
Zero Day Exploit
My big fat white yorkshire arse.
More likely some big cheese demanded he didn't have the restrictions foisted upon mere mortals, or, the AV software was out of date.
Either way, guffaw....
Lincolnshire County Council's IT is back up and running after the council shut everything down last week following a ransomware attack in which the attackers turned out to have asked for a mere £350. Despite the BBC reporting that the council had been hit by a £1m ransom, a spokesperson told The Register that it had only been …
It sounds like CryptoWall. Those cyber crims are jolly nice fellows though.
Had a client who got hit by it, we asked the crims to extend the deadline to allow the Bitcoins to clear and they extended by 2 weeks, more than enough time to restore from backups and clear up the mess.
Watch those Amazon emails with zip file attachments. Stay safe kids.
"This was what's termed as a zero-day attack, which means when it hit us the security software providers hadn't seen it before."
Er, no. It does not mean any such thing. Your Serco parasite is lying to you, shit for brains.
Zero Day Exploit... My big fat white yorkshire arse.
Well, that's quite a vision. Thanks.
I'm hoping someone is going to use an FoI request to force disclosure of exactly which piece of malware this was such that we can determine for ourselves that this wasn't a zero day exploit, and more closely aligns with the zero competence exploit that we're all expecting.
El Reg, unleash the investigative hounds!
I'm guessing the IT service providers, or the AV company told them it was 'It was a zero day, That's why it wasn't stopped' and they have no reason not to believe them.
I've been told that an Excel macro virus was 'A Zero Day' just because the AV signatures didn't pick it up. The AV crowd have realised that if they define 'Zero Day' as 'Anything we miss' they can get away with murder.
^^^^ her big fat yorkshire thing ^^^
Bet it was a simple forged email link posing as LinkedIn or Facebook. Seen it happen in even the most paranoid of companies, one thoughtless click and suddenly a Russian ferret is alive in the network encrypting your MSql servers.
Turn it all off, restore from backups, virus check all the laptops, ta-da, back to normal.
"Forget the ransom. The disruption to normal operations will have cost far more than 350 quid."
And you have a guarantee that that would be a one-time-only deal, and you would get the files decrypted? Untrustworthy sorts, these criminals.
Alternatively, chalk the cost up as a dress rehearsal training exercise, and it's fine.
£350 is probably less than they spent on the third undersecretary to the janitor's deputy assistant's taxi fares last week.
A cheap lesson at 100X the price.
Pay it.
See if you get your data back.
Meanwhile, dismiss the clowns and assemble a small in-house team of competent IT professionals to do things properly.
Judith sounds to me a lot like one of those CIOs who place a strong strategic focus on the Chief and Officer side of things (and don't you forget it mate!) but prefers to deploy a light touch approach to the Information part, which is after all jolly hard to understand and is probably best left to others.
Who's their security vendor so I can avoid them - I've seen Serco mentioned? Colour me surprised...
Somehow I doubt that IF someone were to find themselves in possession of a 0 day, they would waste it on a scatter gun attack or indeed a targeted attack at a local council...
What a load of rubbish. I imagine all that's happened here is that someone opened an attachment with a cryptolocker type of variant.
It then sat there encrypting the stuff on the local drive, then carried on through the various network mapped drives. Because that's what it does. Perhaps more than one user did this, and so it took less time than it might on its own from a single machine.
Either way, the non-targeted ransom, the descriptions given after you remove the bull suggest nothing more sinister than that. Yet more reasons why people should start taking security seriously. And that doesn't mean installing Norton, or Sophos or whatever your preferred flavour of useless anti-malware is.
The real question is just how long was it sitting there encrypting stuff...
I suspect it is this time lapse/disconnect between the cryptolocker app getting installed and either it being detected or in this case making itself known, that is causing problems and hence why people talk about zero day. Because obviously whatever downloaded it (a trojan downloader?) was able to be downloaded, install and execute without being detected by the security software (email scanner and/or PC security suite). Additionally, the payload (the cryptolocker app itself) wasn't triggering anything on download, install or execute.
The good news is that this story has reached the BBC main News and so some in senior management will now be aware of security issues and perhaps might be receptive to some security consultancy...
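The two posts above describe the same behaviour from different ends: the malware encrypts the local drive, then walks the mapped network drives, and the damage goes unnoticed until it makes itself known. The following is an added example, not code from the article, the council, or any commenter, showing one defender-side check that catches that pattern from file-server audit data: a burst of renames that change a file's extension, spread across several drive letters, from a single host. The event format, host names, paths and timestamps are all constructed here for illustration; the window and threshold are assumptions to be tuned against a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (hypothetical, not from any real log).
# Format: "<ISO timestamp> <host> <user> <op> <path>"; a RENAME carries "old|new".
SAMPLE_EVENTS = r"""
2016-01-27T08:00:01 PC042 jsmith RENAME C:\Users\jsmith\Documents\q3.xlsx|C:\Users\jsmith\Documents\q3.xlsx.locked
2016-01-27T08:00:05 PC042 jsmith RENAME C:\Users\jsmith\Documents\minutes.docx|C:\Users\jsmith\Documents\minutes.docx.locked
2016-01-27T08:00:09 PC042 jsmith RENAME C:\Users\jsmith\Pictures\holiday.jpg|C:\Users\jsmith\Pictures\holiday.jpg.locked
2016-01-27T08:00:20 PC042 jsmith RENAME H:\reports\2015\budget.xlsx|H:\reports\2015\budget.xlsx.locked
2016-01-27T08:00:31 PC042 jsmith RENAME H:\reports\2015\forecast.xlsx|H:\reports\2015\forecast.xlsx.locked
2016-01-27T08:00:41 PC042 jsmith RENAME S:\shared\planning\roads.pdf|S:\shared\planning\roads.pdf.locked
2016-01-27T08:00:02 PC017 abrown RENAME C:\Users\abrown\Downloads\draft.tmp|C:\Users\abrown\Downloads\draft.docx
2016-01-27T08:00:12 PC017 abrown RENAME C:\Users\abrown\Downloads\draft.docx|C:\Users\abrown\Downloads\final.docx
2016-01-27T08:00:50 PC017 abrown WRITE C:\Users\abrown\Downloads\final.docx
"""


def parse_events(text):
    """Turn the audit text into a list of event dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, op, path = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "op": op, "path": path})
    return sorted(events, key=lambda e: e["ts"])


def file_ext(path):
    """Extension of a Windows-style path, lower-cased, '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def drive_of(path):
    """Drive letter of a path ('C', 'H', ...), or 'UNC' for \\server\share paths."""
    return path[0].upper() if len(path) > 1 and path[1] == ":" else "UNC"


def detect_bulk_rename(events, window_seconds=60, threshold=5):
    """Flag hosts that rename >= threshold files to a new extension inside one
    sliding window. Returns {host: finding}; finding records when the activity
    started, when the rule fired, the dwell time in between, and the drives
    touched by that host overall (local and mapped), which is the spread the
    posts above describe."""
    per_host = defaultdict(list)
    for e in events:
        if e["op"] != "RENAME":
            continue
        old, new = e["path"].split("|", 1)
        if file_ext(old) == file_ext(new):      # an ordinary rename; ignore
            continue
        per_host[e["host"]].append((e["ts"], new))

    findings = {}
    window = timedelta(seconds=window_seconds)
    for host, items in per_host.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                first_seen, triggered = items[0][0], items[end][0]
                findings[host] = {
                    "first_seen": first_seen,
                    "triggered_at": triggered,
                    "dwell_seconds": (triggered - first_seen).total_seconds(),
                    "count": end - start + 1,
                    "drives": sorted({drive_of(p) for _, p in items}),
                }
                break
    return findings


if __name__ == "__main__":
    for host, f in detect_bulk_rename(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {f['count']} extension-changing renames in window, "
              f"started {f['first_seen']}, fired {f['triggered_at']} "
              f"(dwell {f['dwell_seconds']:.0f}s), drives {f['drives']}")
```

On the constructed input only PC042 is flagged: five extension-changing renames within the 60-second window, first seen at 08:00:01 and fired at 08:00:31, across the C:, H: and S: drives. PC017's two renames (one changes an extension, one does not) stay below the threshold. The caveat is that a backup or archiving job can produce the same shape, so the threshold and window need tuning, and the dwell figure only measures what the audit log can see; it cannot recover time spent before logging began, which is the real unknown in the "how long was it sitting there" question.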
Had this at the beginning of November (so much for 0-day). Went straight through Messagelabs and McAfee and one person opened it (actually they replied to the email complaining the attachment didn't work).
3 hours downtime while we isolated the workstation and restored from most recent shadow copy (only took that long as DFSr had to be disabled and cleaned).
We were in the middle of migrating to Avast which caught this particular variant.
Good news is much higher awareness of cyber security within the company.
I read that on the BBC a couple of days ago and I laughed so hard some wee nearly came out.
Amazing to see some lazy IT manager trying to divert the blame as though it was an alien invasion or something. I bet the backside covering and buck passing has been legendary over there the past few days.
Seen a lot of people hit by this over the past 2-3 years. The main problem I can see is companies or groups using exchange servers with little or no email malware scanning. Push your email through the likes of Gmail etc. and it takes care of all that.
I've been using FoolishIT's Cryptoprevent for some time now. Even the free default version can limit the damage if it's kept up to date occasionally.
Bollocks.
Also, quite a few of the newer copycat variants of cryptowall have had serious flaws.
A client of mine got infected last year but because they reported it swiftly I was able to hunt down the keys and decrypt it all myself.
The key was stashed in a registry key and a rather helpful chap somewhere on the intertubes had released an open source tool for an older variant to decrypt with. I made some small tweaks and boom.
My money is on incompetence and faffing.
"Also, quite a few of the newer copycat variants of cryptowall have had serious flaws."
The authors of TeslaCrypt 3, which hit my cousin, have learned from the security analysts' work on 1 & 2 and it's new so maybe this is the zero day. So far there isn't a key recovery mechanism AFAICS but I think I've got back most if not all of my cousin's files.