Cyber Incident Victim: Colorado Department of Transportation
Date:
Feb 2018
Location:
United States of America
Summary
The Colorado Department of Transportation suffered two ransomware attacks within a two-week period, both involving variants of the SamSam ransomware. The second infection struck while the agency was still recovering from the first, forcing another system-wide shutdown; employees reverted to manual pen-and-paper processes while the network remained disconnected. Critical traffic operations, construction projects, and digital signage were unaffected, but only about 20% of the compromised machines had been restored when the follow-up variant bypassed the security tools already in place. The Colorado National Guard and the FBI assisted with restoration and investigation, and CDOT noted that the ransomware's evolving variants kept getting past its defensive measures.
Description
The Colorado Department of Transportation (CDOT) experienced two ransomware attacks within a two-week period in February and March 2018. The initial SamSam ransomware attack paralyzed CDOT systems on or around February 22, 2018, forcing the agency to begin recovery operations. While that recovery was under way, with approximately 20% of the affected machines restored, a second variant of SamSam ransomware struck CDOT on March 1, 2018. This recurrence prompted an immediate shutdown of all computer systems, including those that had just been restored. Both attacks hit Windows machines running McAfee antivirus software, and the second variant showed improved evasion that got past the security tools already in place. CDOT employees were ordered to power down their computers and revert to manual pen-and-paper operations as the agency disconnected its network from the internet entirely.

The attacks caused significant operational disruption but did not affect critical infrastructure such as construction projects, traffic signs, or variable message boards. CDOT's Office of Information Technology acknowledged that the ransomware's evolving nature hindered its defenses. Multiple agencies, including the Colorado National Guard and the FBI, collaborated to restore systems and investigate the incidents. Network isolation remained in place during recovery, with no internet connectivity permitted until the sources of the threat were identified. As of the reporting on March 7, 2018, the full restoration timeline and total impact remained unquantified. The attackers demanded Bitcoin payments in both incidents, though whether any payment was made, and what data if any was compromised, was not disclosed in available reports.
