Cyber Incident Victim: City of Stuart

Date: Apr 2019

Location: United States of America

Summary

A ransomware attack impacted the City of Stuart's municipal systems, forcing servers and computers offline. The Ryuk strain infected machines, and evidence suggested that initial access came through a phishing email that reached an isolated desktop computer rather than through brute-force methods. Critical functions like payroll, utilities, and budgeting were restored, but email remained inaccessible for employees, and emergency services systems (police and fire departments) stayed offline during recovery efforts. Restoration of all services was anticipated within approximately ten days. Investigators analyzed the infected device to confirm the intrusion vector; the specifics of the ransom demand were not disclosed.

Description

On April 13, 2019, the City of Stuart, Florida, experienced a ransomware attack that disrupted municipal operations. The Ryuk ransomware strain infected city servers and computers, forcing critical systems offline. City Manager David Dyess confirmed the attack began with the compromise of a desktop computer lacking external connectivity, ruling out a brute-force attack as the initial vector. Investigators focused on a phishing email as the likely entry point, though forensic analysis of the infected machine was ongoing to confirm the exact intrusion method. The incident mirrored Ryuk attacks previously observed in Jackson County, Georgia, and Albany, New York, though the specific Bitcoin ransom demand for Stuart was not disclosed. Immediate impacts included the shutdown of servers supporting core municipal functions, with emergency services, administrative operations, and communication channels severely affected.

Recovery efforts prioritized restoring essential services, with payroll, utilities, and budgeting systems returning to operation first. However, city employees remained without email access, and police and fire department systems stayed offline during the initial recovery phase. Dyess projected full restoration of services within approximately ten days following the attack, based on progress reported by TCPalm. The investigation continued to analyze the infected desktop to definitively establish the attack’s origin and propagation path. No data theft or secondary exploitation beyond the ransomware encryption was reported in available updates. Municipal operations relied on contingency measures while technicians worked to rebuild compromised infrastructure.
