US cities disclose data breaches after vendor’s ransomware attack

Cuba Ransomware

A ransomware attack against the widely used payment processor AFTS has sparked data breach notifications from numerous cities and agencies within California and Washington.

Automatic Funds Transfer Services (AFTS) is used by many cities and agencies in Washington and other US states as a payment processor and address verification service. As the data used for billing and verifying customers and residents is wide and varied, this attack could have a massive and widespread impact.

The attack occurred around February 3rd when a cybercrime gang known as ‘Cuba ransomware’ stole unencrypted files and deployed the ransomware.

The cyberattack has since caused significant disruption to AFTS’ business operations, making their website unavailable and impacting payment processing. When visiting their site, people are greeted with a message, stating, “The website for AFTS and all related payment processing website are unavailable due to technical issues,” as shown below.

Automatic Funds Transfer Services (AFTS) website

BleepingComputer discovered that the attack was conducted by a cybercrime operation known as ‘Cuba Ransomware’ after the hackers began selling AFTS’ stolen data on their data leak site.

Like other human-operated ransomware, Cuba will breach a network, spread slowly through servers while stealing network credentials and unencrypted files, and finally end the attack by deploying the ransomware to encrypt devices.

According to the data leak page, the Cuba gang claims to have stolen “financial documents, correspondence with bank employees, account movements, balance sheets, and tax documents.”

Cuba ransomware data leak page for AFTS

If the ransomware gang cannot find a buyer for the data, they will likely release it for free, allowing the data to be used by other threat actors.

Affected cities and agencies

Due to the large amount of potential data allegedly stolen by the Cuba Ransomware operation, cities utilizing AFTS as their payment processor or address verification service have begun disclosing potential data breaches.

The potential data exposed varies depending on the city or agency, but may include names, addresses, phone numbers, license plate numbers, VIN…