Careless Licking gets a nasty infection: County stiffed by ransomware A county in Ohio, US, has had to shut down its entire IT infrastructure due to a ransomware outbreak. Licking county has turned off all phones and computers on its government network in order to stop the spread of malware that had been locking down infected PCs and demanding payments. According to local news station WBNS, the …
Hmm yes I have a great idea lets name a county after a thing that for health purposes we try to train out of everyone starting as young children.
Oh well if we get infected out here in my home of Middle Sex County I fully expect The Reg to headline that with "Software Transmittable Disease" or similar.
I'm confused...how are these organizations getting to many computers infected at once. I've cleaned over a dozen of the various ransomware infections and they don't spread from PC to PC..they hit the local users PC and then start hitting network drives (which if the org is smart does shut down).
Do they have 1000 people all clicking the same stupid link at the same time or what?
I also don't understand why media keeps calling it a hack..its not a hack..its a stupid user clicking something in an email...no one came in from the outside to exploit them..they exploited themselves from the inside by a privileged user.
Like saying the bank was broken into by robbers when it was the night manager who walked into the open safe and fileld a backpack. That's not a breakin...that's theft from within.
From what I have read there are some versions of Ransomware and Trojans that will sweep through a network. It searches out the computers and then do the evil work.
What I do not understand is why many businesses, government offices, and corporations do not keep an isolated secondary backup system. Only when they are sure the systems are working safe and proper they connect the secondary backup system to do the updates. When all if finished this secondary backup system is disconnected. Along with this system they have to have an independent startup disk to allow access to the isolated backup.
With the investment of the dollars required, and employing the proper knowledgeable IT people it is possible to have a reliable recovery system in place.
Education of the staff about secure practices, employing proper protection, and screening all emails is safer answer. This also has a cost, but in the end this cost may work out much cheaper than having a complete system taken down. Most of these types of entries are caused by the users not being aware!
The ransomware is operating at the Firmware level, rewriting your bios, typically a VIA chip on your motherboard, and some firmware of hard drives. Western Digital and Samsung are especially effected, but Hitachi's and Fujitsu's are not from what I have seen. It works in both Windows XP, 7 & 8, and various versions of Linux, going back to Gutsy Gibbon on Ubuntu, but seems to affect debian distro's including Kali, Parted Magic, Linux Mint, Raspbian and also updates the firmware of RaspberryPi's.
Its a good bit of malware exploiting the IEE standards.
For example, if you put a bios password in place to prevent setup changes and/or OS loading, once you have loaded the OS, you'll note you can update the bios from within Windows or Linux, so the charade of bios security is non existent. With regards to hacking the firmware of hard drives, this practice goes back to the 90's and in my tests, the malware even works on Bios found in PC's built in 2004 infecting the hard drives firmware of those machines.
A bios will always load a USB device first and the latest UEFI standard even allows drivers to be remotely loaded/unloaded so theres nothing stopping this malware from spreading unnoticed as Antivirus simply doesn't look at firmware. Theres millions of device's that have been hacked, now you know why the Chinese wont allow their own branded android phone's to have the firmware be updated.
"The ransomware is operating at the Firmware level, rewriting your bios, typically a VIA chip on your motherboard"
No it isn't. The only malware that generally does that is government issued.
This is just Ransomware that is likely being spread by hackers manually once they have a foothold in a network from careless admins, and have captured some admin credentials....
I've cleaned over a dozen of the various ransomware infections and they don't spread from PC to PC..they hit the local users PC and then start hitting network drives (which if the org is smart does shut down).
Do they have 1000 people all clicking the same stupid link at the same time or what?
You're way out of date. Infections can and do spread via networks without users' action (except that first one clicking on a dodgy link or document infecting their PC). The infected PC then scans the LAN for any systems that run software with remotely exploitable vulnerabilities. Network file and printer sharing is also used. And especially ransomware will first try to infect as many systems as possible before activating its payload (and only some time after that will it actually lock the files and display its demands).
Thankfully I guess my clients infections have been out of date (or we've successfully prevented the nastier versions). I know there are lots of network propogation virus's, but we just haven't had any clients click a link or open an email and have it spread to anything but the file server yet.
I've cleaned cryptov3, Osiris, locky, some weird Russian named one) and one other one I've forgotten.
all these hit the local PC (or citrix server) and was relatively quick and easy to find with Windows file screens alerting and the home drives usually the very first drive to get hit (so we've known who got hit and from there we could find them relatively quickly)
Would suck to have those buggers jumping machine to machine. We typically put interactive users in the local administrators group (because lets face it, trying to tell small business they can't be local administrators is usually a hill not worth dying on) so maybe we've been preventing the spread without realizing it.
Rebuttal
I understand shutting them down to enable them to find the impacted machine and prevent any more chaos, however. Question still stands
According to local news station WBNS, the move was made Tuesday evening when officials found that more than one thousand county PCs had already been infected with the ransomware
How did they manage to infect 1000 PC's...not servers some user had access to...1000 other PC's on the network.
For one thing, more than one user could have opened the same phishing email that was sent to the county. Since the article isn't clear you can't be sure; but one thing you can count on - just as some other posts here point out, the cryptolocker type viruses don't necessarily need to spread as much as they need to seek machines to encrypt. They can do this using networking methods, and can even go out to the cloud to look for backup files to encrypt. Anyone of the machines would be looking for all other machines with files on it, especially servers.
The sad part is that no variant of ransomware I've heard of can get past a properly set up machine and/or LAN if the administrative tools are setup properly; but rarely is that preventative measure taken. All it takes is a server with an MMC and a good group policy configured on it to control encrypting permissions on the entire network. There is a software company called Foolish IT that does this for you, using a configuration tool, for a fee. For individuals you can download this tool for free, and use it if you have a professional license on a Windows OS. You have to manually check it for updates regularly as Foolish IT keeps ahead of the criminals. I wouldn't doubt that one who has a MSCE education and has experience editing group policy objects, could do it themselves. However it may take 100 or so, settings and actions to get a thorough job done. There may even be snap-ins for the MMC available at Microsoft , if one were to know where to look.
Another good alternative is buying an enterprise license for MBAM and install that on the server. It has a ransomware protection module that so far has been able to whip any variant that has come out so far. The only problem with that is probably that local governments are loath to spend any money like that on prevention - but unless you are VERY careful how you back up your systems, that is the only way to recover cheaply from such an attack. I say the money is well spent for prevention, and using both methods to keep such a nasty event from occurring in the first place. Unfortunately, even with training, I wouldn't be confident you could keep all users from pulling such a stunt as clicking on the wrong email - the phishers are just getting too clever, and could possibly even fool a professional such as myself ( I've seen some doozies)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
