Ransomware Completely Shuts Down Ohio Town Government

An anonymous reader quotes a report from TechCrunch: In another interesting example of what happens when you don't manage your backups correctly, the Licking County government offices, including the police force, have been shut down by ransomware. Although details are sparse, it's clear that someone in the office caught a bug in a phishing scam or by downloading it and now their servers are locked up. Wrote Kent Mallett of the Newark Advocate: "The virus, accompanied by a financial demand, is labeled ransomware, which has hit several local governments in Ohio and was the subject of a warning from the state auditor last summer. All county offices remain open, but online access and landline telephones are not available for those on the county system. The shutdown is expected to continue at least the rest of the week." The county government offices, including 911 dispatch, currently must work without computers or office phones. "The public can still call 911 for emergency police, fire or medical response," wrote Mallett.

Automatically fired

Everyone there should be replaced automatically when this happens. It would probably only happen once, and then never again.

Re:Automatically fired

No. Only everyone working in IT should be fired.

How about whomever overrode the IT department with regards to security?

"Nah, that makes it too hard to do our jobs. Just use one shared admin account that is always logged in on all machines, so we can just do whatever we need to..."

Re:Automatically fired

[GerryGilmore]

Sadly, a typical reaction today... Fire/LockUp/Execute Everyone Even Remotely Connected to Scandal-De-Jure...FFS, most of these same commenters also want to "shrink government", "cut taxes", etc. NONE of which is going to: improve training and testing; expand, fund and enforce standards across municipalities; enhance LEO capabilities to track and prosecute attackers. But - Hey! - we get to sound awful tough!!

Re:Automatically fired

[rubycodez]

Wrong, town would be without protection is all that would happen with your stupid juvenile solution. Most those people can't be expected to be IT experts, and in fact this situation proves that services can exist without a computer in sight.

Wrong to say backups are a solution, you could the malware nicely backed up too.

Re:Automatically fired

[K.+S.+Kyosuke]

Everyone there should be replaced automatically when this happens.

In theory, yes. But they probably don't have backups for them. ;)

Re:Automatically fired

[TechyImmigrant]

Wrong to say backups are a solution, you could the malware nicely backed up too.

Not if you do it in a way that is safe from ransomware.

1) Make your backup system safe from ransomware by limiting the software run on it and have only skilled IT people operate it.
2) Give the backup system the privilege to pull the backup data from the machines being backed up and to push the restore data.
3) Don't give the machines being backed up the privilege to push data to the backup system to ransomware can't corrupt the backups.
4) Restore every night so you know the restore will work. Have the backup system push a clean image and the applications to each PC and check the consistency of the databases and restore them if they are corrupted.
5) ????
6) Profit!

Re:Automatically fired

[CaptainDork]

Treason is vacuous in this context (and all others right now).

Article III, Section 3:

Treason against the United States, shall consist only in levying war against them, or in adhering to their enemies, giving them aid and comfort. No person shall be convicted of treason unless on the testimony of two witnesses to the same overt act, or on confession in open court.

The Congress shall have power to declare the punishment of treason, but no attainder of treason shall work corruption of blood, or forfeiture except during the life of the person attainted.

No one in this matter is a United States citizen who has declared war against the United States. The last time that happened was the Civil War.

The United States does not have any enemies. There is no list of enemies. The last time the United States had an enemies list was World War II.

This also explains why Snowden could not be charged with treason.

Re:Automatically fired

[El+Cubano]

most of these same commenters also want to "shrink government", "cut taxes", etc. NONE of which is going to: improve training and testing; expand, fund and enforce standards across municipalities; enhance LEO capabilities to track and prosecute attackers. But - Hey! - we get to sound awful tough!!

Actually, it is not difficult to accomplish both. For example, you could shrink government substantially by implementing a national retail sales tax (lots of conservative lawmakers have proposals, so there plenty of choices) and replacing the entire IRS with something like a 10-20 person office responsible for processing sales tax receipts (this would actually be super easy since sales tax is already collected in something like 99.9% of the US). You could also eliminate entire executive departments that don't actually do anything productive (like education; seriously, the more money the federal government spends on education, the worse it gets, so we should try something different). Those two changes alone would free up considerable funding to apply to the items you list and would result in a net smaller federal government that is also leaner (as defined by doing more of what government should do, like LEO, and less of what it shouldn't, like anything not specifically listed in the constitution). And that is without even touching the sacred cows of social security and medicare.

Re:Automatically fired

[PopeRatzo]

Treason is vacuous in this context

You're absolutely right. It's not treason. It's an act of war.

But you know the old saying, In Soviet USA, you ransom government.

Re:Automatically fired

[sjames]

That's why you need a rolling offline backup. You might lose the day before yesterday's backup, but you'll still have yesterday's.

Re:Automatically fired

[CaptainDork]

Nah.

It's other stuff like money laundering, extortion, illegally accessing a computer and "other," but not an act of war.

This is an act of war:

Act of War Law and Legal Definition

An act of war is an action by one country against another with an intention to provoke a war or an action that occurs during a declared war or armed conflict between military forces of any origin. The loss or damage caused due to such conflicts are excluded from insurance coverage except for life assurances.

I'm certain you'll be interested to know that the state of California has just taken steps to make ransomeware illegal.

Re:Automatically fired

[UltraZelda64]

Wait--so you're saying that being beaten with clue sticks too much could even be hazardous to your health when done in excess? I swear, is *anything* fucking safe these days?!?

Re:Automatically fired

[stealth_finger]

The United States does not have any enemies. There is no list of enemies. The last time the United States had an enemies list was World War II.

This also explains why Snowden could not be charged with treason.

Of course they do, now the list just reads muslims in scrawny handwriting and a squiggle that looks like it might say gays. Also did you forget about Russians, Korea, Vietnam, Desert Storm 1 & 2 and all the other jaunts the US military have been on since ww2?

Re:Automatically fired

[orlanz]

Ok, looking at the other poster's Wiki link, what I got on that report:
1/3 of tax revenues are wasted by govt ops
1/3 aren't collected because people don't pay what they owe
1/3 are used to pay interest on the national debt

It predicted that our debt will be 13Trillion by 2000 but that didn't occur till the Housing bubble burst in 2008. For a 15 year forecast, 8 years off ... is kind of bad. Nor does the report take into consideration or provide recommendations to the impact of Congress varying tax rates or the economy's performance.

1/3 is wasted. This is pretty much true of ALL large organizations. Not just governments. And before people bring up private vs public funds... If your primary customer is the government (Lockheed), you are a country's darling industry (GM, Chrysler, Steel workers), or just too big to fail (Chase, Wells Fargo, Citigroup) the emergency funds are all tax payers'. Even their suppliers are supported by tax payers.

1/3 is not paid. Right, you are arguing that the government steals our money, wastes it, and provides nothing in return. But the primary reason for nothing in return is that 1/3 don't pay what they owe? This would go up if we switched to only a sales tax like the grand parent says.

1/3 is used to pay national debt. Its silly how people talk about national debt; like its a singular metric used to define government inefficiencies. Its the flip side of but the same as how people argue about the performance of a company based on revenue increases; never taking into consideration the many other factors in play.

But paying off debt is easy; we can always just print money. But we don't, because it would hurt the US citizen the most. Because most of the national debt is to ourselves. Far more (2/3s) so than all the foreign nations & entities combined! But really, why are we complaining that others are willing to lend us money to invest in our economy? If they feel we are risky or bad, they will either make it unaffordable or not lend us. The debt stays in a band of efficiency all by itself. Go too high, we print money; go too low, interest rates tank.

The report is basically bullshit and Congress rightfully ignored it.

BTW, Tax Withholdings are actually mandatory by law since 1943. The President vetoed it, but Congress passed it. Meaning the State reps overrode the Federal in passing that law. Most states also have Tax Withholdings. So do some cities! Its a fair way for the public (aka government) to collect revenues to pay for the daily services you consume. The alternatives are to pay up front for the year's services, or the federal government takes a loan that is serviced by the year end collection. Without continuous collections to pay continuous services, the public would actually be more in debt. Additionally, most people aren't disciplined enough to actually save their salary to pay their taxes. So the number of people NOT paying their fair share would go up if all collections happened on Jan/April.

Finally, you can OPT out of most monthly Withholdings! You can elect allowances to reduce the Withholdings. You can even file an Exemption from all Federal Withholdings if you don't own taxes! But of course within a certain margin, you must still pay your total year's worth of taxes on a regular quarterly basis. But the power is entirely within your hands to push your tax payments to the last minute possible. You don't have to pay too much every month and get the extra back a year later.

Knowledge IS power!

Also, Ft Knox would be the epitome of "big central government". Federal Reserve is decentralized governance backed by tax payers. Individual banks would be like little governments.

Re:Automatically fired

[apoc.famine]

The problem with a sales tax is that it's inherently regressive. If you live paycheck-to-paycheck, something like 50% of your money gets taxed. (Assuming the other 50% is rent, debt payments, utilities, etc.) If you make upper middle-class or higher income, and you can bank or invest half of that, with the same ratio for the rest of it, you're getting taxed on 25% of your money.

The more you make, the less you're proportionally taxed. So someone making $20k/year may be taxed on $10k of it, while someone making $200k (10x as much) may only be taxed on $50k of it. (5x the tax for 10x the income.)

This is why tax codes get so crazy. If you want people to pay a proportional amount of their income in tax, you need the tax code. But that usually means that you need to tax the poor to unreasonable levels to get the money you need. So then more laws are needed to shift collections from the poor to the rich, so that you're extracting a reasonable amount from both groups. And then the rich don't like that, so they bribe (or are) lawmakers and get loopholes put in to shelter money, and, that's where we are today.

Re:Automatically fired

[budgenator]

Not if you do it in a way that is safe from ransomware.

If your going to do ransomware, you set it up so it infects the network well before it encrypts the file systems. The ransomware will then be on all of your backups so even if you rebuild from bare metal, as soon as you restore from backups your reinfected.

Re:Automatically fired

[moeinvt]

Check out the Fair Tax It's a consumption tax, but overcomes the regressive nature of a general sales tax by providing a tax "prebate" up to a certain income threshold.

Under the fair tax, the government would send everyone a check at the beginning of the year in the amount that a person with $X of income would pay in consumption taxes over the course of the year. If the tax was 8%, and the income threshold was $20k, every household would get a $1,600 check. Thus, a household at that exact income level would pay $0 in tax.

The fair tax also has the benefit of making domestic goods more competitive because taxes would not be baked in to the prices. Something like the fair tax is really the best way to go. Unfortunately, the voluminous income tax code is the politicians' favorite method of handing out favors to wealthy special interests, so we'll probably never see it happen.

Re:Automatically fired

[MachineShedFred]

Yeah, but those weren't actually declared wars. They were 'police actions' or 'armed conflicts' or some other trite bullshit.

Calling something what it actually is brings forth a whole new section of laws and regulations that nobody involved wants to deal with. So they skip it.

Re:Automatically fired

[MachineShedFred]

I see what you did there, but this is probably a bit closer to the real list.

Re:Automatically fired

[MachineShedFred]

Yeah, so this is why you put in place policies to restrict the amount of damage that can be done by ignorance, or a bad actor.

Step 1: Nobody should be logging in interactively as an administrative user. UNIX / Linux / OS X has sudo, Windows has 'run as administrator...'
Step 2: Everything should be running a firewall that has everything closed by default, and only things that need to receive traffic whitelisted. This firewall and it's rules should be actively monitored and maintained by some kind of automated configuration management.
Step 3: Any organization that is at all serious about network security should have an authenticated proxy server for outbound traffic, and that proxy should be the only thing allowed to talk to the Internet without a security review. Use this proxy to block known bad actors on the Internet.

That would drastically reduce the amount of exposure to attack, and it's unlikely that this county office has done any of them, much less all of them.

Re:Automatically fired

[TechyImmigrant]

The clean image should help with that.

Re:Automatically fired

[CaptainDork]

This.

Again, the last declaration of war was World War II - related. (There have been 11 total declarations of war in US history.)

There are also diplomatic reasons for a dislike of "declaring war" on a country, as it can often be perceived as holding an entire nation responsible for the actions of a few of its citizens. In the case of the most recent public opposition, those who support such actions have noted that, in the case of the wars in Afghanistan and Iraq, there was no 'target' for a legal declaration of war, rather political groups or individuals. On the other hand many argue that since an invading army seeks to occupy and cause havoc to a target country and its population and not just a political group or individual, the aforementioned justification is tenuous at best.

Re:Automatically fired

[stealth_finger]

That's true but you said the US has no enemies, not hasn't been at war. I would argue you can have lots of enemies without being at war with anyone, especially when conducting "police actions"

Re:Automatically fired

[CaptainDork]

I would argue ...

Not in court.

Re:Automatically fired

[rubycodez]

And someday find the malware infected you on day n+y where n is the number of days you have backed up

Re:Automatically fired

[rubycodez]

you are funny, you fail at the step one. That would be the step applied to normal production system but those STILL can get malware

Re:Automatically fired

[sjames]

You can play that game forever, ending with what happens if the quantum vacuum collapses to a lower state, what will you do then, Huh!, HUH!

Of course, would you rather restore to a state where you had your data but there's a virus about to wipe it again, then try to kill the virus or would you rather just lose it all with no chance?

Risk will NEVER be zero. The objective is to take a few steps that can reduce the risk by orders of magnitude. With N=2 backups, you greatly reduce your risks. Add in less archiving of your backup and immediate archiving of any data you know will be needed for years (such as video evidence of a crime), and you reduce the risks another few orders.

Imagine all the cowards

A government made up entirely of ACs. What a glorious immolation...

"This smouldering cinder patch was the result of the Great Social Experiment."

Bless your little souls

So in Licking....

[surfdaddy]

...things are not still Ticking!

Re:So in Licking....

[rtb61]

Actually technically speaking they are, this is really a high risk game, across international boundaries, it is extremely problematic. They will find a while bunch of agencies from around the world go after them and the penalties could be quite dramatic. Really, really, not a good idea, there will be a severe price to pay.

Ransomware Insurance

The capitalist response is to sell ransomware insurance, because techy solutions are all eggheaded and faggy.

Good idea for progressing on secessionist movement

If all it takes is a bit of ransomware to shut down government then the secessionist movement of New Hampshire has been doing it all wrong. For those who don't know about the migration of principled libertarians (ie no violence, theft, fraud, or coercion then there is no crime, and government shouldn't be using these things against peaceful people either) to New Hampshire and want more freedom and liberty in our life time then you need to check into this movement. Those who have moved to New Hampshire have a dream of independence for the region. There is a limit to how much government can be shut down once we gain control of the state due to the federal governments existence. For instance copy"right" violates people fundamental rights not to be interfered with given that there is no violence, theft (ie nothing is lost when a copy is made), fraud, or coercion in the case of copy"right" infringement. If you don't like the tyrannical police state and nanny state we live in check out the liberty migration movement (we don't need a majority, just an active minority in order to outnumber the opposing views, and the majority in NH are already not registered democrat or republican)t: http://www.freestateproject.com/ http://forum.shiresociety.com/ http://www.freekeene.com/ http://www.freetalklive.com/

Don't blame all employees

[omnichad]

If it's hitting central servers and shutting everything down, it's probably a weak RDP password with port 3389 wide open. That's what the last ransomware I saw involved.

Re:Don't blame all employees

[Tough+Love]

If it's hitting central servers and shutting everything down, it's probably a weak RDP password with port 3389 wide open.

And it's probably Windows. Backup strategy is just a contributing problem here. The central problem is using Microsoft products in inappropriate ways, like running servers.

Re:Don't blame all employees

[Tough+Love]

Have one Windows server to run AD and provide SMB shares, and move everything critical to Linux. Then get rid of the Windows laptops to improve the perimeter defence.

Re:Don't blame all employees

[Tough+Love]

You know the red stapler guy in Office Space? That would be the resident Windows sysadmins.

Re:Don't blame all employees

[wbr1]

The last one you saw does not equal probably for any others. Your sample size sucks. Mine is not much better, but the last 3 successful crypto attacks I have seen have been through drive by downloads and very well socially engineered emails with attachments.

Yes RDP open on 3389 is stupid, but believe it or not we have clients with legacy software that requires it. Only solution is to reduce attack surface. Frequently check accounts, change passwords etc. Oh, and the last successful RDP breaches I saw did not result in crypto, mostly ID theft and confidential data exfiltration.

Re:Don't blame all employees

[omnichad]

Your sample size sucks.

My research included the wider Internet - it's a lot more common than you think. If it's hitting an entire server, and not just network shares, and the computer isn't used for web browsing - you're not going to get it from a drive-by download.

believe it or not we have clients with legacy software that requires it. Only solution is to reduce attack surface.

Yeah, like with a VPN. Is there really any software that requires a remote RDP server but couldn't handle it through a VPN connection?

That presumably all-seeing NSA

[Applehu+Akbar]

Can a new administration with no concern for political correctness finally turn the NSA loose on finding ransomware perpetrators? Since we in here have decided that their Internet surveillance efforts are omnipotent, they should be able to trace a surveilled Bitcoin payment back to them. Then we hire local talent for "wet work" in killing them off in some eye-catching manner, dissuading others from entering the business.

Re:That presumably all-seeing NSA

[AHuxley]

Groups have considered that. The staging servers are in safe nations surrounded by layers of real people doing active counter surveillance.
Say the NSA finds a server in Australia, Canada, NZ or the UK? Lots of support over decades so information is passed and kept very secure.
A request is created by another US law enforcement agency to hide the NSA origins of the data found.
Another nation creates a 12 person police team to look at the people using the server. Say 3 person police team on duty, a few shifts per day to watch the area of interest.
The local inward looking, isolated cult like community soon notices the new vans, tracks, cars, new utility workers doing no real work or small groups of new people who just don't fit in that community. A new camera in a box on a utility pole facing a site.
Locals will then surround, chat down and confront the undercover police teams. Once photographed teams of undercover police are not much use in that area. Local police then have to help escort the now photographed "undercover" teams out of the area.
The server is moved only to start up in another safe area once the community works out who is of interest to that police team.
If an attempt was made to remove the servers by using cyber methods a nations internet provider or gov network would be altered and corrupt staff doing the clean up would find traces of new NSA cyber methods in the wild and report them globally as interesting new malware.
Most groups set up bait servers just to see what gov, mil, other groups, firms, contractors come looking and what methods they use.
Groups have layers of counter surveillance options just by selecting a no go part of a city where every police or undercover police action is very easy to spot as it enters that part of a city. The wider local community knows every face, every car, every normal government and city worker expected to be in the area.
Telco and local gov workers are also loyal to cult like criminal groups over generations of staff and warn of any changes to ISP, telephone networks when normal gov/police logging is requested on local phone numbers or ISP accounts.
Bribes, infiltration gives days or hours of any local police action. More secure federal police units on the move are spotted in most nations with enough warning to escape. Hardware is lost but teams regroup with funds to set up new servers.
The only way around such methods is satellite collection, mil grade surveillance aircraft looking at all wireless networks, or unexpected national telco upgrades that totally bypass all local staff. Teams of criminal informants recruited by federal law enforcement to try and renter their old communities hoping their stories and cover holds. Informants are a huge risk as criminal groups know their methods and hire as needed internally, not from people seeking to join.

Staff members with insights into no go communities are a huge risk too, are they loyal or can they ever be trusted? Law enforcement and the security services in most nations are been filled with many new "translators" and "experts" many of who will report back to their own faiths, cults, criminal groups or other nations.
Just finding a server is easy. Getting any more details is hard work. Even the new hiring practices of the police and security services now allow for surveillance to be discovered.

Re:That presumably all-seeing NSA

[Applehu+Akbar]

But....but...but doesn't the NSA have infinite powers to surveil the Internet without us even being aware of it?

In any case, we keep being told that those no-go neighborhoods don't exist. The refugee communities in Paris, Malmö and Calais will gladly throw open their doors to any authority needing to look into what they might be doing on the Internet, won't they?

Re:That presumably all-seeing NSA

[AHuxley]

The NSA can track any user on most networks. Finding a location is often not the issue for the US.
The problem for the USA is the methods have to be hidden and requests to local police just alert criminal groups.
The local police in other nations are corrupt or even members of the same criminal groups, faiths been watched.
Local police also sell information to the press who then alert criminals.
Mil, national or federal police in many other nations just cant do undercover work in closed communities or are totally reliant on generations of NSA like collection methods in their own nations.

Informants tell fictional stories to stay out of the legal system or to get paid. Criminals don't always carry cell phones when planning or doing crime making digital collection less useful. Police in other nations even sell informal lists or witness information in bulk.
Budget cuts, legal issues, political correctness or a lack of skills over decades often slows national police forces.
Criminal groups use this to hide in faith based and inward looking communities. Undercover police are easy to spot, police informants are not invited back in.
The other issue the NSA fears is most nations security forces have been hiring new staff. Security has been replaced by a political demands for diversity.
The entry level and translation services of many nations elite security forces are now been filled up with new staff who are loyal to other nations or faiths, criminals or cults.
Even requesting help from a lot of other nations security services is a huge risk thanks to years security leaks back to gangs, faith groups, criminals and other nations.

The issue then for the US is in finding anyone trust worthy to share the information they gather globally with.
So the NSA, CIA can find most interesting people on computer networks globally. How to use that information in time is getting more difficult for the US.
The long term issues for the NSA is the next generation of staff in once trusted 5 eye nations. Even if select staff in other nations can be trusted, new staff standards in other nations are now a security risk.

Re:That presumably all-seeing NSA

[crtreece]

I don't think you fully understand how transferring Bitcoins works, especially in a world with VPNs, proxies, and datacenters full of virtual hosts.

Re:That presumably all-seeing NSA

[budgenator]

"Now I can't be sure, but my buddy heard some ransomware dude that hit some town in New Jersey got renditioned to Gitmo as a terrorist by that fascist prick Trump. The week after, his mother's house blew up in a freak gas explosion while she was out grocery shopping and his sister got kidnapped and gang-raped by Muslim Refugees."
Now we'll just leak that narrative to "Slate" and next week we'll make sure that is trending on Facebook and Twitter.

Re:That presumably all-seeing NSA

[aicrules]

Committing criminal destruction of property is not political incorrectness...

Re:Oh, for fork's sake

[Ol+Olsoc]

We need to start having MASSIVE fines and petty jail time for this. training, phising warnings, attachment warnings- these things happen daily. Someone that still does this needs to be made to suffer. Then, maybe, people will take the warnings seriously. Is there a malicious negligence or depraved negligence charge we can level at them?

Because getting caught in a phishing scheme is not necessarily depraved indifference. Having to turn off an adblocker so you can get into Forbes.com is plenty enough to get you owned.

I've seen plenty of competent people get owned. Would you make a vow to commit suicide if you ever in your life got malware on your computer? I sure wouldn't.

Re:fool me once

[nobuddy]

When do the staff who failed to create an adequate backup strategy, or the brass who shut down the staff who wanted to do that, be similarly fired for gross incompetence?

this hits home. I had a remote site with critical data that had no backups. for 3 years I kept telling the CFO we need this budgeted to add backups. Always put off "till next quarter". Not even a small budget for a CD-R and manual backups. nada.

Then it happened. Failed system, data lost. No way to recover. Somehow, all my fault. I was fired for it. Presenting my emails and disaster recovery plan requests fell on deaf ears. I was IT, it was my responsibility to prevent.

Re:fool me once

[Ol+Olsoc]

Somehow, all my fault. I was fired for it. Presenting my emails and disaster recovery plan requests fell on deaf ears. I was IT, it was my responsibility to prevent.

Oh man - you were set up from the beginning. The bright side is that company isn't going to be around too long.

Actually, the article states that...

[nuckfuts]

County Auditor Mike Smith saw the bright side. “Apparently, our clock still works,” he told the Newark Advocate.

Re:The worst part about this...

[doesnothingwell]

I worked for Ohio government offices for 15 years, you'll never find a tighter bunch of inbred boot lickers anywhere. Politic and games abound like the time: (cue the flashbackeffect), I once had the departing elected prosecutor tell me to erase the server files. I did so but commented this must be legal as it is being requested by the ruling interpreter of law for the area.

Fast forward a week later and the new prosecutor want to know where the files are, so I told him and he was "not happy at all." I explain that ruling authority at that time ordered it so and suggest he take it up with the recently departed prosecutor, there was much posturing and sabre rattling.

If I had resided in his local area I would probably have spent some time in a cell. I had the files on backup tape in my desk so all was forgiven. Always cover your ass.

Backup/Backup/Backup/Backup/Backup

[felixrising]

I've had the dubious honour of dealing with and recovering from two attacks in the last two years. On both occasions we had one or more staff open a phishing email and execute the ransomware. On both occasions the ransomware successfully encrypted over 250000 files on file shares. We do have quite a reasonable level of protection in place, including 1) AntiVirus and Anti-Malware (useless in both accounts), 2) moderate level of security groups for users limiting access to only those files they require, with exception of a "temp share" which is a dumping ground for all kinds of stuff, but cleared automatically every 30 days, 3) file name/extension ACLs on windows shares that prevent files like .encrypted .EnCiPhErEd from being created on the file system 4) daily backups. In each case, we still had to do targeted purge/restore to get the files back. We never for a second thought about paying the ransom. I restored all files within 4-6 hours, using a mixture of scripts and manual review of folders and files. The best solution is have great back-ups... those backups should be regularly tested and monitored for success. With good backups, you can recover in a very short time frame....

Re:Backup/Backup/Backup/Backup/Backup

[swb]

I've moved to adding additional backups of servers at greater risk of ransomware encryption, every 2-4 hours depending on what the site's environment can handle in terms of capacity and added disk load, usually retaining these backups for 2-3 days.

This way if ransomware hits, I've got both an additional backup to the daily backup and a very recent backup in case key files were affected.

   

Re:Backup/Backup/Backup/Backup/Backup

[elistan]

I've had similar experiences for two ransom ware infections over the past few years - in each case it looked like it got in by the user browsing to a normal website that served up a malicious ad - we've since then switched to a different web filter appliance. Our antivirus didn't stop the encryption, but did detect and alert on the ransom notes. So we were able to shut down the offending PC quickly - it then got its drive pulled and wiped, as no data is stored locally. That lack of local files meant the malware quickly moved on to network shares before being shut down, but good backups meant we could recover in just a couple hours. Our antivirus now looks for 'unauthorized encryption' but we haven't seen it in action yet against actual malware - just false positives for a program we use that does encryption. We do annual DR tests so we know we have recovery capabilities.

Re:Backup/Backup/Backup/Backup/Backup

[ebvwfbw]

Did you follow up with education for the users? Should be done once a year. Set up an external site. I'm often very obvious with the site name. Password checker, health insurance discount site. Social the women too. Women are often really easy to social if you get the right bait.

sadly

[sad_]

nothing will be learned from this, and things continue as they were, only matter of time before it happens again. sick & tired of seeing this kind of story almost every day.
how many ransomware incidents would have happened if these orgs/govs/companies had their things in order?

Re:fool me once

[Ol+Olsoc]

The bright side is that company isn't going to be around too long.

Yeah, but the bad news is that the CEO is now president of the United States.

But he had a good friend putin a good word for him.

Re:Administrator Rights

[ebvwfbw]

Admin is handed out way too easy. Are you sure nobody else has admin rights? I manage a few thousand WIn boxes. Every one had to be audited recently and I found users had admin access that never even knew about the machine nor logged in. Application accounts too. Then if you also use group policies sometimes audit check policies have security changes, that gives someone admin rights. I've said a few times - here's a Windows box, guess how it's configured. I could say guess who has admin access.

I hope you're right in saying no users have admin access. I wish there were more people like you out there.