St. Louis suburb investigating network security incident
The local government of a St. Louis, Missouri suburb is investigating a “network security incident” that is believed to have started last month but is still affecting systems.
A spokesperson for Ballwin, Missouri – a town of 31,000 about 30 minutes west of the center of St. Louis – told Recorded Future News that IT officials discovered the incident on March 16 but said the investigation is “currently ongoing.”
The attack affected “certain systems” within their network environment but the spokesperson would not say which.
“We immediately shut down affected systems, and have engaged third party forensic specialists to investigate the extent of the activity. We have also notified law enforcement,” Ballwin City Clerk Megan Freeman said.
“We have not yet determined the extent of the unauthorized activity, including whether any personal or confidential information was involved. If individual personal information is involved, we will notify affected individuals in accordance with relevant state and federal laws.”
Ballwin officials released a similar statement to local news outlets days after the incident was discovered and said they were working with their insurance provider to restore downed systems.
They told KMOV that none of the city’s cloud-based systems carrying financial files were accessed. But several online platforms that were used for paying city bills were not working for weeks.
Ransomware groups have made a point of going after poorly-resourced local governments across the United States in 2022, targeting small governments in New Jersey, Colorado, Oregon, New York and several other states.
Emsisoft ransomware expert Brett Callow said at least 26 local governments in the U.S. have been impacted by ransomware already this year, and at least 16 of them are known to have had data stolen.
On Tuesday, the Royal ransomware gang took credit for the attack, adding the city to its list of victims.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory in March warning vulnerable organizations of an increased threat posed by Royal ransomware. The guidance is the second warning the U.S. government has issued about Royal ransomware in recent months.
The ransomware strain has been involved in a number of recent high-profile incidents, including cyberattacks targeting the Iowa branch of the Public Broadcasting Service, U.S. hospitals, and one of the most popular motor racing circuits in the U.K. It also has a reputation for targeting various critical infrastructure sectors, such as manufacturing, communications, and education, CISA said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.