The city of Knoxville, Tennessee, shut down large portions of its computer network on Thursday after being hit overnight by a ransomware attack, it was widely reported on Thursday.
The attack was first noticed by members of the Knoxville Fire Department around 4:30am Thursday, the Knoxville News Sentinel reported. Shortly after that, Knoxville’s Chief Operations Officer David Brace sent employees an email notifying them of the breach.
“Please be advised that our network has been attacked with ransomware,” he wrote. “Information Systems is currently following recommend[ed] protocols. This includes shutting down servers, our internet connections and PC’s. Please do not log in to the network or use computer applications at this time.”
Earlier in the day, the city’s website was unreachable. By evening, access to the site was restored after city employees moved it from its normal domain—www.knoxvilletn.gov—to the ad hoc one cityofknoxville.hosted.civiclive.com. Officials said the fire and police departments were operating as normal, although police were no longer responding to minor traffic accident reports.
Brace said that city servers were hit but that city IT officials believe the threat has been isolated. He said that no backup servers were affected and that much of the city’s work flows could be re-routed through them. The county of Knoxville, meanwhile, said on Twitter that it had no evidence its systems were affected.
Knoxville finds itself in the company of a growing list of municipalities that have been hit by the scourge of ransomware. Two of the better known incidents of ransomware infecting cities happened in 2018 in Atlanta and Baltimore, resulting in costs of $7 million and $18 million respectively.
Knoxville is the 51st US state or municipal entity to be affected by ransomware this year, Brett Callow, a researcher at security firm Emsisoft, told Ars. In 2019, his firm tracked 113 state and municipal governments agencies that were infected by ransomware. There’s not enough information yet to determine which of the many ransomware strains was used in the attack against Knoxville.
Brace, the Knoxville COO, said there was no evidence that financial or personally identifiable information had been accessed. Coming at such an early stage in the investigation, the statement means little. In recent months, ransomware groups have begun publicly auctioning off sensitive data accessed on compromised machines when victims are reticent to pay the ransoms. It’s a fair bet that any Knoxville data that was encrypted was also downloaded and can now be used in whatever way attackers choose.