Good for North Dorset!
North Dorset Council hit by ransomware, flips the bird at miscreants
North Dorset District Council in England's southwest is working with police to identify the source of a ransomware infection in this week. It is the latest outbreak of file-scrambling malware in what IT security experts believe to be a growing problem for local authorities in the UK. According to an email seen by The …
COMMENTS
-
Friday 4th March 2016 12:10 GMT Dan Wilkie
Public sector always gets hit because you have a large organisation of users, many of whom lack basic security awareness. Coupled with high turnover and transient staff, you'll always end up with this kind of incident. What makes the difference is how you respond, and how good your incident response processes are.
By Public Sector standards, it seems like North Dorset's are pretty good!
-
Friday 4th March 2016 12:24 GMT sjaddy
Re: "Some of these organisations do not have the latest backup [systems] installed"
Depends on the ransomware, some sit there dormant for a little while before "showing" off to the end user. That way they have a chance to have encrypted some of the documents in the backup.
If the encryption kicked off on the PC and immediately displayed the request for bitcoin, then yes, a restore would work.
-
Monday 7th March 2016 12:09 GMT Anonymous Coward
Re: "Some of these organisations do not have the latest backup [systems] installed"
"Depends on the ransomware, some sit there dormant for a little while before "showing" off to the end user. That way they have a chance to have encrypted some of the documents in the backup."
Could be identified by looking for suspicious activity - i.e. sudden influx of backup data from a specific backup job, be that volume of data or number of files. You will get more false flags than genuine incidents, but it depends on how seriously you take the risks and how much time and effort you want to put in.
Automation will help spot an exception but whether it's a false flag or not will likely need human intervention, there are *unfortunately/fortunately* (it's your perspective) a few HPE staff coming onto the job market who probably have the right security clearances to check.
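The backup-volume check described above, as an added example that is not from this thread: constructed backup job log lines (not real data) are baselined per job, and a run is flagged when its file count or byte volume jumps to several times that job's median. The log format, job names and the 3x threshold are assumptions; the hr-share job includes a legitimate 2x bump to show what stays below the threshold.

```python
import re
from statistics import median

# Constructed sample log, one line per nightly run of a backup job (not real data).
# The last fileserver-docs run is the spike the comment describes: ransomware rewriting
# thousands of documents makes the incremental backup balloon overnight.
BACKUP_LOG = """\
2016-02-22 job=fileserver-docs files=1210 bytes=4300000000
2016-02-22 job=hr-share files=300 bytes=900000000
2016-02-23 job=fileserver-docs files=1190 bytes=4250000000
2016-02-23 job=hr-share files=310 bytes=910000000
2016-02-24 job=fileserver-docs files=1305 bytes=4400000000
2016-02-24 job=hr-share files=290 bytes=880000000
2016-02-25 job=fileserver-docs files=1250 bytes=4320000000
2016-02-25 job=hr-share files=305 bytes=905000000
2016-02-26 job=fileserver-docs files=1180 bytes=4280000000
2016-02-26 job=hr-share files=620 bytes=1800000000
2016-02-29 job=fileserver-docs files=9870 bytes=31000000000
"""

LINE_RE = re.compile(r"^(\S+) job=(\S+) files=(\d+) bytes=(\d+)$")

def parse(log):
    """Parse the assumed log format into one dict per backup run."""
    runs = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            runs.append({"date": m.group(1), "job": m.group(2),
                         "files": int(m.group(3)), "bytes": int(m.group(4))})
    return runs

def flag_runs(runs, ratio=3.0, min_history=3):
    """Return (date, job, metric, multiple) for runs whose file count or data volume
    is at least `ratio` times the median of that job's earlier runs. Each job has its
    own baseline; the median stops a single outlier from dragging it upwards."""
    history, alerts = {}, []
    for run in runs:
        past = history.setdefault(run["job"], [])
        hits = []
        if len(past) >= min_history:
            for metric in ("files", "bytes"):
                base = median(r[metric] for r in past)
                if run[metric] >= ratio * base:
                    hits.append((run["date"], run["job"], metric, round(run[metric] / base, 1)))
        alerts.extend(hits)
        if not hits:  # flagged runs stay out of the baseline until a human clears them
            past.append(run)
    return alerts
```

Each alert still needs a person to decide whether it is a genuine incident or a planned bulk change, which is the false-flag trade-off the comment points out.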
-
Friday 4th March 2016 13:22 GMT Pascal Monett
"providing organisations have the correct security measures in place"
Yes, I do believe that that is a sine qua non condition.
Good on them for having done so. And damn right to be smug about it too. Now can we have a report on their IT infrastructure, to make a blueprint for all the ones who don't have it right?
Maybe some of the others will see the light.
-
Friday 4th March 2016 13:45 GMT Loud Speaker
The latest backup technology?
I have had tape backup since 1973, and my mother had it before me. LTOx works fine, and has been around for at least 10 years. I doubt many people still use 556BPI 7-track tape.
Today's tar is only marginally better than 10 year old versions - it is compatible with tar from 1996 (possibly older, but I no longer have any tapes older than that to prove it).
Of course, if you use proprietary backup software instead of open source, you probably won't be able to read your old tapes - I should know - I wrote some of it!
-
Friday 4th March 2016 13:57 GMT Anonymous Coward
What I don't get is why organisations don't use whitelists. Yes, you can still have access to Amazon to do your shopping during your lunch break but if an idiot clicks on a dodgy link, it should be blocked and IT notified of who is stupid enough to click dodgy links so they can be trained properly how to use a computer or have the facility removed from them.
-
Friday 4th March 2016 15:40 GMT Alister
@AC
What I don't get is why organisations don't use whitelists.
This is almost certainly not how the infection was introduced, it is much more likely to have been an infected attachment in an email.
And whilst you can try to minimise the risks there, (and software is available to catch most known infections) if you are in a public service environment like a local council, you cannot just block all emails with attachments, or from unknown addresses, as you will receive hundreds of perfectly legitimate emails which look just like the dodgy ones.
-
Friday 4th March 2016 16:30 GMT Anonymous Coward
Yes, it's almost definitely not how the infection was introduced, but some sort of sandbox/kiosk for users to do their private browsing from would be far better than allowing relatively unfettered 'net access from a 'work' PC. And surely it's not that difficult to at least quarantine executable attachments; I was able to do that with email servers back in 2000, so I feel it should be a fairly simple task even in these advanced days.
-
Saturday 5th March 2016 07:29 GMT Reality Dysfunction
Quarantining executable attachments would include every doc, docm, xls, xlsm, pdf, rtf.
This probably covers at least a few thousand a day. Are they going to employ an entire call centre to look at these emails and evaluate them and release them every day?
And that's just the basic office executable attachments, ignoring the more esoteric ones and links.
Also having run the major malicious TeslaCrypt, Locky attachments and Angler links my organisation received through testing last week no major AV vendors identified them for the first 12 hours.
Links for these things are often to a hacked subdomain of a valid site in order to defeat category based web filtering, they then go on a round robin of scripts based on the identity of the browser to evade checks.
If you are in a Large Organisation, even with filtering, application control, AV, AppSense and email content control, the only thing between you and ransomware is Luck.
-
Saturday 5th March 2016 08:01 GMT Rich 11
"If you are in a Large Organisation, even with filtering, application control, AV, AppSense and email content control, the only thing between you and ransomware is Luck."
And user education, but staff turnover constantly works to undermine that. Unfortunately, staff induction sessions don't take place before the new person sits down at a computer.
-
Saturday 5th March 2016 17:20 GMT rally_champ
>user education
As Reality Dysfunction says above: Links for these things are often to a hacked subdomain of a valid site in order to defeat category based web filtering.
How would user education prevent that?
My dad's pc was infected with TeslaCrypt a couple of weeks ago and as far as I can tell he got infected through a sub-domain in one of his regular far-east supplier's website. His free McAfee failed to protect him and his external back-up was also encrypted. I wiped his hdd and did a fresh install of Win7. Fortunately all his docs were retrievable from Hotmail and I have copies of all his (good) photos.
-
Saturday 5th March 2016 11:26 GMT Anonymous Coward
While this is noble in intention, the idiots you speak of are legion. The overwhelming majority of these workers I've encountered literally have rudimentary skills only to facilitate doing their job and little else - click this button, that button, 'go to that screen' etc. You're talking about constant re-training of an entire workforce.
IMHO the social engineering risk to security is equal to the technological in public organisations and while you could in theory have great security training, there's never any guarantee that it's going to sink in for the great majority - some of whom still resent even having to use a computer full stop.
-
Friday 4th March 2016 23:01 GMT TonyJ
Re: AppSense
"Surely you can do this with a well setup Windows security policy rather than having to use third party software?"
Sort of but then you're managing dozens or more of program hashes (for dependent executables and binaries too) or you revert to executable names as updates will alter the hashes and then users can simply rename files.
I should really caveat that - it's been several years since I looked into it on a purely Windows based offering. AppSense just works. And can log.
-
Friday 4th March 2016 16:46 GMT Adam JC
ESET
I think it's worth mentioning that ESET provide the AV software that a large proportion of LAs and Councils use.
That said, I'm impartial as we use and resell ESET at work and I can't fault it apart from their little booboo the other day with the false positives (Which didn't really do anything other than disrupt browsing experiences somewhat, for an hour or so).
-
Friday 4th March 2016 22:30 GMT Anonymous Coward
A role for the ISPs here?
* It's going to take years (if ever) to get the 'cryptolocker' message out to councils, hospitals, NGOs and other orgs, never mind small-biz and home-users....
* In past discussions, people asked if ISPs could directly help more (for a fee), especially since Governments are forcing them to snoop on us anyway...
* Couldn't ISPs build virus / malware filters into download data-streams?
* If it's technically possible, would it require Phorm-like intrusion into everybody's lives?
-
Saturday 5th March 2016 13:49 GMT John Brown (no body)
Re: A role for the ISPs here?
"Phorm only have their claws stuck into users stupid enough to connect through Virgin (On The Ridiculous)."
FWIW, Phorm and VM never got past the talking stages and have pulled out of the UK completely some years ago. Phorm currently have a share trading embargo and an almost zero value while they try (and hopefully fail) to secure further funding.
-
Sunday 6th March 2016 00:14 GMT Anonymous Coward
Re: A role for the ISPs here?
Ok, forget ISP involvement. But if everything is left up to the user or their org then nothing will get done. All it takes is one vulnerable machine or one dumb user to open an attachment and data is cryptolocked forever!
So, how about making web-browsers block users from opening email attachments?
Or having Windows / Linux / iOS, quarantine files downloaded from the web by default?
-
Saturday 5th March 2016 14:06 GMT TeeCee
If there are any crooks reading this......
.....here's a great idea for a money spinner.
Provide the service from somewhere untouchable. The service is that, when hired, you track down by any means the scrote who dumped ransomware on your client. You then blowtorch his feet until he discloses the decryption keys and finally dump him in concrete somewhere.
The beauty here is that while this is undoubtedly illegal and highly profitable, nobody's going to look into it too hard.....especially if you make sure the aforementioned concrete is not going to be disturbed for a long time.
-
Sunday 6th March 2016 17:43 GMT Anonymous Coward
Re: If there are any crooks reading this......
Why waste expensive concrete? Make them dig a deep hole and stand in it. Backfill it up to waist level for the "negotiation" phase. Then (irrespective of the outcome of the negotiations) complete the backfill.
Simple, cheap, environmentally friendly, total investment - one spade, reusable for the next job.
Edit: Apparently I have ten minutes to make this post better. And there was me thinking it was small and perfectly formed in the first place.
-
Sunday 6th March 2016 22:59 GMT Vic
Re: If there are any crooks reading this......
"The beauty here is that while this is undoubtedly illegal and highly profitable, nobody's going to look into it too hard.....especially if you make sure the aforementioned concrete is not going to be disturbed for a long time."
Is this the real reason for HS2? It would be much more popular than what we're being told at the moment...
Vic.
-