Lincolnshire council IT ransomware flingers asked for ... £350

Lincolnshire County Council's IT is back up and running after the council shut everything down last week following a ransomware attack in which the attackers turned out to have asked for a mere £350. Despite the BBC reporting that the council had been hit by a £1m ransom, a spokesperson told The Register that it had only been …

  1. Anonymous Coward
    Anonymous Coward

    Zero Day Exploit

    My big fat white yorkshire arse.

    More likely some big cheese demanded he didn't have the restrictions foisted upon mere mortals, or the AV software was out of date.

    Either way, guffaw....

    1. Smoking Gun

      Re: Zero Day Exploit

      It sounds like CryptoWall. Those cyber crims are jolly nice fellows though.

      Had a client who got hit by it; we asked the crims to extend the deadline to allow the Bitcoins to clear and they extended by 2 weeks, more than enough time to restore from backups and clear up the mess.

      Watch those Amazon emails with zip file attachments. Stay safe kids.

      1. Chloe Cresswell Silver badge

        Re: Zero Day Exploit

        Client in Lincolnshire got hit with CryptoWall 4 on Tuesday. £360 was the ransom (1.306 BTC).

      2. Anonymous Coward
        Anonymous Coward

        Re: Zero Day Exploit

        The way the BBC reported it, like it was some marvelous new thing that they'd never heard of before, like the Daily Mail TV channel

    2. Anonymous Coward
      FAIL

      Re: Zero Day Exploit

      "This was what's termed as a zero-day attack, which means when it hit us the security software providers hadn't seen it before."

      Called it! B-)

      Er, no. It does not mean any such thing. Your Serco parasite is lying to you, shit for brains.

    3. LucreLout
      Holmes

      Re: Zero Day Exploit

      Zero Day Exploit... My big fat white yorkshire arse.

      Well, that's quite a vision. Thanks.

      I'm hoping someone is going to use an FoI request to force disclosure of exactly which piece of malware this was such that we can determine for ourselves that this wasn't a zero day exploit, and more closely aligns with the zero competence exploit that we're all expecting.

      El Reg, unleash the investigative hounds!

    4. JeffUK

      Re: Zero Day Exploit

      I'm guessing the IT service providers, or the AV company, told them 'It was a zero day, that's why it wasn't stopped' and they have no reason not to believe them.

      I've been told that an Excel macro virus was 'A Zero Day' just because the AV signatures didn't pick it up. The AV crowd have realised that if they define 'Zero Day' as 'Anything we miss' they can get away with murder.

  2. Downside
    Windows

    zero-day email

    ^^^^ her big fat Yorkshire thing ^^^

    Bet it was a simple forged email link posing as LinkedIn or Facebook. Seen it happen in even the most paranoid of companies, one thoughtless click and suddenly a Russian ferret is alive in the network encrypting your MSql servers.

    Turn it all off, restore from backups, virus check all the laptops, ta-da, back to normal.

  3. Blank-Reg
    Gimp

    Can I suggest that the dimwit who opened the dodgy attachment (probably with an e-mail of coppier@lincolnshire.gov.uk (sic)) has their wages deducted to pay the ransom.

    1. Lyndon Hills 1

      Forget the ransom

      Forget the ransom. The disruption to normal operations will have cost far more than 350 quid.

      1. DavCrav

        Re: Forget the ransom

        "Forget the ransom. The disruption to normal operations will have cost far more than 350 quid."

        And you have a guarantee that that would be a one-time-only deal, and you would get the files decrypted? Untrustworthy sorts, these criminals.

        Alternatively, chalk the cost up as a dress rehearsal training exercise, and it's fine.

        1. Anonymous Coward
          Anonymous Coward

          Re: Forget the ransom

          £350 is probably less than they spent on the third undersecretary to the janitor's deputy assistant's taxi fares last week.

          A cheap lesson at 100X the price.

          Pay it.

          See if you get your data back.

          Meanwhile, dismiss the clowns and assemble a small in-house team of competent IT professionals to do things properly.

      2. This post has been deleted by its author

    2. John G Imrie

      It really isn't fair

      to blame the secretary for clicking on the link after she has already informed her boss that this is a stupid idea when he is shouting at her that he needs that bloody document now.

      1. Anonymous Coward
        Anonymous Coward

        Re: It really isn't fair

        Quite right. Dock tomorrow's lunch expenses of the "CIO" (who's really to blame, however you look at it).

  4. Dr Who

    Judith sounds to me a lot like one of those CIOs who place a strong strategic focus on the Chief and Officer side of things (and don't you forget it mate!) but prefers to deploy a light touch approach to the Information part, which is after all jolly hard to understand and is probably best left to others.

    1. IsJustabloke
      Devil

      Like Jen from the IT Crowd but without the charm

  5. Anonymous Coward
    Anonymous Coward

    The scammers must have known the council was skint.

  6. bertyboy2

    Wow...CIO..?? really??

    "This was what's termed as a zero-day attack, which means when it hit us the security software providers hadn't seen it before.".......errm no it does not. Wow...CIO..?? really??

  7. Anonymous Coward
    Anonymous Coward

    Observed truths we are told should be "wrong"

    1) Car="BMW" OR "Audi" AND Color="White" or "Black"

    driver is a twat

    2) Double-barrelled surname in position of management

    ,,,,,

    1. Cronus
      Headmaster

      Re: Observed truths we are told should be "wrong"

      Hating on all BMW drivers and black people eh?

      1. Why Not?

        Re: Observed truths we are told should be "wrong"

        I think they meant the car colour was Black or White. Not sure what you added (this may be what most people think about you).

        I think it was a little restrictive any colour Audi can have a muppet at the wheel.

        1. JimmyPage Silver badge

          Re: any colour Audi can have a muppet at the wheel

          true - as can any car. However, IME, a black or white *car* (which is how I read the OP) increases the odds to within a whisker of 99%.

        2. IsJustabloke
          Meh

          Re: Observed truths we are told should be "wrong"

          in my experience a muppet in an Audi will be a muppet in any car.

      2. x 7

        Re: Observed truths we are told should be "wrong"

        "Hating on all BMW drivers and black people eh?"

        round here a black or white BMW = drug dealer

        black or white Audi = wannabe drug dealer. Or a management reject

        1. Anonymous Coward
          Anonymous Coward

          Re: Observed truths we are told should be "wrong"

          Anyone calculated the probabilities for matte black Rolls-Royce/Bentley?

  8. Dan Wilkie

    0 Day. Really.

    Who's their security vendor so I can avoid them - I've seen Serco mentioned? Colour me surprised...

    Somehow I doubt that IF someone were to find themselves in possession of a 0 day, they would waste it on a scatter gun attack or indeed a targeted attack at a local council...

  9. Roger Greenwood

    Newsbiscuit article

    http://www.newsbiscuit.com/2016/02/01/lincolshire-council-have-pencil-sharpeners-hacked/

    Enjoy.

    1. an-ominous-mass
      FAIL

      Re: Newsbiscuit article

      Yet another link that fails when wisely using NoScript.

      Good try though.

  10. Crisp

    I'm not buying the "0-day exploit" story.

    I think it might have something to do with government offices using things like Windows XP well after its sell by date.

    1. Anonymous Coward
      FAIL

      Re: I'm not buying the "0-day exploit" story.

      Yeah, I was thinking that the "zero day" was probably pre millennial.

      I couldn't pay a council parking ticket not so long ago, because the online payment system wouldn't work unless I had IE6 installed!!

      1. JeffUK

        Re: I'm not buying the "0-day exploit" story.

        Well; it was a zero-day at some point...

  11. SecBod

    Really?

    350 quid - maybe for an individual infection. Multiply that by the 300 devices and then turning it all off seems like a more reasonable recovery step. With those sorts of numbers you wonder if the crims might offer an enterprise discount; CIOs always like to demonstrate a saving!

  12. x 7

    $500?

    that really does sound like the fee per machine.

    more checks needed before publishing.............

  13. Anonymous Coward
    Anonymous Coward

    BBC?

    How did £350 become £1m please?

    1. David Gosnell

      Re: BBC?

      Presumably multiplied by the 300 machines they say were infected*. I doubt these scammers are nice and offer multi-seat site licensing etc.

      * And then a bit of BBC hype for good measure, worth an order of magnitude.

      1. Anonymous Coward
        Anonymous Coward

        Re: BBC?

        ...Presumably multiplied by the 300 machines they say were infected...

        350 * 300 is a mere £895,000 short of £1m.

        1. David Gosnell

          Re: BBC?

          Indeed, hence the BBC hype mention.

    2. Anonymous Coward
      Anonymous Coward

      Re: BBC?

      That'll be a Serco line item in the contract

      Rebuild laptop with Windows XP SP1 - £548

      Recover from alien-invasion style malware outbreak that 'zeros the firewall mainframe' - £1M

      etc etc.

  14. Vince

    What a load of rubbish. I imagine all that's happened here is that someone opened an attachment with a cryptolocker type of variant.

    It then sat there encrypting the stuff on the local drive, then carried on through the various network mapped drives. Because that's what it does. Perhaps more than one user did this, and so it took less time than it might on its own from a single machine.

    Either way, the non-targeted ransom, the descriptions given after you remove the bull suggest nothing more sinister than that. Yet more reasons why people should start taking security seriously. And that doesn't mean installing Norton, or Sophos or whatever your preferred flavour of useless anti-malware is.

    1. Roland6 Silver badge

      The real question is just how long was it sitting there encrypting stuff...

      I suspect it is this time lapse/disconnect between the cryptolocker app getting installed and either it being detected or, in this case, making itself known that is causing problems, and hence why people talk about zero day. Because obviously whatever downloaded it (a trojan downloader?) was able to be downloaded, installed and executed without being detected by the security software (email scanner and/or PC security suite). Additionally, the payload (the cryptolocker app itself) wasn't triggering anything on download, install or execute.

      The good news is that this story has reached the BBC main News and so some in senior management will now be aware of security issues and perhaps might be receptive to some security consultancy...
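Vince's description above (encrypt the local disk, then walk the mapped drives) and Roland6's question about how long it sat there are the two things a first responder actually has to answer before touching backups. The script below is an added example for this thread, not code from the council, its supplier or any commenter. It flags files by three signals: a second extension appended after the real one, near-random bytes in a file type that should be plain (compressed formats such as DOCX and ZIP are already random-looking, so they are exempt from the entropy check), and the burst of such writes, whose earliest mtime bounds the dwell time. The entropy threshold, the appended-extension list and the sample "finance" share it builds in a temp directory are all assumptions constructed for the example.

```python
import math
import os
import tempfile
import time
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

HIGH_ENTROPY = 7.5  # bits/byte; ciphertext and os.urandom score ~7.9 on a 2-4 KiB sample
ALREADY_COMPRESSED = {".zip", ".7z", ".gz", ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png"}
# Appended extensions treated as hostile: an illustrative assumption for this
# example, not a family list; maintain your own from what you actually see.
SUSPECT_TAILS = {".locked", ".encrypted", ".crypt"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: Path, entropy: float) -> Optional[str]:
    """Reason string if the file looks encrypted by ransomware, else None."""
    suffixes = [s.lower() for s in path.suffixes]
    if len(suffixes) >= 2 and suffixes[-1] in SUSPECT_TAILS:
        return f"appended extension {suffixes[-1]}"
    if entropy >= HIGH_ENTROPY and path.suffix.lower() not in ALREADY_COMPRESSED:
        return f"high entropy {entropy:.2f} for a {path.suffix or 'no-extension'} file"
    return None

@dataclass
class Hit:
    path: Path
    mtime: float
    reason: str

@dataclass
class Report:
    hits: List[Hit] = field(default_factory=list)

    def dwell_seconds(self, now: float) -> float:
        """Time since the earliest suspicious write: how long it sat there encrypting."""
        return now - min(h.mtime for h in self.hits) if self.hits else 0.0

    def burst_seconds(self) -> float:
        """Spread of the suspicious writes; a tight burst is the ransomware signature."""
        times = [h.mtime for h in self.hits]
        return max(times) - min(times) if times else 0.0

def scan(root: Path, sample_bytes: int = 4096) -> Report:
    """Walk a local folder or mounted share, reading only the first sample_bytes
    of each file so the walk stays cheap over a slow mapped drive."""
    report = Report()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                with open(p, "rb") as fh:
                    head = fh.read(sample_bytes)
                mtime = p.stat().st_mtime
            except OSError:
                continue  # locked or renamed mid-scan, normal while encryption is running
            reason = classify(p, shannon_entropy(head))
            if reason:
                report.hits.append(Hit(p, mtime, reason))
    return report

def build_sample_tree(root: Path, now: float) -> int:
    """Constructed input: a small 'mapped drive' with benign files plus six
    ransomware-style files written in a burst that started three hours before
    now. Returns the number of planted bad files."""
    share = root / "finance"
    share.mkdir(parents=True)
    (share / "notes.txt").write_text("quarterly budget meeting minutes\n" * 40)
    (share / "archive.zip").write_bytes(os.urandom(2048))  # random-looking but exempt
    for i in range(5):
        p = share / f"report{i}.docx.locked"
        p.write_bytes(os.urandom(2048))
        os.utime(p, (now, now - 3 * 3600 + i * 60))
    p = share / "ledger.csv"  # overwritten in place, extension untouched
    p.write_bytes(os.urandom(2048))
    os.utime(p, (now, now - 3 * 3600 + 5 * 60))
    return 6

def demo() -> dict:
    """Build the sample tree, scan it, and summarise what a responder wants to know."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        planted = build_sample_tree(Path(tmp) / "share", now)
        report = scan(Path(tmp) / "share")
    return {"planted": planted, "flagged": len(report.hits),
            "dwell_hours": report.dwell_seconds(now) / 3600,
            "burst_minutes": report.burst_seconds() / 60}

if __name__ == "__main__":
    print(demo())
```

Run it against a real share root instead of the constructed tree and the dwell figure tells you which shadow copy or backup set predates the outbreak; the burst width tells you whether one workstation or several were writing. Expect false positives from genuinely random data (key files, already-encrypted archives without a recognised extension) and tune the exempt list rather than the threshold.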

  15. SnowCrash

    Had this at the beginning of November (so much for 0-day). Went straight through MessageLabs and McAfee and one person opened it (actually they replied to the email complaining the attachment didn't work).

    3 hours downtime while we isolated the workstation and restored from most recent shadow copy (only took that long as DFSr had to be disabled and cleaned).

    We were in the middle of migrating to Avast which caught this particular variant.

    Good news is much higher awareness of cyber security within the company.

    1. Captain Badmouth
      FAIL

      "Went straight through Messagelabs and McAfee..."

      McAfee, the anti-virus speed bump.

  16. TXITMAN

    Outsourced IT

    Looks like Lincolnshire outsourced IT early last year. Brilliant. http://thelincolnite.co.uk/2014/07/serco-will-move-to-lincoln-for-county-council-partnership/

    1. jason 7

      Re: Outsourced IT

      This one makes it all the better -

      http://www.lincolnshireecho.co.uk/New-boss-bids-save-jobs-pound-2m-Lincolnshire/story-12896445-detail/story.html

      £85,000 a year back in 2011 so probably £90,000 a year now to look after 'com-puters'.

      1. Anonymous Coward
        Anonymous Coward

        Re: Outsourced IT

        Paying an outsourced IT company, who are in business to make a profit off reselling an IT team, and then looking surprised when:

        1. It costs more

        2. Isn't as good as you'd been promised

        3. Is worse than you had before

        Muppets.

  17. jason 7

    As earlier comments...

    I read that on the BBC a couple of days ago and I laughed so hard some wee nearly came out.

    Amazing to see some lazy IT manager trying to divert the blame as though it was an alien invasion or something. I bet the backside covering and buck passing has been legendary over there the past few days.

    Seen a lot of people hit by this over the past 2-3 years. The main problem I can see is companies or groups using Exchange servers with little or no email malware scanning. Push your email through the likes of Gmail etc. and it takes care of all that.

    I've been using FoolishIT's CryptoPrevent for some time now. Even the free default version can limit the damage if it's kept up to date occasionally.

  18. bigfoot780

    Applocker

    Even just running with the default rules would block cryptolocker. Also blocking exes on your filter.
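Why the default rules bigfoot780 mentions (and the software restriction policies CryptoPrevent in jason 7's post sets up) stop a mailed dropper is a question of where the file lands, not what it is: the three default Exe rules allow everyone to run from Program Files and Windows and let administrators run anything, so a standard user's %APPDATA%, %TEMP% or Downloads folder has no allow rule and is implicitly denied. The following is an added example, not the council's policy or anything from the thread: a Python model of that decision with the default rules as data, plus the one refinement a practitioner wants, a Deny on %WINDIR%\Temp, since %WINDIR%\* also covers folders a standard user can write to and Deny beats Allow. The concrete drive-letter expansions of the path variables are assumptions; the XML emitter follows the shape of a Get-AppLockerPolicy -Xml export and should be compared against your own export before you import it with Set-AppLockerPolicy. Note the Exe collection only covers .exe and .com; a .js or .vbs downloader in a zip is the Script collection's business, and an Office macro is neither.

```python
import fnmatch
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

EVERYONE = "S-1-1-0"
ADMINISTRATORS = "S-1-5-32-544"  # BUILTIN\Administrators

# Concrete expansions for AppLocker path variables, assumed for this example;
# the real values come from the machine's environment.
PATH_VARS: Dict[str, List[str]] = {
    "%WINDIR%": [r"C:\Windows"],
    "%PROGRAMFILES%": [r"C:\Program Files", r"C:\Program Files (x86)"],
    "%OSDRIVE%": [r"C:"],
}

@dataclass(frozen=True)
class Rule:
    action: str  # "Allow" or "Deny"
    sid: str     # user or group SID the rule applies to
    path: str    # AppLocker path, variables plus * wildcards
    name: str

# The three rules "Create Default Rules" generates for the Exe collection:
# nothing outside Program Files and Windows runs for a standard user, which is
# exactly where a mailed dropper lands (%APPDATA%, %TEMP%, Downloads).
DEFAULT_EXE_RULES = [
    Rule("Allow", EVERYONE, r"%PROGRAMFILES%\*", "(Default Rule) All files located in the Program Files folder"),
    Rule("Allow", EVERYONE, r"%WINDIR%\*", "(Default Rule) All files located in the Windows folder"),
    Rule("Allow", ADMINISTRATORS, r"*", "(Default Rule) All files"),
]

# %WINDIR%\* also covers folders a standard user can write to, such as
# %WINDIR%\Temp. An explicit Deny closes the gap because Deny beats Allow,
# for administrators too.
HARDENED_EXE_RULES = DEFAULT_EXE_RULES + [
    Rule("Deny", EVERYONE, r"%WINDIR%\Temp\*", "Block user-writable Windows Temp"),
]

def _patterns(rule_path: str) -> List[str]:
    """Expand one AppLocker path into concrete, lower-cased fnmatch patterns."""
    for var, roots in PATH_VARS.items():
        if rule_path.upper().startswith(var):
            return [(root + rule_path[len(var):]).lower() for root in roots]
    return [rule_path.lower()]

def matches(rule: Rule, file_path: str, user_sids: Set[str]) -> bool:
    """True if the rule is scoped to one of the user's SIDs and its path matches."""
    if rule.sid not in user_sids:
        return False
    return any(fnmatch.fnmatchcase(file_path.lower(), pat) for pat in _patterns(rule.path))

def evaluate(file_path: str, user_sids: Set[str], rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """AppLocker decision with enforcement on: a matching Deny wins, then a
    matching Allow, else implicit Deny. Returns (decision, deciding rule name)."""
    hits = [r for r in rules if matches(r, file_path, user_sids)]
    for action in ("Deny", "Allow"):
        for r in hits:
            if r.action == action:
                return action, r.name
    return "Deny", None

def to_xml(rules: List[Rule], enforcement: str = "Enabled") -> str:
    """Emit the rule set in the shape Get-AppLockerPolicy -Xml exports. Start with
    enforcement="AuditOnly" and read the AppLocker event log before enforcing."""
    policy = ET.Element("AppLockerPolicy", Version="1")
    coll = ET.SubElement(policy, "RuleCollection", Type="Exe", EnforcementMode=enforcement)
    for r in rules:
        node = ET.SubElement(coll, "FilePathRule", Id=str(uuid.uuid4()), Name=r.name,
                             Description="", UserOrGroupSid=r.sid, Action=r.action)
        ET.SubElement(ET.SubElement(node, "Conditions"), "FilePathCondition", Path=r.path)
    return ET.tostring(policy, encoding="unicode")

if __name__ == "__main__":
    user = {EVERYONE}
    for target in (r"C:\Users\bob\AppData\Roaming\a1b2c3.exe",
                   r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                   r"C:\Windows\Temp\dropper.exe"):
        print(target, evaluate(target, user, DEFAULT_EXE_RULES), evaluate(target, user, HARDENED_EXE_RULES))
```

The model shows the two things people miss when they say "AppLocker would have stopped it": the default rules do nothing for anyone who is a local administrator (third rule), and they wave through a writable subfolder of Windows unless you add the Deny. Path rules are also only as good as the ACLs on the allowed folders; if users can write into Program Files, a publisher or hash rule is the stronger choice.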

  19. Anonymous Coward
    Anonymous Coward

    Zero day?

    Bollocks.

    Also, quite a few of the newer copycat variants of cryptowall have had serious flaws.

    A client of mine got infected last year but because they reported it swiftly I was able to hunt down the keys and decrypt it all myself.

    The key was stashed in a registry key and a rather helpful chap somewhere on the intertubes had released an open source tool for an older variant to decrypt with. I made some small tweaks and boom.

    My money is on incompetence and faffing.

    1. Doctor Syntax Silver badge

      Re: Zero day?

      "Also, quite a few of the newer copycat variants of cryptowall have had serious flaws."

      The authors of TeslaCrypt 3, which hit my cousin, have learned from the security analysts' work on 1 & 2 and it's new, so maybe this is the zero day. So far there isn't a key recovery mechanism AFAICS, but I think I've got back most if not all of my cousin's files.

  20. Anonymous Coward
    Anonymous Coward

    I put the swirly screen saver on my boss's PC once; she was convinced it was a virus eating her documents.

    NOT a Joke.

  21. Captain DaFt

    One has to wonder

    Was the tech specialist they're consulting This guy?

  22. Questioner

    Clueless?

    One of the news articles said the vulnerability was in the social care system, so I checked which system this is.

    Turns out Lincolnshire council has been implementing Servelec Corelogic Mosaic for the past 3 years!
