Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management
Louisiana Government Recovering From Ransomware AttackGovernor Describes 'Aggressive' Incident Response Efforts
Louisiana was restoring many online government services Tuesday after a Monday ransomware attack, according to Governor John Bel Edwards.
On Monday, the Office of Technology Services, which operates the state’s IT systems, discovered that ransomware affected some state servers. In response, security and IT teams took several websites and other online services offline to keep the ransomware from spreading to more agencies, according to Edwards, who posted updates on his Twitter account.
"The majority of the service interruption seen by employees and the public yesterday was due to our aggressive actions to combat the attack," Jay Dardenne, commissioner of administration, said Tuesday. "We are confident we did not have any lost data, and we appreciate the public’s patience as we continue to bring services online over the next few days."
The state did not pay the ransom that the attackers demanded, instead relying on back-up systems to restore affected online services and state websites, the governor said.
On Monday, the ransomware attack affected several state agencies, including the state's Office of Motor Vehicles, which appears to have been one of the first departments to notice something wrong, according to local news outlet The Advocate.
The attack appears to have affected all 79 Office of Motor Vehicles locations in the state, according to the news report. Keith Neal, director of project management for the Office of Motor Vehicles, noticed something wrong on Monday before all the computer systems started to lock-up as part of the attack, and then he called other state officials to report the incident, according to the Advocate.
In messages posted on its Facebook page, the Louisiana State Police noted that Office of Motor Vehicles employees planned to return to work by midday Tuesday but that day-to-day operations were still affected.
"The delayed opening will allow [Office of Motor Vehicles] employees and [Office of Technology Services] representatives ample time to ensure that all public systems are operational and ready for full service," the State Police reported Tuesday. "While many systems are back online, the public is asked to refrain from non-critical OMV tasks today as technicians continue to restore full service."
Portions of the Department of Children and Family Services’ official website remained offline Tuesday, with reports of child abuse and other issues having to be called in instead of registered online at the department's website, according to the Advocate. Other affected departments include the Department of Health, the Secretary of State's office and the Public Service Commission, according to the news report.
Phase 2 of an Attack?
In July, a malware attack against several of Louisiana's school districts led the governor to declare a state of emergency (see: Louisiana Declares Emergency After Malware Attacks).
Although details about this latest incident are still under investigation, Reuters, citing a person familiar with the investigation, reported that attackers used the Ryuk ransomware strain.
While the governor's office did not confirm the Reuters report, it did note that Monday's incident was related to the attacks from July.
In a series of tweets late Monday about the ransomware attack, Edwards said that some of the outages stemmed from the state's Office of Technology Services moving aggressively on Monday to contain the ransomware outbreak before it could spread, which appeared to have infected some state servers.
"[The Office of Technology Services] immediately initiated its security protocols and, out of an abundance of caution, took state servers down, which impacted many state agencies’ email, websites and other online applications," Edwards said. "The service interruption was due to OTS’ aggressive response to prevent additional infection of state servers and not due to the attempted ransomware attack."
OTS has confirmed that this attempted ransomware attack is similar to the ransomware targeted at local school districts and government entities across the country this summer. There is no anticipated data loss and the state did not pay a ransom. #lagov #lalege— John Bel Edwards (@LouisianaGov) November 18, 2019
On social media, Edwards says he expects most systems and online state services to return to normal later this week. The Louisiana State Police and federal authorities are investigating, he says.
Over the first nine months of the year, more than 600 ransomware attacks pummeled local governments, schools districts and healthcare providers across the U.S., according to a study released by Emsisoft (see: Just How Widespread Is Ransomware Epidemic?).
Fabian Wosar, the CTO of Emsisoft, says that local and state governments apparently are not doing enough to protect their systems from the types of intrusions that can start a ransomware attack.
"While it's certainly correct that no one is immune, the reality is that government entities could be doing a much better job of protecting their systems," Wosar tells Information Security Media Group.
"Consider that while a myriad of public entities have been impacted by ransomware this year, not one bank has been. That's not because banks aren't being targeted; it's because they practice better security and so are better able to defend against attacks."
Over the last year, security researchers have noted that attackers have taken advantage of weak email security to help spread ransomware. In most cases, phishing emails are used to plant the malware in a network after someone clicks a malicious link. Some cybercriminals are using the Remote Desktop Protocol feature in Windows to gain administrative control and then help the ransomware spread once the initial attack is underway, some security experts says.
In response to the growth of ransomware attacks, the U.S. Senate recently passed a bill that would create cyber incident response and threat hunting teams at the Department of Homeland Security to assist victims of ransomware and other cyberattacks (see: Bill Calling for DHS Cyber Incident Mitigation Teams Advances).
A similar bill is making its way through the House.
(Executive Editor Mathew Schwartz contributed to this report.)