{
	"id": "dbd7f30a-e9ba-4c78-8a82-bd9c5324f868",
	"created_at": "2026-04-06T00:11:25.97778Z",
	"updated_at": "2026-04-10T13:12:48.432762Z",
	"deleted_at": null,
	"sha1_hash": "6efd1ecb3f82367ec8349b0ef98734a4c92a793c",
	"title": "New Orleans latest apparent victim of Ryuk ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46085,
	"plain_text": "New Orleans latest apparent victim of Ryuk ransomware\r\nBy Benjamin Freed\r\nPublished: 2019-12-16 · Archived: 2026-04-05 16:26:11 UTC\r\nA cyberattack last week against the New Orleans city government likely involved the ransomware known as Ryuk,\r\nbased on affected files shared on the malware-analysis website VirusTotal. Colin Cowie, founder of the\r\ncybersecurity research firm Red Flare Security, was first to spot lines of code both referencing functions of New\r\nOrleans’ municipal agencies and the Ryuk virus.\r\nCity officials acknowledged the attack late Friday afternoon when they declared a state of emergency and shut\r\ndown more than 4,000 computers and servers across the government. New Orleans’ official websites remained\r\noffline through Monday morning, and several more services were still affected. Municipal courthouses were\r\nclosed Monday, and the city’s Healthcare for the Homeless service was unable to see patients because workers\r\ncannot access electronic health files, according to Mayor LaToya Cantrell’s office. Emergency services, including\r\nthe city’s 911 line, were mostly unaffected, but some agencies have opened Gmail accounts to handle non-emergency requests while the city’s email server is offline.\r\nAt a press conference Saturday, New Orleans Chief Information Officer Kim LaGrue said she expects data loss to\r\nthe ransomware attack to be “very minimal,” which she credited to her department’s relatively quick movement\r\nafter detecting malicious activity on the city’s network Friday morning. LaGrue’s team first noticed suspicious\r\nactivity at 5 a.m. Friday, and by 11 a.m. the team was shutting down systems citywide. LaGrue also said the city\r\nkeeps offline backups of its files and applications.\r\n“We’ve minimized data loss because part of our strategy is to always monitor for these risks,” she said.\r\n“Investigating and looking for suspicious activity is something we do all the time. 
We are now looking to recover\r\nfrom a very resilient platform.”\r\nLaGrue added that the ransomware attack is under investigation by state and federal law-enforcement agencies, as\r\nwell as the Louisiana National Guard.\r\n“The forensic investigation is still in progress,” she said. “There is much that we are still to learn about this attack,\r\nthe mechanisms and what was significantly compromised.”\r\nWhile government officials have not said anything about the source of the cyberattack or how great of a ransom\r\ndemand they received, third-party research pointing to Ryuk would make New Orleans the latest in a growing\r\nstring of municipal governments to be attacked by the malware, which has elicited some of the largest ransomware\r\npayouts. Actors using Ryuk are known to have collected $400,000 from Jackson County, Georgia; nearly\r\n$600,000 from Riviera Beach, Florida; $490,000 from Lake City, Florida; $130,000 from LaPorte County,\r\nIndiana; and $100,000 from the public school district in Rockville Centre, New York.\r\nBut recent research from Emsisoft, a New Zealand firm that specializes in ransomware, indicates that\r\ngovernments should think twice about paying for a decryption key to regain access to their files. Emsisoft’s work\r\nshows that Ryuk is designed to only partially encrypt larger files to ensure it spreads quickly, which can lead the\r\ndecrypter to corrupt data in some cases. “Depending on the exact file type, this may or may not cause major\r\nissues,” the researchers wrote.\r\nRyuk was also seen in an attack last month against the state of Louisiana that prompted Gov. John Bel Edwards to\r\nissue his second emergency declaration of the year because of a cyberattack. 
The virus frequently works in concert\r\nwith banking trojans that steal financial information and credentials from recipients of phishing emails who open\r\nmalicious links. When one of the trojans, TrickBot, determines that a compromised network can be infected with\r\nransomware, the Ryuk virus is delivered and begins encrypting files.\r\nDuring the Saturday press conference, LaGrue said there is evidence last week’s cyberattack began because city\r\nworkers’ credentials had been compromised.\r\n“We’ve never confirmed any credentials were given out,” LaGrue said. “But when we look at how our\r\nenvironment was permeated, it was through a compromise of credentials that belong to city employees.”\r\nSource: https://statescoop.com/new-orleans-latest-apparent-victim-of-ryuk-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://statescoop.com/new-orleans-latest-apparent-victim-of-ryuk-ransomware/"
	],
	"report_names": [
		"new-orleans-latest-apparent-victim-of-ryuk-ransomware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434285,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6efd1ecb3f82367ec8349b0ef98734a4c92a793c.pdf",
		"text": "https://archive.orkl.eu/6efd1ecb3f82367ec8349b0ef98734a4c92a793c.txt",
		"img": "https://archive.orkl.eu/6efd1ecb3f82367ec8349b0ef98734a4c92a793c.jpg"
	}
}