Hoboken government recovering from ransomware attack as Conti-linked gang takes credit

The city of Hoboken is still recovering from a recent ransomware attack that required it to bring in several federal law enforcement agencies for assistance. 

In an update on Wednesday afternoon, the New Jersey city of more than 60,000 said it was making progress in its recovery and asked for “continued patience” while it restores all of its systems. 

“The City is actively working with the Hoboken Police Department, federal law enforcement agencies, and IT specialists to thoroughly investigate the cause and extent of the incident,” it explained. 

“The Hoboken Parking Utility service window has resumed accepting credit card payments, and the majority of City staff and departments can now be contacted via email. Response times may be delayed.”

Other departments, including the Office of Vital Statistics, can only be contacted by phone. The city did not respond to requests for comment about whether a ransom would be paid or whether Wi-Fi and email services at City Hall had been restored. 

The attack was confirmed one day before the Thanksgiving holiday, continuing a longstanding trend of ransomware gangs specifically going after governments and businesses when IT staff members are typically on vacation. 

On Sunday, the city said many citizen services like temporary “no parking” signs and other permits were still available in spite of the attack. But many services could only be obtained using cash or check payments. 

The ThreeAM ransomware gang said Wednesday that it was responsible for the attack, posting the city on its leak site. The gang did not say what data was stolen or how much was taken. 

Recorded Future ransomware expert Allan Liska said the gang is likely tied to the Conti family of ransomware gangs. Conti was one of the most prominent cybercriminal operations but shuttered after drawing global infamy for the near total shutdown of the Costa Rican government in 2022. 

The gang’s ransomware is written in the Rust coding language and is not based on older code, according to Liska.

“It’s been around for about a year and the attackers seem to be skilled, but it is not huge, which may mean the group isn’t using a ransomware-as-a-service model,” he said. 

“But they have hit some big targets like Brunswick Hospital Center. In the last year and three months it has listed about 50 victims on its extortion site.”

Experts from Chainalysis saw blockchain evidence tying members of ThreeAM to the Royal ransomware gang — which is responsible for several notable attacks including an incident that severely damaged the city of Dallas last year. 

Researchers at Symantec also saw some hackers deploying ThreeAM ransomware after failing to deploy the LockBit ransomware, illustrating the often murky cross-pollination within the cybercriminal ecosystem.