Careless Licking gets a nasty infection: County stiffed by ransomware

A county in Ohio, US, has had to shut down its entire IT infrastructure due to a ransomware outbreak. Licking County has turned off all phones and computers on its government network in order to stop the spread of malware that had been locking down infected PCs and demanding payments. According to local news station WBNS, the …

  1. DNTP

    Licking county

    Hmm, yes, I have a great idea: let's name a county after a thing that, for health purposes, we try to train out of everyone starting as young children.

    Oh well, if we get infected out here in my home of Middle Sex County, I fully expect The Reg to headline that with "Software Transmittable Disease" or similar.

    1. allthecoolshortnamesweretaken

      Re: Licking county / Middlesex county

      I guess their homepages are banned by some ISPs...

      "I've 'eard of unisex, but I've never 'ad it." -- Man in a vintage Monty Python sketch I can't be asked to look up right now

  2. MAH

    I'm confused... how are these organizations getting so many computers infected at once? I've cleaned over a dozen of the various ransomware infections and they don't spread from PC to PC... they hit the local user's PC and then start hitting network drives (which, if the org is smart, it does shut down).

    Do they have 1000 people all clicking the same stupid link at the same time or what?

    I also don't understand why the media keeps calling it a hack... it's not a hack... it's a stupid user clicking something in an email... no one came in from the outside to exploit them... they exploited themselves from the inside via a privileged user.

    Like saying the bank was broken into by robbers when it was the night manager who walked into the open safe and filled a backpack. That's not a break-in... that's theft from within.

    1. Palpy

      Careless licking indeed.

      I remember that from my salad days...

      "...how are these organizations getting so many computers infected at once..."?

      Answer:

      "...all phones and computers on its government network..."

    2. Jerry G.

      From what I have read, there are some versions of ransomware and Trojans that will sweep through a network. It searches out the computers and then does the evil work.

      What I do not understand is why many businesses, government offices, and corporations do not keep an isolated secondary backup system. Only when they are sure the systems are working safely and properly do they connect the secondary backup system to do the updates. When all is finished, this secondary backup system is disconnected. Along with this system they have to have an independent startup disk to allow access to the isolated backup.

      With the investment of the dollars required, and employing the proper knowledgeable IT people it is possible to have a reliable recovery system in place.

      Education of the staff about secure practices, employing proper protection, and screening all emails is a safer answer. This also has a cost, but in the end this cost may work out much cheaper than having a complete system taken down. Most of these types of entries are caused by the users not being aware!

      1. tr1ck5t3r

        The ransomware is operating at the firmware level, rewriting your BIOS, typically a VIA chip on your motherboard, and some firmware of hard drives. Western Digital and Samsung are especially affected, but Hitachi's and Fujitsu's are not from what I have seen. It works in both Windows XP, 7 & 8, and various versions of Linux, going back to Gutsy Gibbon on Ubuntu, but seems to affect Debian distros including Kali, Parted Magic, Linux Mint, Raspbian and also updates the firmware of Raspberry Pis.

        It's a good bit of malware exploiting the IEE standards.

        For example, if you put a BIOS password in place to prevent setup changes and/or OS loading, once you have loaded the OS, you'll note you can update the BIOS from within Windows or Linux, so the charade of BIOS security is non-existent. With regards to hacking the firmware of hard drives, this practice goes back to the '90s and in my tests, the malware even works on BIOSes found in PCs built in 2004, infecting the hard drives' firmware of those machines.

        A BIOS will always load a USB device first and the latest UEFI standard even allows drivers to be remotely loaded/unloaded, so there's nothing stopping this malware from spreading unnoticed as antivirus simply doesn't look at firmware. There are millions of devices that have been hacked; now you know why the Chinese won't allow their own branded Android phones to have the firmware updated.

        1. TheVogon

          "The ransomware is operating at the Firmware level, rewriting your bios, typically a VIA chip on your motherboard"

          No it isn't. The only malware that generally does that is government issued.

          This is just Ransomware that is likely being spread by hackers manually once they have a foothold in a network from careless admins, and have captured some admin credentials....

        2. TheVogon

          "if you put a bios password in place to prevent setup changes and/or OS loading, once you have loaded the OS, you'll note you can update the bios from within Windows or Linux"

          No you can't. It asks you for the password...

        3. TheVogon

          "A bios will always load a USB device first"

          And again nope. It will load according to whatever your boot order is set to. Which for many corporates will disable boot from USB...

    3. IrwinBusk

      Just because something used to be true does not mean it remains true. Everyone who has ever worked in network security and A/V knows this. New variants DO infect other workstations on the domain. Most commonly via DCOM on port 135.

    4. Stoneshop

      Infections via local LAN

      "I've cleaned over a dozen of the various ransomware infections and they don't spread from PC to PC... they hit the local user's PC and then start hitting network drives (which, if the org is smart, it does shut down).

      Do they have 1000 people all clicking the same stupid link at the same time or what?"

      You're way out of date. Infections can and do spread via networks without users' action (except that first one clicking on a dodgy link or document infecting their PC). The infected PC then scans the LAN for any systems that run software with remotely exploitable vulnerabilities. Network file and printer sharing is also used. And especially ransomware will first try to infect as many systems as possible before activating its payload (and only some time after that will it actually lock the files and display its demands).

      1. MAH

        Re: Infections via local LAN

        Thankfully, I guess my clients' infections have been out of date (or we've successfully prevented the nastier versions). I know there are lots of network-propagation viruses, but we just haven't had any clients click a link or open an email and have it spread to anything but the file server yet.

        I've cleaned cryptov3, Osiris, Locky, some weird Russian-named one, and one other one I've forgotten.

        All of these hit the local PC (or Citrix server) and were relatively quick and easy to find, with Windows file screens alerting and the home drives usually being the very first drive to get hit (so we've known who got hit and from there we could find them relatively quickly).

        Would suck to have those buggers jumping machine to machine. We typically put interactive users in the local administrators group (because, let's face it, trying to tell a small business they can't be local administrators is usually a hill not worth dying on), so maybe we've been preventing the spread without realizing it.
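The detection MAH describes above (file screens alerting on the home drive, and the network drive being shut down as soon as a hit is seen) as an added PowerShell example; this is not code from the thread or from any vendor named in it, and the share root D:\Home, the share name Home$, and the file-name patterns are assumptions.

```powershell
# Added example, not code from the thread. Assumes Windows Server with the
# File Server Resource Manager role installed, a home-drive share rooted at
# D:\Home (assumed path) published as "Home$" (assumed name), and an
# elevated PowerShell session.
Import-Module FileServerResourceManager

# File-name patterns to watch for. These are assumed examples of the kind
# of names encrypted files get (Locky and Osiris are mentioned in the
# thread); keep the list current from your own incident data.
$ransomPatterns = @('*.locky', '*.osiris', '*.encrypted', '*_recover_instructions.txt')

$groupName  = 'Ransomware indicators (assumed)'
$screenPath = 'D:\Home'
$shareName  = 'Home$'

# 1. A file group holding the patterns; update it in place if it exists.
if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $ransomPatterns
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern $ransomPatterns | Out-Null
}

# 2. Actions: log an event naming the writing account and file (this is
#    how "who got hit" is read straight off the home drive), then take the
#    share offline so the encryptor loses its target. FSRM fills in the
#    [Source Io Owner] and [Source File Path] macros when it fires.
$logAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware pattern written by [Source Io Owner]: [Source File Path]'

$cutShare = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\net.exe' `
    -CommandParameters "share $shareName /delete /y" `
    -SecurityLevel LocalSystem

# 3. An active screen on the home-drive root. Active means the write is
#    refused as well as logged, which is the difference between an alert
#    and a mass-encryption event on the file server.
$actions = @($logAction, $cutShare)
if (Get-FsrmFileScreen -Path $screenPath -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen -Path $screenPath -IncludeGroup $groupName -Active -Notification $actions
} else {
    New-FsrmFileScreen -Path $screenPath -IncludeGroup $groupName -Active -Notification $actions | Out-Null
}

Get-FsrmFileScreen -Path $screenPath | Format-List Path, IncludeGroup, Active
```

A screen keyed on file names only catches variants that rename what they encrypt, so pair it with the backup discipline discussed elsewhere in the thread rather than relying on it alone.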

  3. MAH

    Rebuttal

    I understand shutting them down to enable them to find the impacted machine and prevent any more chaos; however, the question still stands:

    "According to local news station WBNS, the move was made Tuesday evening when officials found that more than one thousand county PCs had already been infected with the ransomware"

    How did they manage to infect 1000 PCs... not servers some user had access to... 1000 other PCs on the network?

    1. Palpy

      Well, MAH, I couldn't say.

      Not a network admin. Certainly some malware variants aggressively seek out network connections and spread thereby. But 1000 seems excessive.

    2. Mark 85

      I'm betting it's not 1000. I'd bet it's under 100, but to be safe, shut them all down and check each and every one, and hope like hell you didn't miss the laptop that someone took home that has the infection.

    3. JCitizen

      @MAH

      For one thing, more than one user could have opened the same phishing email that was sent to the county. Since the article isn't clear you can't be sure; but one thing you can count on, just as some other posts here point out, is that the cryptolocker-type viruses don't necessarily need to spread as much as they need to seek machines to encrypt. They can do this using networking methods, and can even go out to the cloud to look for backup files to encrypt. Any one of the machines would be looking for all other machines with files on them, especially servers.

      The sad part is that no variant of ransomware I've heard of can get past a properly set up machine and/or LAN if the administrative tools are set up properly; but rarely is that preventative measure taken. All it takes is a server with an MMC and a good group policy configured on it to control encrypting permissions on the entire network. There is a software company called Foolish IT that does this for you, using a configuration tool, for a fee. For individuals you can download this tool for free, and use it if you have a professional license on a Windows OS. You have to manually check it for updates regularly as Foolish IT keeps ahead of the criminals. I wouldn't doubt that one who has an MSCE education and has experience editing group policy objects could do it themselves. However, it may take 100 or so settings and actions to get a thorough job done. There may even be snap-ins for the MMC available at Microsoft, if one were to know where to look.

      Another good alternative is buying an enterprise license for MBAM and installing that on the server. It has a ransomware protection module that so far has been able to whip any variant that has come out. The only problem with that is probably that local governments are loath to spend any money like that on prevention; but unless you are VERY careful how you back up your systems, that is the only way to recover cheaply from such an attack. I say the money is well spent for prevention, and using both methods to keep such a nasty event from occurring in the first place. Unfortunately, even with training, I wouldn't be confident you could keep all users from pulling such a stunt as clicking on the wrong email; the phishers are just getting too clever, and could possibly even fool a professional such as myself (I've seen some doozies).

  4. Inventor of the Marmite Laser

    unable to process checks.

    CHEQUES, please

    1. Doctor Syntax

      "CHEQUES, please"

      Yes please, preferably big ones. Oh, I see what you mean. Given where it happened I suppose we have to allow for local customs.

  5. Herby

    Maybe they will get serious...

    About the malware and its perpetrators and actually go after them. Last I heard extortion was illegal.

    Maybe it needs to infect a government agency, say the FBI or some such.

    1. Anonymous Coward

      Re: Maybe they will get serious...

      Call me cynical, but I don't expect anything to happen until a Russian government agency gets infected...

      1. Swarthy

        Re: Maybe they will get serious...

        "Call me cynical, but I don't expect anything to happen until a Russian government agency gets infected..."

        And then we will never hear of the infection (or its writers) ever again....
