On May 5th, 2024, the city of Wichita, Kansas, experienced significant disruptions after a LockBit ransomware attack targeted its government systems. The attack forced the shutdown of several critical services, including payment systems and operations at Wichita’s Dwight D. Eisenhower National Airport. LockBit’s relentless campaign continues to spread chaos, with this latest attack showcasing the vulnerability of local governments to ransomware incidents.
The Attack: Disruption Across Wichita
LockBit’s ransomware attack on Wichita’s government led to a widespread shutdown of essential services. Payment systems used by citizens to pay municipal fees were taken offline, and airport operations were severely impacted. The city’s reliance on interconnected IT infrastructure meant that the attack had far-reaching consequences, causing delays and service outages that affected residents, businesses, and travellers.
Wichita’s government, like many local administrations, depends on digital systems for everything from public transportation to utility payments and airport management. A ransomware attack in such a context can cause logistical chaos, disrupt civic operations, and severely impact public trust.
LockBit’s Tactics: How the Attack Unfolded
The LockBit ransomware group employed its usual techniques to infiltrate Wichita’s systems. The group is notorious for its use of T1486 – Data Encrypted for Impact, where critical systems are encrypted to lock out the organisation. In Wichita’s case, the encryption forced the city to take its systems offline to prevent further spread and damage, essentially paralysing key services.
One of the standout features of LockBit’s operations is their reliance on double extortion, where not only are systems encrypted, but sensitive data is exfiltrated and held for ransom. If the ransom demands are not met, the group typically threatens to leak the data publicly. While it is not yet confirmed whether sensitive government data was exfiltrated in this instance, LockBit’s previous activities suggest this may be part of the attack.
Initial access was likely gained through phishing emails or exploiting vulnerabilities within Wichita’s systems, potentially using techniques like T1566.002 – Spearphishing Link, a common method used by ransomware groups to gain a foothold in their targets. Once inside, LockBit likely moved laterally within the network, possibly exploiting flaws in network segmentation to maximise the impact, a hallmark of the group’s tactics.
Impact on Wichita’s Operations
The immediate impact of the ransomware attack was felt across several key government operations. Citizens were unable to access the payment portals for services like utilities and taxes, causing frustration and delays. More critically, Wichita’s Dwight D. Eisenhower National Airport faced operational challenges, including disruption of airport services and potential delays in flight schedules. For a local government, disruptions of this nature can result in millions in economic losses and erode public confidence in the city’s ability to manage critical infrastructure securely.
The city was quick to respond by taking systems offline, but this move further compounded operational delays. Incident response teams are currently working to restore normal services, though recovery from such attacks can take weeks, if not months, especially when dealing with sophisticated ransomware like LockBit.
LockBit’s Continued Threat to Local Governments
This attack is the latest in a series of incidents involving LockBit, which has increasingly targeted public institutions, leveraging their dependence on operational continuity to extort hefty ransoms. Local governments like Wichita have become high-value targets due to their reliance on IT systems and the potentially devastating consequences of prolonged outages.
LockBit’s affiliates often exploit outdated systems and unpatched vulnerabilities. Common techniques include T1133 – External Remote Services to exploit poorly secured remote access points and T1078 – Valid Accounts, where they use stolen credentials to navigate the network.
Public sector organisations face particular challenges when it comes to cybersecurity. Limited budgets, aging infrastructure, and a general shortage of cybersecurity expertise make them attractive targets for ransomware groups like LockBit. Even when defences are in place, the rapidly evolving nature of ransomware tactics makes it difficult for municipalities to stay ahead of threats.
Lessons for Local Governments: Mitigation and Prevention
The Wichita ransomware attack offers several important lessons for other local governments and public sector institutions:
- Robust Incident Response Plans: Local governments must have well-defined incident response plans to handle ransomware attacks. This includes backup systems, communication strategies, and clear protocols for restoring services.
- Regular Software Patching: Ensuring that all systems, especially those related to critical infrastructure like airports, are up-to-date with the latest security patches can help prevent attackers from exploiting known vulnerabilities.
- Comprehensive Security Training: Phishing remains one of the primary methods of ransomware delivery. By providing regular training to employees on recognising phishing emails, local governments can reduce their chances of falling victim to these attacks.
- Network Segmentation: Segregating essential systems from less critical ones can limit the spread of ransomware if an attack occurs, helping to isolate the impact and simplify recovery.
- Multi-Factor Authentication (MFA): Implementing MFA across all systems, especially for remote access services, can help prevent ransomware attackers from gaining access through stolen credentials.
The LockBit ransomware attack on Wichita’s government is yet another stark reminder of the growing threat that ransomware poses to local governments. With payment systems and airport services brought to a halt, the attack has had a significant impact on the city’s operations. The attack highlights the need for robust cybersecurity measures in the public sector, especially in critical infrastructure such as airports and municipal payment systems.
As ransomware groups like LockBit continue to refine their tactics, local governments must take proactive steps to defend against these sophisticated threats. The consequences of inaction can be severe, ranging from operational disruption to the potential exposure of sensitive public data.
Further Reading
- Understanding Ransomware Attacks on Local Governments – CISA guidance on mitigating ransomware risks
- LockBit: The Ransomware That Targets Critical Infrastructure – Dark Reading’s analysis of LockBit’s tactics and targets
- Wichita Government’s Response to the Ransomware Attack – Official statement and updates from Wichita government
- Airport Cybersecurity: Threats and Best Practices – International Air Transport Association’s guidance on securing airport operations from cyber threats