a shooting incident at the Naval Air Station Pensacola where three people were fatally shot [94094]. (b) harm: People were physically harmed due to the software failure - There is no direct mention of people being physically harmed due to the software failure in the articles. (c) basic: People's access to food or shelter was impacted because of the software failure - There is no mention of people's access to food or shelter being impacted due to the software failure in the articles. (d) property: People's material goods, money, or data was impacted due to the software failure - The ransomware attack resulted in critical data and files being encrypted and locked, blocking access until a ransom was paid [94094]. (e) delay: People had to postpone an activity due to the software failure - The city of Pensacola had limited access to email and was somewhat limited in operations due to computers and internet being unusable until the issues were resolved [94094]. (f) non-human: Non-human entities were impacted due to the software failure - The ransomware attack affected the city's network, email servers, and computers, impacting the city's operations [94094]. (g) no_consequence: There were no real observed consequences of the software failure - There were observed consequences of the ransomware attack on the city of Pensacola, including limited access to email and computers, encryption of critical data, and disruption to operations [94094]. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The article discusses the potential consequences of data being stolen during the ransomware attack on Allied Universal enabling the attack on the city to succeed, illustrating the need for stronger reporting requirements and better information sharing [94094]. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The ransomware attack impacted the city's ability to use computers and the internet, affecting their operational efficiency [94094].
Domain | information, government | (a) The failed system in the incident was related to the information industry as it affected the city of Pensacola, Fla., causing disruptions in the city's network and IT systems, limiting access to email and internet for city employees [94094]. Additionally, the ransomware attack impacted critical data and files, which are essential for the functioning of the city's operations and services. (l) The incident also falls under the government sector as the city of Pensacola, a government entity, was the target of the ransomware attack. The attack disrupted government operations, leading to limited access to computers and internet for city employees, affecting services provided by the city [94094].

Sources
