Feds track down organization responsible for City of Tulsa ransomware attack, systems slowly coming back

  • The City of Tulsa’s computer systems will be impacted by a ransomware attack for at least three more weeks, and some systems will be down for more than a month.
  • In an update with local news reporters, Tulsa Mayor G.T. Bynum said federal investigators have tracked down the organization responsible for planting ransomware in the City of Tulsa’s computer systems.
  • Bynum said the city refused to communicate with the “cyber terrorists” who had demanded they be contacted to discuss a ransom. Instead, the city decided to take its own corrective action and start the long and thorough process of reclaiming its systems without paid assistance from the hackers.

TULSA, Okla. — It could take more than a month for some of the City of Tulsa’s computer systems to come back to normal operating levels after ransomware was detected earlier this month.

Tulsa Mayor G.T. Bynum said the city refuses to pay anyone who attacks its network in order to extort money in exchange for handing its systems back. Instead, using protocols, programs, and the information technology specialists on hand for moments like this, the city will work to reclaim its network and re-secure it on its own, a process that could take a few weeks for some systems and more than a month for others.

“We are not going to spend taxpayer dollars on paying any ransoms or demands,” Bynum said.

A FOX23 viewer sent in a photo of city I.T. workers taking multiple computers out of a single city building.

Tulsa’s Chief Information Officer Michael Dellenger told FOX23 that the photo sent in to us showed why the process would take so long.

Every single computer the city uses that is connected to the network is being scanned and cleaned of any malicious software that may be tied to the attack or may have been placed on a computer for future attempts at holding the city’s servers for ransom.

“That’s just what we’re going to have to do right now,” Dellenger said, explaining why every single computer, estimated to number in the hundreds, will need its own individual screening.

The screenings will be part of the long recovery process. The rest of the process will be internal, technical work.

“We have our I.T. teams working twelve-hour shifts, twenty-four hours a day working to get this under control,” Bynum said.

The city’s utility bill paying website remains down, and residents are asked to save up the money they would use to make their payments, so they can get back on track when the website to pay their bills is restored. Residents may need to make multiple payments at once when the system becomes operational again.

Bynum said no one will have their city utilities cut off because of non-payment while the bill paying system is down.

“We’re not going to cut off a resident’s utilities for something that isn’t their fault,” he said.

He also said federal investigators have tracked down the specific group responsible for the attack, but because he didn’t want to give them credit and hinder the prosecution of the case that is now underway against the attackers, he did not reveal who the group is.

Bynum called the group “cyber terrorists” and said other groups should take note that the City of Tulsa will not pay any money to anyone. The city is not ashamed to be transparent about issues like this and will not pay “hush money,” he said.

The group installed ransomware in late April, and the program began to operate and come online in early May. A city firewall and other security protocols kicked in to let the city’s technology department know that an attack was taking place. At that time, Dellenger said, a demand to contact the hackers was sent, but the city ignored it and began the long process of cleaning up the mess that was made.

The investigation into how the harmful software was granted access is still underway, but city leaders said they suspect someone may have clicked on and opened a phishing-type e-mail disguised as official city business.