
Cyber Incident Victim: Colorado State Government

Date:

Aug 2022

Location:

United States of America

Summary

A Colorado municipality experienced a ransomware attack by a foreign group demanding $5 million in cryptocurrency; the municipality refused payment and restored its systems from backups. The incident disrupted municipal operations, forcing the closure of City Hall and its communications systems for over a week, with FBI assistance in recovery. The BlackCat ransomware variant, written in Rust in a way that helps it evade detection, also compromised another local government entity, causing unrecoverable data loss including inmate financial records. Both victims declined to pay the ransom, in line with state guidance discouraging payment to avoid funding cybercrime. State cybersecurity resources supported recovery efforts while emphasizing enhanced protective measures, though officials acknowledged persistent threats from evolving hacker tactics.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On August 29, 2022, the City of Wheat Ridge, Colorado, experienced a ransomware attack attributed to a foreign entity likely based in Eastern Europe. The attackers deployed BlackCat ransomware, encrypting municipal data and systems while demanding a $5 million ransom payable in Monero cryptocurrency. The city immediately shut down its phone and email servers to contain the breach, forcing the closure of City Hall to the public for over a week. After three weeks of assessment, Wheat Ridge officials confirmed they would not pay the ransom, relying instead on viable backups to restore operations. The FBI assisted in the investigation, though the city noted it was still determining whether resident, business, or employee data had been compromised. Restoration efforts proceeded without capitulating to the hackers’ demands, with city IT teams prioritizing system recovery.


The attack on Wheat Ridge followed a similar BlackCat ransomware intrusion against Fremont County, Colorado, on August 15, 2022, which crippled all county systems. Fremont County’s website remained offline for over a month after the attack, and its inmate accounting systems were declared unrecoverable, resulting in lost deposits to prisoner accounts unless residents could provide transaction receipts. Like Wheat Ridge, Fremont County refused to pay any ransom, citing alignment with federal and state guidance discouraging payments to avoid funding cyberterrorism. Colorado’s Governor’s Office of Information Technology deployed resources to Fremont County for five weeks to assist with recovery and security hardening.

Both municipalities declined to specify the initial attack vector, though Wheat Ridge ruled out employee error as the cause. In response to the attacks, Wheat Ridge implemented two-step verification for all employee devices and deployed system-wide monitoring software, while Fremont County focused on restoring critical operations. The incidents underscored BlackCat’s notoriety as a sophisticated ransomware variant written in the Rust programming language, which enhances its stealth and resilience against detection. Previous Colorado ransomware targets, including Lafayette in 2020 and Regis University in 2019, had opted to pay ransoms, though Lafayette subsequently strengthened its cybersecurity protocols. State officials emphasized ongoing vigilance given the inevitability of future attacks despite defensive improvements.
