Knoxville June 2020 Ransomware Attack

The city of Knoxville, Tennessee recently fell victim to a ransomware attack that took many of the city’s government websites and computer servers offline, leaving many public services inaccessible for nearly a week. Forensic analysis revealed that the city was hit by the “DoppelPaymer” ransomware variant, which exfiltrates data and threatens to publish it online if no payment is made.

Despite the attack, the city was able to maintain operations in most departments with only minor disruptions. The most notable disruption was at the Knoxville Police Department, where officers were prevented from responding to some traffic accidents.

The cyber criminals were able to infiltrate Knoxville’s systems after a city employee fell victim to a phishing email concealing the ransomware variant. City officials did not disclose the amount of Bitcoin requested in the ransom. However, they publicly announced their refusal to pay the ransom because the threat appeared to be isolated and did not affect the city’s backup servers.

“At this time, the City does not anticipate it will pay the ransom, requested in Bitcoin, to the threat actor. This decision is based on a number of factors, including the team-focused technical approach, redundant and diversified IT systems, and quality data backups,”

City of Knoxville

To pressure the city further, the group behind the attack published city of Knoxville files online, including employees’ personal information. City officials confirmed this online leak in a public statement.

“The data is being published on a site created by the threat actor to shame victims who choose not to pay the ransom and as additional leverage to seek payment of the ransom. We are working diligently, with the assistance of our third-party computer forensic specialists, to review the data published by the threat actor and confirm the full extent of data that is impacted.” 

City of Knoxville

The city has been tight-lipped about its response and its review of the data leak, but it appears that all employee computers and city services have since been fully restored.