The Ernest N. Morial Convention Center, one of the cornerstones of New Orleans’ multibillion-dollar tourism economy, is the latest victim in a string of cyberattacks against city and state computer systems that have had serious consequences for government officials and the public.
New Orleanians were left unable to pay property taxes or obtain permits online for several weeks starting in mid-December, and earlier Louisiana drivers had to wait days or weeks to reinstate and renew certain licenses through the state Office of Motor Vehicles.
But on Saturday, no signs were posted to alert Convention Center patrons to the attack. Instead, the center’s huge lobby was buzzing with typical activity; conventioneers were surprised to hear that there had been a cyberattack.
Officials said that while the center’s computers had been hit by malicious software that left its data locked up and inaccessible, the “front of house” convention operations were relatively unaffected.
In the lobby, nothing seemed amiss. “Everything is fine,” said a crowd of women from Wisconsin Dairy Queens attending the DQ Expo 2020. They said that on Friday, their day had gone exactly according to plan, down to a taste test of a new delicacy: vanilla cones dipped in cotton candy. Their schedule for Saturday was also unchanged, they said.
Outside of Exhibition Hall B, girls in cheerleading dresses and bright hair ribbons practiced routines for the “Mardi Gras Nationals,” hosted by Mardi Gras Spirit Events.
At a nearby table lined with laptops, Sarah Baxter signed in the competition’s teams, who had come from 14 states. They hadn’t been notified about the attack, she said, but she didn’t think it was affecting their event in any way.
One of the cheerleader coaches wrinkled his forehead in thought. “How would we know if we were affected by it?” he asked. “Would we see something different here?”
Early that morning, Baxter’s team had experienced a glitch, when only one of their four laptops was able to access a wireless Internet router provided by the center. A workman had come with a new Internet “hub,” and they’d linked all four of their laptops to its Wi-Fi signal by about 8 a.m.
“It took about 10 minutes to fix,” said Baxter, who was unsure whether the problem had anything to do with the cyberattack.
“There is nothing visible. That’s why they call it cyber,” said Tim Hemphill, the Morial Center’s vice president of sales and marketing. He said that the Internet glitch was likely unrelated to the cyberattack, which left the center’s administrative data encrypted and inaccessible but did not affect the weekend’s operations.
For instance, the workers who washed windows and provided security for that day’s events were able to punch in through a third-party system that wasn’t affected by the attacks, Hemphill said. The center’s electronic signs, lighting, presentation systems and heating-cooling systems were also unaffected, he said.
The only aspect of conventions that may be affected in the near future is the way that electricity and audiovisual equipment are sold to exhibitors. “Those orders are processed online,” Hemphill said.
This weekend’s orders had already been handled, but orders will likely be processed on paper, not by email, for the Society of Thoracic Surgeons convention that begins next weekend, Hemphill said.
Convention Center officials said in a press release Friday evening that hackers had injected ransomware into the center’s computer networks Thursday.
“Even with our extreme vigilance and system redundancies, we were victimized by a criminal element seeking to harm the center, our clients and our vendors,” Convention Center President Michael Sawaya said.
Ironically, in response to the recent, high-profile cyberattacks on other public agencies, Convention Center leaders had required all employees to complete four hours of online cybersecurity training. “We were reacting to it, trying to beef up our internal protocols,” said Hemphill.
Officials do not believe center employees’ personal data were compromised as a result of the attack. And though someone on the center’s staff had received a “very cryptic” ransom note demanding a payment in the cybercurrency Bitcoin, the demand was unclear and the Convention Center had not complied, Hemphill said.
But because the forensic investigation has just begun, much is unknown.
Hemphill said that a quick recovery depends on the organization’s remote recovery server and whether that will be accessible once the ransomware is unlocked.
“If it’s not resolved until further out, we’ll have to deal with other impacts,” said Hemphill, who expressed concern about digital files for convention calendars and contracts. “But we don’t think that will happen.”
Besides the attacks on city and state government computers late last year that caused a host of problems, a handful of nearby school districts have also weathered attacks in recent months.
They join 113 government agencies across the U.S. whose systems have been infiltrated over the past year by foreign and domestic cyber criminals seeking a quick payout, according to the Emsisoft Malware Lab, a team of cybersecurity researchers that has created more than 60 free ransomware decryption tools. In addition, 764 health care providers and 89 universities, colleges and school districts have been hit, according to the lab’s December report, “The State of Ransomware in the U.S.: Report and Statistics 2019.”
Some government agencies have restored their data by complying with ransom demands, though that’s a controversial solution. “Payments are the fuel that drive ransomware. The only way to stop ransomware is to make it unprofitable, and that means the public sector must practice better cybersecurity so that ransoms need not be paid,” according to the Emsisoft report.
Though it may seem like cyberattackers are targeting Louisiana, that is unlikely, said Brett Callow, a threat analyst with Emsisoft. “Most ransomware attacks are random.” he said. “It’s a bit like someone firing off a machine gun and the people who aren’t wearing a bulletproof vest get hit.”
Cyber attackers send mass, spam email messages with malicious attachments that hit victims who don’t have strong security. Governments typically have more lax security and so they are increasingly affected by such attacks, Callow said.
The Convention Center has cybersecurity insurance and filed a claim as soon as officials verified the attack this week. Its insurer, Travelers Insurance, provided the center with a data breach response team to investigate and remediate the attack.
“Once we file the claim with the insurance company, they take over and send in a negotiation team,” Hemphill said. “There is also a ‘breach coach’ who acts like a kind of grief counselor and talks us through the various steps.”
Convention Center servers were protected by anti-virus software, Sawaya said, but the ransomware appears to have been sophisticated enough to outmaneuver it.
The attack seems to have been a variation of the so-called Ryuk attack that has locked up computers across the nation and is believed to have roots in Russia, Hemphill said, noting that the cybersecurity upgrades that they’d made and the training they’d offered were not enough to combat the newest variation of the fast-changing malware. “It is hard for cybersecurity protocols to keep up with it,” he said.
Staff writers Jessica Williams and Anthony McAuley contributed to this report.