COLONIE — Albany International Airport announced this week that its administrative computers had been locked down by a crypto virus on Christmas Day.
Airline, air traffic control and Transportation Security Administration computers all were not affected, so safety and security were never at risk, the Albany County Airport Authority said in a news release issued Friday.
No personal or official data were removed or even accessed from the computers the authority uses to run the airport, so no one was at risk of identity theft. But the authority’s computer data was rendered inaccessible until the authority paid the ransom demanded by the hackers.
“We are back to normal, we were back to normal by [Jan. 6],” airport spokesman Doug Myers said Friday. “We have all our files. We’re relying now on the FBI and the state of New York to investigate.”
The New York State Cyber Command and FBI are both involved in the probe, and computer systems contractor ABS Solutions assisted the authority with recovery.
The authority was alerted to the attack by Schenectady-based LogicalNet, its computer management provider.
Around 2 a.m. Dec. 25, one of LogicalNet’s servers was compromised by hackers, and the virus was transmitted to the company’s clients, a handful of whom got locked out in the same manner the airport authority did, according to LogicalNet President and CEO Tush Nikollaj, but most were able to recover by using their backup systems.
The airport authority had a backup system, he said, but it shared a drive with the main system, which he explained defeats part of the purpose of having a backup, by making both machines vulnerable to the same attack.
Myers on Friday afternoon said the airport has severed its relationship with LogicalNet. Nikollaj said his company has been working with the airport authority on recovery since the attack and in fact had an employee on site Friday morning. So he was surprised to read that LogicalNet had been dropped when he read about it Friday morning in the Times Union’s coverage of the crypto virus attack. He said he will meet Monday afternoon with the airport executive team to discuss the matter.
LogicalNet is both a tenant of The Daily Gazette Company at its Schenectady headquarters and also the manager of the paper’s information technology services.
James Grandy, vice president of digital operations for The Gazette, said the company’s computers were infected but operations were not affected by the Christmas morning attack. Two of the Gazette’s many servers were locked up, but proper backups were in place. Restoration was time-consuming but easy, he said.
Even if the data were lost, The Gazette would not have paid a ransom, he said, because doing so encourages future attacks and carries no guarantee that the hacker — a criminal probably beyond the reach of U.S. law enforcement — would restore access to the encrypted data.
Myers said the airport authority paid the ransom on the advice of an outside expert whose previous experience with this particular hacker suggested they would keep their end of the bargain. “Within four hours we got the key,” he said.
The authority wouldn’t disclose how much it paid in ransom, only that it was less than $100,000 (paid in the cryptocurrency Bitcoin). The out-of-pocket cost for the ransom will be less, though: “We have cyberinsurance that covers us,” Myers said. “We have a $25,000 deductible.”
Additional expenses are likely as the authority upgrades its computer system and possibly adds personnel.
As cyberattacks go, it was about as benign as could be: No personal data for employees or travelers was stolen, nor were aircrews or passengers ever in danger, nor was there even an attempt to slow or inconvenience air travel at one of the busiest times of the year.
It apparently was just an attempt to grab money from an entity that had the means to pay.
It is for this reason, Nikollaj said, that hackers target managed service providers such as his company: Small- to mid-sized companies are increasingly outsourcing their IT management to avoid the expense of maintaining that level of expertise on staff. One successful attack on an MSP can infect dozens or even hundreds of clients.
Two days before LogicalNet was hit, a much-larger MSP in California, Synoptek, suffered a ransomware attack that affected many of its thousand-plus customers. Earlier in the month, Colorado-based Complete Technology Solutions was hit, and over 100 of its clients — all dentists’ practices — were affected. Currency exchange giant Travelex was attacked on New Year’s Eve.
Each of these companies were hit by a variant of the Sodinokibi crypto virus, as was LogicalNet.
“It’s very nasty,” Nikollaj said. “They’re getting very sophisticated.”
He said LogicalNet had been aware of the increasing threat to MSPs.
“We know that, we’ve been trying to protect ourselves.” Most of the protections worked Christmas morning, he said, but enough failed to cause a crisis. Those failures are being addressed, he said.
He defended the damage control efforts by LogicalNet in the wake of the hack as swift and effective. He said the infection at the airport authority was exacerbated by age and configuration of the equipment there as well as the fact that it was co-managed by authority personnel, so LogicalNet served in an advisory role at times.
In a prepared statement, he said:
“To say that we were solely responsible for security at the airport and the failure of their backup systems is not a fair statement. We provide services using systems chosen and implemented by the airport’s IT department. While the attack vector for this incident came through our management system the effects for the airport were different than many of our customers. Some of the backup systems that failed to protect and preserve the airport data were selected and implemented before our relationship with the authority and without our recommendation.”
THE RANSOM NOTE
The following note was inserted in multiple locations within The Daily Gazette computer network during a ransomware attack around 2:30 a.m. Dec. 25. (Portions with computer coding or web addresses are deleted here.) The Gazette opted not to pay, and instead used a backup system to recover the kidnapped data.
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!