North Dorset Council hit by ransomware, flips the bird at miscreants

North Dorset District Council in England's southwest is working with police to identify the source of a ransomware infection in this week. It is the latest outbreak of file-scrambling malware in what IT security experts believe to be a growing problem for local authorities in the UK. According to an email seen by The …

  1. allthecoolshortnamesweretaken

    Good for North Dorset!

  2. Dan Wilkie

    Public sector always gets hit because you have a large organisation of users, many of whom lack basic security awareness. Coupled with high turnover and transient staff, you'll always end up with this kind of incident. What makes the difference is how you respond, and how good your incident response processes are.

    By Public Sector standards, it seems like North Dorset are pretty good!

    1. tmTM

      not to mention

      The practice of promoting idiot people out of the way, eventually one or several end up in control of something potentially quite important.

      Looks like North Dorset got it right, good on them.

    2. Anonymous Coward

      re: "many of whom lack basic security awareness"

      It's called competence.

      Unfortunately, many people who should know better believe in "good enough is good enough".

  3. Bc1609

    Well done Dorset

    I suppose they've learnt from experience that paying the Dane-geld will never get rid of the Dane. Took them a couple of invasions, granted, but they got it right in the end.

  4. Dan 55

    "Some of these organisations do not have the latest backup [systems] installed"

    They don't have any, otherwise they could roll back to the day/week before for the affected files.

    1. sjaddy

      Re: "Some of these organisations do not have the latest backup [systems] installed"

      Depends on the ransomware, some sit there dormant for a little while before "showing" off to the end user. That way they have a chance to have encrypted some of the documents in the backup.

      If the encryption kicked off on the PC and immediately displayed the request for bitcoin then yes a restore would work.

      1. Anonymous Coward

        Re: "Some of these organisations do not have the latest backup [systems] installed"

        "Depends on the ransomware, some sit there dormant for a little while before "showing" off to the end user. That way they have a chance to have encrypted some of the documents in the backup."

        Could be identified by looking for suspicious activity - i.e. sudden influx of backup data from a specific backup job, be that volume of data or number of files. You will get more false flags than genuine incidents, but it depends on how seriously you take the risks and how much time and effort you want to put in.

        Automation will help spot an exception but whether it's a false flag or not will likely need human intervention, there are *unfortunately/fortunately* (it's your perspective) a few HPE staff coming onto the job market who probably have the right security clearances to check.
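A worked version of the check this comment describes, added here as an example and not code from the thread or from any backup product: each backup job keeps a rolling baseline of files and bytes changed, and a run is flagged when both a multiple of the job's median and a robust deviation threshold are exceeded. Job names, dates and counts are constructed; the thresholds (`ratio`, `mad_k`) are assumptions to be tuned against real false-positive rates.

```python
"""Flag backup jobs whose change volume jumps far above their own recent baseline."""
from collections import defaultdict
from statistics import median

# Constructed sample history: (job, day, files_changed, bytes_changed).
# A document share that normally changes ~300 files a day suddenly rewrites
# ~18,000 of them, which is what a whole tree being re-encrypted looks like.
SAMPLE_HISTORY = [
    ("fileserver-docs", f"2016-03-{d:02d}", n, n * 180_000)
    for d, n in enumerate([310, 295, 340, 280, 305, 320, 290, 300, 315, 18_400], start=1)
] + [
    # A flat-line database dump job, included so the zero-variance case is exercised.
    ("hr-db", f"2016-03-{d:02d}", 12, 5_000_000_000) for d in range(1, 11)
]


def baseline(values):
    """Median and median absolute deviation: robust to one bad day inside the window."""
    m = median(values)
    mad = median(abs(v - m) for v in values) or 1.0  # flat series would otherwise divide by zero
    return m, mad


def flag_anomalies(history, window=7, ratio=4.0, mad_k=8.0):
    """Return (job, day, reasons) for runs whose files or bytes changed exceed both
    `ratio` times the window median and `mad_k` robust deviations above it.
    A job needs `window` prior runs before it can be judged."""
    per_job = defaultdict(list)
    for rec in sorted(history, key=lambda r: (r[0], r[1])):
        per_job[rec[0]].append(rec)

    flagged = []
    for job, recs in per_job.items():
        for i in range(window, len(recs)):
            prior = recs[i - window:i]
            reasons = []
            for idx, metric in ((2, "files"), (3, "bytes")):
                m, mad = baseline([r[idx] for r in prior])
                cur = recs[i][idx]
                if cur > ratio * m and (cur - m) / mad > mad_k:
                    reasons.append(f"{metric}: {cur} vs window median {m}")
            if reasons:
                flagged.append((job, recs[i][1], reasons))
    return flagged


if __name__ == "__main__":
    for job, day, reasons in flag_anomalies(SAMPLE_HISTORY):
        print(job, day, "; ".join(reasons))
```

Requiring both tests to trip is what keeps a routine month-end bulk upload from paging someone: a large but proportionate change fails the ratio test, while a tiny job with near-zero variance needs the absolute floor from the `or 1.0` guard. As the comment notes, the alert still needs a person to decide whether it is a legitimate import or encryption in progress.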

  5. Anonymous Coward

    Are they looking for the idiot that clicked on a link in an e-mail? If not why not?

    1. I. Aproveofitspendingonspecificprojects

      I hope you don't think that the African civil rights agencies that keep telling me about the unfortunate young black girls having to walk miles in the rain and snow to get drinking water for a village too indolent to move to where there is water holds suspicious links?

  6. Pascal Monett

    "providing organisations have the correct security measures in place"

    Yes, I do believe that that is a sine qua non condition.

    Good on them for having done so. And damn right to be smug about it too. Now can we have a report on their IT infrastructure, to make a blueprint for all the ones who don't have it right?

    Maybe some of the others will see the light.

  7. myhandler

    Flips the bird???

    This is Dorset, England - not the US

    1. Roger Mew

      Raise the Churchillian I think.

    2. To Mars in Man Bras!

      Flicks the Vs

      *"...This is Dorset, England - not the US..."*

      I know. But El Reg's journalists so desperately want to sound American. I think they think it makes them cool, or something.

      1. Anonymous Coward

        Re: Flicks the Vs

        Presumably the reason for all the "great job!" responses.

        Councils in the UK aren't known for being high calibre.

  8. Loud Speaker

    The latest backup technology?

    I have had tape backup since 1973, and my mother had it before me. LTOx works fine, and has been around for at least 10 years. I doubt many people still use 556BPI 7-track tape.

    Today's tar is only marginally better than 10 year old versions - it is compatible with tar from 1996 (possibly older, but I no longer have any tapes older than that to prove it).

    Of course, if you use proprietary backup software instead of open source, you probably won't be able to read your old tapes - I should know - I wrote some of it!

  9. Anonymous Coward

    the flip side

    word "backup" might become less of a mythical creature for public it services ;)

  10. Anonymous Coward

    What I don't get is why organisations don't use whitelists. Yes, you can still have access to Amazon to do your shopping during your lunch break but if an idiot clicks on a dodgy link, it should be blocked and IT notified of who is stupid enough to click dodgy links so they can be trained properly how to use a computer or have the facility removed from them.

    1. Alister

      @AC

      What I don't get is why organisations don't use whitelists.

      This is almost certainly not how the infection was introduced, it is much more likely to have been an infected attachment in an email.

      And whilst you can try to minimise the risks there, (and software is available to catch most known infections) if you are in a public service environment like a local council, you cannot just block all emails with attachments, or from unknown addresses, as you will receive hundreds of perfectly legitimate emails which look just like the dodgy ones.

      1. Anonymous Coward

        Yes, it's almost definitely not how the infection was introduced but some sort of sandbox/kiosk for users to do their private browsing from would be far better than allowing relatively unfettered 'net access from a 'work' PC and surely it's not that difficult to at least quarantine executable attachments, I was able to do that with email servers back in 2000 so I feel it should be a fairly simple task even in these advanced days.

        1. Reality Dysfunction

          Quarantining executable attachments would include every doc, docm, xls, xlsm, pdf, rtf.

          This probably covers at least a few thousand a day, are they going to employ an entire call centre to look at these emails and evaluate them and release them every day?

          And that's just the basic office executable attachments, ignoring the more esoteric and links.

          Also having run the major malicious TeslaCrypt, Locky attachments and Angler links my organisation received through testing last week no major AV vendors identified them for the first 12 hours.

          Links for these things are often to a hacked subdomain of a valid site in order to defeat category based web filtering, they then go on a round robin of scripts based on the identity of the browser to evade checks.

          If you are in a Large Organisation, even with filtering, application control, AV, Appsense and email content control the only thing between you and ransomware is Luck.
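The two comments above disagree about quarantining "executable" attachments: one says it was easy in 2000, the other that it would swallow every doc, docm, xls and pdf. The example below is added here (it is not code from the thread or from any mail gateway) to show the middle ground, a content-based triage that looks inside each attachment rather than at its name: OOXML files carrying a VBA project are quarantined, macro-free OOXML is passed, and anything starting with a PE header is quarantined whatever it is called. The sample message, its addresses and its attachments are constructed; the OOXML members are minimal stand-ins, and binary OLE formats (.doc, .xls) and PDF-embedded scripts are deliberately out of scope.

```python
"""Triage e-mail attachments by content, not by file name."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

MACRO_MEMBERS = ("vbaProject.bin",)  # where OOXML stores VBA (word/, xl/, ppt/ prefixes)


def _zip_bytes(names):
    """Constructed minimal OOXML-shaped zip containing the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, "<x/>")
    return buf.getvalue()


def build_sample_email():
    """Constructed message with four attachments of differing risk."""
    msg = EmailMessage()
    msg["From"] = "supplier@example.invalid"
    msg["To"] = "planning@example.invalid"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see attached.")
    # Plain .docx: no macro storage.
    msg.add_attachment(_zip_bytes(["[Content_Types].xml", "word/document.xml"]),
                       maintype="application", subtype="octet-stream", filename="quote.docx")
    # .docm with a VBA project.
    msg.add_attachment(_zip_bytes(["[Content_Types].xml", "word/document.xml",
                                   "word/vbaProject.bin"]),
                       maintype="application", subtype="octet-stream", filename="invoice.docm")
    # A PE image given a .pdf name and type.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf", filename="statement.pdf")
    # Harmless text.
    msg.add_attachment("hello", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


def classify(data):
    """Verdict from the bytes alone; the declared name and MIME type are not trusted."""
    if data[:2] == b"MZ":
        return "quarantine: PE executable (regardless of name)"
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "quarantine: unreadable archive"
        if any(n.endswith(MACRO_MEMBERS) for n in names):
            return "quarantine: OOXML with VBA project"
        if "[Content_Types].xml" in names:
            return "allow: OOXML without macros"
        return "review: generic zip archive"
    return "allow: no executable content detected"


def triage(raw):
    """Return [(filename, verdict)] for every attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):  # text parts come back decoded
            data = data.encode()
        results.append((part.get_filename(), classify(data)))
    return results


if __name__ == "__main__":
    for name, verdict in triage(build_sample_email()):
        print(f"{name:15} {verdict}")
```

Checking for `vbaProject.bin` is what shrinks the review queue: the thousands of daily `.docx` and `.xlsx` files pass untouched, and only macro-bearing documents and mislabelled binaries are held. It does not replace AV or detonation, and it says nothing about links, which the comment above identifies as the harder problem.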

          1. Rich 11

            If you are in a Large Organisation, even with filtering, application control, AV, Appsense and email content control the only thing between you and ransomware is Luck.

            And user education, but staff turnover constantly works to undermine that. Unfortunately, staff induction sessions don't take place before the new person sits down at a computer.

            1. rally_champ

              >user education

              As Reality Dysfunction says above: Links for these things are often to a hacked subdomain of a valid site in order to defeat category based web filtering.

              How would user education prevent that?

              My dad's PC was infected with TeslaCrypt a couple of weeks ago and as far as I can tell he got infected through a sub-domain of one of his regular far-east suppliers' websites. His free McAfee failed to protect him and his external back-up was also encrypted. I wiped his HDD and did a fresh install of Win7. Fortunately all his docs were retrievable from Hotmail and I have copies of all his (good) photos.

    2. Jess

      Re: What I don't get is why organisations don't use whitelists

      Or even strip out any scripts (etc) from any non whitelisted domain.

      1. I. Aproveofitspendingonspecificprojects

        Re: What I don't get is why organisations don't use ahem... Linux nodes

        no text

    3. Anonymous Coward

      While this is noble in intention, the idiots you speak of are legion. The overwhelming majority of these workers I've encountered literally have rudimentary skills only to facilitate doing their job and little else - click this button, that button, 'go to that screen' etc. You're talking about constant re-training of an entire workforce.

      IMHO the social engineering risk to security is equal to the technological in public organisations and while you could in theory have great security training, there's never any guarantee that it's going to sink in for the great majority - some of whom still resent even having to use a computer full stop.

  11. TonyJ

    AppSense

    This is exactly one of the reasons I love AppSense Application Manager and its trusted user model.

    Your average joe/jane user cannot launch any untrusted executable.

    Worth every penny in the long run.

    And no - I am in no way affiliated with them.

    1. Anonymous Coward

      Re: AppSense

      This is exactly one of the reasons I love AppSense Application Manager and its trusted user model.

      Surely you can do this with a well setup Windows security policy rather than having to use third party software?

      1. Loud Speaker

        Re: AppSense

        well setup Windows security policy

        You might want to look up "Oxymoron".

      2. TonyJ

        Re: AppSense

        ..."

        Surely you can do this with a well setup Windows security policy rather than having to use third party software?..."

        Sort of but then you're managing dozens or more of program hashes (for dependent executables and binaries too) or you revert to executable names as updates will alter the hashes and then users can simply rename files.

        I should really caveat that - it's been several years since I looked into it on a purely Windows based offering. AppSense just works. And can log.
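The trade-off in the comment above (hash rules break on every update, name rules are defeated by a rename) is easy to see in a few lines. This is an added example, not AppSense or Windows policy code: a minimal allowlist with both rule types, evaluated against a constructed "trusted tool", an updated build of it, and an unrelated file renamed to the trusted name.

```python
"""Hash-based versus name-based application allowlisting on real files in a temp directory."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AllowList:
    def __init__(self):
        self.hashes = set()
        self.names = set()

    def trust_hash(self, path):
        """Hash rule: binds to the exact bytes. Survives renaming, breaks on update."""
        self.hashes.add(sha256_file(path))

    def trust_name(self, name):
        """Name rule: binds to the file name only. Survives updates, defeated by renaming."""
        self.names.add(name.lower())

    def decide(self, path, mode):
        """Return (allowed, reason) for a file under 'hash' or 'name' evaluation."""
        if mode == "hash":
            ok = sha256_file(path) in self.hashes
            return ok, "hash " + ("matched" if ok else "not in allowlist")
        if mode == "name":
            ok = os.path.basename(path).lower() in self.names
            return ok, "name " + ("matched" if ok else "not in allowlist")
        raise ValueError(f"unknown mode {mode!r}")


def demo():
    """Constructed scenario; file contents are stand-ins, not real binaries."""
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "tool.exe")
        with open(tool, "wb") as f:
            f.write(b"MZ trusted build 1.0")
        policy = AllowList()
        policy.trust_hash(tool)
        policy.trust_name("tool.exe")

        # Vendor update: same name, different bytes.
        with open(tool, "wb") as f:
            f.write(b"MZ trusted build 1.1")
        updated = {m: policy.decide(tool, m)[0] for m in ("hash", "name")}

        # Untrusted file in another directory, simply renamed to the trusted name.
        downloads = os.path.join(d, "downloads")
        os.mkdir(downloads)
        renamed = os.path.join(downloads, "tool.exe")
        with open(renamed, "wb") as f:
            f.write(b"MZ something else entirely")
        disguised = {m: policy.decide(renamed, m)[0] for m in ("hash", "name")}

        return {"updated_tool": updated, "renamed_untrusted": disguised}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The hash rule blocks the renamed file but also blocks the legitimate update until someone re-hashes it; the name rule does the opposite. That maintenance burden, multiplied across every dependent DLL and patch cycle, is the cost the comment is describing.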

  12. Adam JC

    ESET

    I think it's worth mentioning that ESET provide the AV software that a large proportion of LA and Councils use.

    That said, I'm impartial as we use and resell ESET at work and I can't fault it apart from their little booboo the other day with the false positives (Which didn't really do anything other than disrupt browsing experiences somewhat, for an hour or so).

    1. Anonymous Coward

      Re: ESET

      OK, but didn't ESET bork their own systems recently though?

  13. Anonymous Coward

    A role for the ISP's here?

    * It's going to take years (if ever) to get the 'cryptolocker' message out to councils, hospitals, NGOs and other orgs, never mind small-biz and home-users....

    * In past discussions, people asked if ISPs could directly help more (for a fee), especially since Governments are forcing them to snoop on us anyway...

    * Couldn't ISPs build virus / malware filters into download data-streams?

    * If it's technically possible, would it require Phorm-like intrusion into everybody's lives?

    1. AlbertH

      Re: A role for the ISP's here?

      Certainly not! ISPs should interfere with data as little as possible. The governmental snooping act will fail. "Phorm" only have their claws stuck into users stupid enough to connect through Virgin (On The Ridiculous).

      1. John Brown (no body)

        Re: A role for the ISP's here?

        "Phorm" only have their claws stuck into users stupid enough to connect through Virgin (On The Ridiculous)."

        FWIW, Phorm and VM never got past the talking stages, and Phorm pulled out of the UK completely some years ago. Phorm currently have a share trading embargo and an almost zero value while they try (and hopefully fail) to secure further funding.

        1. Vic

          Re: A role for the ISP's here?

          Phorm currently have a share trading embargo and an almost zero value

          Yeah, I was gutted when I read that. Gutted. Really.

          Vic.

      2. Anonymous Coward

        Re: A role for the ISP's here?

        Ok, forget ISP involvement. But if everything is left up to the user or their org then nothing will get done. All it takes is one vulnerable machine or one dumb user to open an attachment and data is cryptolocked forever!

        So, how about making web-browsers block users from opening email attachments?

        Or having Windows / Linux / iOS, quarantine files downloaded from the web by default?

  14. TeeCee

    If there are any crooks reading this......

    .....here's a great idea for a money spinner.

    Provide the service from somewhere untouchable. The service is that, when hired, you track down by any means the scrote who dumped ransomware on your client. You then blowtorch his feet until he discloses the decryption keys and finally dump him in concrete somewhere.

    The beauty here is that while this is undoubtedly illegal and highly profitable, nobody's going to look into it too hard.....especially if you make sure the aforementioned concrete is not going to be disturbed for a long time.

    1. Anonymous Coward

      Re: If there are any crooks reading this......

      Why waste expensive concrete? Make them dig a deep hole and stand in it. Backfill it up to waist level for the "negotiation" phase. Then (irrespective of the outcome of the negotiations) complete the backfill.

      Simple, cheap, environmentally friendly, total investment - one spade, reusable for the next job.

      Edit: Apparently I have ten minutes to make this post better. And there was me thinking it was small and perfectly formed in the first place.

    2. Vic

      Re: If there are any crooks reading this......

      The beauty here is that while this is undoubtedly illegal and highly profitable, nobody's going to look into it too hard.....especially if you make sure the aforementioned concrete is not going to be disturbed for a long time.

      Is this the real reason for HS2? It would be much more popular than what we're being told at the moment...

      Vic.

  15. Emaildoctor

    Email management training reduces such risks

    When was the last time North East Dorset Council provided any education and training on cyber crime and email best practice? Most such organisations do not see the value in email management training and this is what happens.
