Hackers' paradise: the Louisiana ransomware disaster is by no means over
Image caption: Louisiana State Capitol, Baton Rouge, Louisiana, at dusk.
Louisiana is operating with some of its services reduced as it recovers from a targeted ransomware attack, using the Ryuk malware, on November 18. The State’s Office of Motor Vehicles reopened offices in a limited way on Monday. But OMV and other affected agencies – including the Department of Health and the Department of Public Safety – face a number of potential hurdles to restoring all services, according to people familiar with Louisiana’s IT operations.
The ransomware payload was apparently spread across agencies by abusing Microsoft Windows Group Policy objects, meaning that the attackers had administrator rights in multiple Active Directory domains. This is typical of TrickBot-associated attacks, which use GPOs and PsExec (a Microsoft remote-execution tool) to push the payload to other machines.
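The two signals described above, a PsExec service being registered on a host and a Group Policy object being modified by an account that normally never touches GPOs, are both visible in standard Windows event logs. The following triage script is an added example, not code from the article or from any Louisiana agency; it scans a small set of constructed event records for those two signals. The event IDs are the standard Windows ones (7045 in the System log for a newly installed service, 5136 in the Security log for a modified directory object), but the record layout, the `GPO_ADMINS` allowlist and the host and account names are assumptions made for the example.

```python
"""Added example (not from the article): a minimal triage of Windows event
records for the lateral-movement signals the article describes, namely
PsExec service installations and unexpected Group Policy object changes.
The records below are constructed; the event IDs are the standard Windows
ones, the field layout is a simplifying assumption."""
from dataclasses import dataclass, field

# Accounts expected to edit GPOs. Assumption for the example; in practice
# this is the small set of change-management or provisioning identities.
GPO_ADMINS = {"CORP\\gpo-svc"}


@dataclass
class Event:
    event_id: int
    host: str
    account: str
    detail: dict = field(default_factory=dict)


def is_psexec_service_install(ev):
    """Event 7045 fires when a new service is registered. PsExec's default
    service is PSEXESVC and its binary is dropped into the ADMIN$ share."""
    if ev.event_id != 7045:
        return False
    name = ev.detail.get("service_name", "").upper()
    path = ev.detail.get("image_path", "").lower()
    return name.startswith("PSEXESVC") or "\\admin$\\" in path


def is_unexpected_gpo_change(ev):
    """Event 5136 fires when an AD object attribute is modified; GPOs are
    groupPolicyContainer objects. Flag changes by non-allowlisted accounts."""
    if ev.event_id != 5136:
        return False
    if ev.detail.get("object_class") != "groupPolicyContainer":
        return False
    return ev.account not in GPO_ADMINS


def triage(events):
    """Return (rule, host, account) alerts in log order."""
    alerts = []
    for ev in events:
        if is_psexec_service_install(ev):
            alerts.append(("psexec_service_install", ev.host, ev.account))
        elif is_unexpected_gpo_change(ev):
            alerts.append(("gpo_modified_by_unexpected_account", ev.host, ev.account))
    return alerts


def hosts_with_psexec(events):
    """Distinct hosts that saw a PsExec service install: the spread footprint."""
    return sorted({ev.host for ev in events if is_psexec_service_install(ev)})


# Constructed sample records; host and account names are invented.
SAMPLE = [
    Event(7045, "SRV-OMV-01", "CORP\\jsmith",
          {"service_name": "PSEXESVC",
           "image_path": "\\\\SRV-OMV-01\\ADMIN$\\PSEXESVC.exe"}),
    Event(7045, "SRV-OMV-02", "NT AUTHORITY\\SYSTEM",
          {"service_name": "WinDefend",
           "image_path": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"}),
    Event(5136, "DC-01", "CORP\\gpo-svc",
          {"object_class": "groupPolicyContainer"}),
    Event(5136, "DC-01", "CORP\\jsmith",
          {"object_class": "groupPolicyContainer"}),
    Event(4624, "SRV-OMV-01", "CORP\\jsmith", {"logon_type": 3}),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
    print("hosts with PsExec installs:", hosts_with_psexec(SAMPLE))
```

The allowlist check on 5136 is the part worth tuning: a GPO edit by a routine change-management account is noise, but the same edit by a workstation user or a freshly created domain admin is exactly the precursor the article describes, and it can be alerted on before the scheduled task or startup script in the GPO ever runs.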
This is the second major cyber security incident in Louisiana this year linked to Ryuk ransomware. In July, Governor John Bel Edwards declared a state of emergency and activated the state’s cyber response team to assist seven parish school districts. There have been many other Ryuk attacks this year involving TrickBot and, in some cases, the Emotet Trojan – a combination some experts refer to as a “Triple Threat” attack. At least two cities in Florida and the Judicial Council and Administrative Office of the Courts in Georgia were also hit by “Triple Threat” attacks.
Watch the gap
According to testimony from Deputy Chief Information Officer Neal Underwood before the Louisiana Joint Legislative Budget Committee, only 10% of the state’s 5,000 servers were affected by the ransomware attack, and a total of about 1,500 of the state’s 30,000 computers were “damaged” by the ransomware. Others were taken offline as a precaution as part of the response. And OMV officials and a spokesperson for the Louisiana Secretary of State’s office – which had to shut down systems tied to election data during the recounting of votes in the Louisiana elections – stated that no data was lost in the attack.
But that statement was perhaps premature and certainly did not apply to all Louisiana agencies. Some data may have been lost because, in some cases, agencies’ file backups were not current. In a letter responding to a public records request, shared with Ars, a Louisiana Department of Public Safety attorney stated that the request could not be fulfilled because the records required for the response were not available “due to the recent ransomware attack on the state’s computer systems.”
Image caption: An email from a Louisiana Department of Public Safety lawyer explaining why a freedom-of-information request could not be processed because of the ransomware attack.
Some OMV offices have still not reopened because their computers were disconnected from the office network and have not yet been checked for malware. And significant amounts of data – including records for the state’s Medicare and Medicaid system – may have been lost because the backups maintained by the Louisiana Department of Health’s data center vendor were more than six months old. Although the state had outsourced the operation of the LDH data center, its database servers and other systems remained accessible to Louisiana Office of Information Technology administrators.