Ouch: Brit council still staggering weeks after ransomware bit its PCs

A ransomware assault late last month is continuing to affect the operations of Copeland Borough Council in the northwest of England. The processing of planning applications is still being affected weeks after a major cyberattack hit the council in rural North West England. The planning application for a housing development of …

  1. Ken Moorhouse Silver badge

    Councillors...

    ...are considering the idea put forward that Flounderland has a certain ring to it.

  2. Phil Kingston

    I say kudos for a BCP that a) actually existed b) managed to maintain some semblance of front line services.

    1. Lysenko

      ...and I say brickbats for a BCP that needed to be invoked because of such a trivially easy to deflect threat, with an extra side order of brickbat for not having the systems wiped and re-imaged from backup inside 24 hours. You might almost think they don't have an Ansible scripting expert on the payroll! (OK, I exaggerate - they couldn't be that useless).

      1. Anonymous Coward

        Having witnessed the aftermath of a major ransomware attack - before you throw brickbats, be aware of one thing - if the police are involved they may insist that certain machines are left untouched whilst they are reviewing them for evidence.

        This process took 3 weeks in the case I witnessed and hampered the recovery efforts. Not blaming the plod as they are only doing their job, but it does make an instant recovery a lot more difficult if there are certain machines you can't touch.

  3. Anonymous Coward

    Random, malicious, professional?

    I'd have thought you could perm only two of those three.

    Then again, when you're writing excuses for your own incompetence it's best to chuck in the kitchen sink. I see that it was "possibly international"... c'mon guys, say it was Russia. Everybody knows Putin doesn't want those eight houses on Cleator Moor to be built.

    1. katrinab Silver badge

      Re: Random, malicious, professional?

      Professional means they do it for money rather than just to show that they can

      Malicious means they intend to cause damage

      Random means there was no particular reason picking that rural council rather than someone else.

      So yes, I think it can be all three, and probably was.

      1. Trigonoceps occipitalis

        Re: Random, malicious, professional?

        "Professional" implies a certain level of training, skill, experience and, yes, remuneration. It may also imply membership of an institution established by charter.

        Doing it for money implies that you have a job.

  4. fnusnu

    Victim of what?

    The council added that it had been a victim of a “malicious and random professional attack.”

    Or rather of its own IT incompetence.

    1. Halfmad

      Re: Victim of what?

      Any organisation can be hit by ransomware, it's how quickly and effectively they deal with it that shows the underlying skills and understanding their own IT department have of the tech they are using IMHO.

      For this to drag on for weeks makes me think they're reliant on outsourced support in some way either for infrastructure or backups.

      1. Anonymous Coward

        Re: Victim of what?

        Any organisation can be hit by ransomware,

        But most are not badly hit. I've worked for a company with 90,000+ employees across the UK, Europe and US, with about 80-90% having a laptop or desktop. The breadth of the attack surface was immense, and this was a high profile household name with around 15m customers. We were running older versions of Windows, crappy old browsers, but through proper planning, proper controls, proper security management the company didn't get hit by ransomware or related attacks, or rather it did, but they were ineffective, or controlled at the first point of infection.

        Councils and health services have no good excuses - even if you have to run old and unpatched software, there's mitigation strategies that work. Of course, their weak excuses are still much better than those for idiots like Maersk, who have the scale, money, commercial interest to avoid this type of attack, but didn't.

        1. Halfmad

          Re: Victim of what?

          Were? How recent was this?

          Absolutely attacks can be minimised, but that goes back to my initial point about how ICT can deal with it when it happens. I could lock down my own infrastructure far tighter than I have but that requires approval to do it and will require some money to be spent, money that many councils etc don't have to spare.

  5. Dan 55 Silver badge

    "Weeks"?

    If they've taken everything down then weeks is plenty of time to wipe and reimage systems.

    At the very worst you pay the ransomware, get the documents back, and rebuild everything.

    What's going on?

    1. David Neil

      Re: "Weeks"?

      At a guess, lack of staff to do the re-imaging, probably lack of internal knowledge to do full rebuilds of systems and lack of working backups to restore data.

      1. LewisRage

        Re: "Weeks"?

        No automation.

        Each desktop needs re-imaging by hand (perhaps a .WIM on a USB stick or a badly implemented WDS) which needs manual intervention to complete the build.

        Untested backup recovery. No one has heard of an RTO. There's no spare storage to bring up the backups on and no-one wants to just outright wipe the original machines.

        An IT department that consists of 4 helpdesk and 2 'sysadmins' who've never been given the time or money to implement proper systems. Or they are shared services and other councils/departments still need their attention.

        Constant internal wrangling because no-one is willing to make the bold decision in case it comes back to bite them.

        1. Alan Brown Silver badge

          Re: "Weeks"?

          "Untested backup recovery."

          or "backup to disk" - which were online and got encrypted too.

        2. Mark 85 Silver badge

          Re: "Weeks"?

          Constant internal wrangling because no-one is willing to make the bold decision in case it comes back to bite them.

          ^^^^^ Pretty much says it all. And it doesn't seem to matter which country it happened in, be it government or private industry, etc. It's: have the balls to make the decision and then hold the line on that decision. But... profits, job fear, and pressure make weaseling out of a decision preferable.

        3. John Brown (no body) Silver badge

          Re: "Weeks"?

          "An IT department that consists of 4 helpdesk and 2 'sysadmins' who've never been given the time or money to implement proper systems. Or they are shared services and other councils/departments still need their attention."

          I've dealt with a number of council IT departments over the years, more than I care to think about, and you just nailed it. The guys do their best with limited staff and resources on a day to day basis but they definitely DO NOT have any other resources to call on when something big happens.

          One council I dealt with had the cash set aside to replace their ancient desktops just before the last financial meltdown and bought enough new desktops to replace the entire fleet, even renting a small warehouse unit to house them all while being deboxed, imaged and deployed. The financial crash happened, the deployment slowed down drastically 'till eventually not only did they have too many PCs after redundancies but barely had two people left to continue the deployment. Last I heard, the three year on-site warranty was expiring on PCs still in their original packaging.

    2. Dark Lord

      Re: "Weeks"?

      Six weeks since the press statement and still down. Wow, words fail me, it will soon be months! What's going on indeed, who are these guys!!!
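Two points in this subthread are concrete enough to show in code: LewisRage's "untested backup recovery" and Alan Brown's online backup-to-disk that got encrypted along with everything else. The script below is an added example, not code from the thread, from The Register, or from any council's IT team. It assumes a hypothetical backup layout: plain files under a backup directory plus a manifest mapping each relative path to the SHA-256 of the original content, taken when the backup was made. It restores a random sample to a scratch directory, checks every restored file against the manifest, and flags mismatches whose content has near-maximal byte entropy, which is what a ransomware-encrypted file looks like. The sample backup set it builds (including the one file "encrypted" after the manifest was taken) is constructed inline so the script runs offline.

```python
"""Added example (not from the thread or any council's tooling): a restore test
for a backup set that also flags backup files that look ransomware-encrypted.

Hypothetical assumptions: backups are plain files under one directory, with a
manifest mapping relative path -> SHA-256 of the original content. All sample
data is constructed inline so the script runs offline."""
import hashlib
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the input; close to 8.0 means compressed or encrypted content."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def restore_test(backup_dir: Path, manifest: dict, sample_size: int, seed: int = 0) -> dict:
    """Restore a random sample of manifest entries to a scratch directory and verify
    each restored file's hash. Returns counts plus lists of missing / corrupt files,
    and which corrupt files have the entropy profile of an encrypted file."""
    rng = random.Random(seed)
    sample = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    result = {"checked": 0, "ok": 0, "missing": [], "corrupt": [], "encrypted_looking": []}
    with tempfile.TemporaryDirectory() as scratch:
        for rel in sample:
            src = backup_dir / rel
            result["checked"] += 1
            if not src.exists():
                result["missing"].append(rel)
                continue
            dst = Path(scratch) / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            dst.write_bytes(src.read_bytes())  # the actual "restore" step
            if sha256_file(dst) == manifest[rel]:
                result["ok"] += 1
            else:
                result["corrupt"].append(rel)
                # Only the first 4 KiB is needed to tell text/CSV from ciphertext.
                if shannon_entropy(dst.read_bytes()[:4096]) > 7.5:
                    result["encrypted_looking"].append(rel)
    return result


def build_demo_backup(root: Path) -> dict:
    """Constructed sample data: three small files whose hashes go into the manifest,
    then one of them is overwritten with random bytes, simulating an online backup
    share that the ransomware reached after the manifest was written."""
    files = {
        "planning/app-0001.txt": b"Outline application: eight houses, Cleator Moor\n" * 50,
        "planning/app-0002.txt": b"Objection received from neighbouring property\n" * 50,
        "finance/ledger.csv": b"date,ref,amount\n2017-08-01,INV1,120.00\n" * 50,
    }
    manifest = {}
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        manifest[rel] = hashlib.sha256(content).hexdigest()
    (root / "finance/ledger.csv").write_bytes(os.urandom(len(files["finance/ledger.csv"])))
    return manifest


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        manifest = build_demo_backup(root)
        return restore_test(root, manifest, sample_size=3)


if __name__ == "__main__":
    r = run_demo()
    print(f"checked={r['checked']} ok={r['ok']} corrupt={r['corrupt']} "
          f"encrypted_looking={r['encrypted_looking']} missing={r['missing']}")
```

The useful property is that the check runs against a copy, never against the backup in place, and that the manifest lives somewhere the backup share cannot write to; a manifest stored next to the backups would be encrypted or rewritten along with them. Run it on a schedule against a real sample and the first time the "corrupt" list is non-empty is the moment to find out, not six weeks into an incident.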

  6. Will Godfrey Silver badge

    Hmmm

    I wonder if there is a particularly contentious planning application in progress. Not that I'm suggesting anyone would use this to slow things down a wee bit while they consolidate their position.

    1. Anonymous Coward

      Re: Hmmm

      If you want to ramp up the conspiracy theory quotient then bear in mind that I think Sellafield is in Copeland!

  7. 0laf

    If you depreciate your IT services to the point you can't even do the basics like backups then really you've been hoisted by your own petard.

    Management don't like IT unless it involves shiny toys and words like transformation and digital. Workaday stuff like wires and email, nope just make it all go away and bring on the toys.

    1. Anonymous Coward

      These Ard things seem to cause no end of problems, why people keep them as pets if they are that dangerous is beyond me.

  8. HmmmYes

    NotCopingland?

  9. Lysenko

    But fear not !!

    The council has been prioritising "front line services" and clamping down ruthlessly on the inflated cost of coddled back office staff and systems which do not visibly deliver value to "Hard Working Families". So that's all right then.

  10. tiggity Silver badge

    Planning Applications

    There should always be "hard copy" documents for land related stuff (and the land registry itself will have a lot of info, with only some local planning stuff held just by the local council) so little excuse for delays there IMHO

    .. Though that "hard copy" approach is not infallible, if the building that houses those gets burnt down (which happened to friends of mine; fortunately they had retained a 17-year-old piece of paper signed by the council buildings inspector who had passed the work they had done (the inspector was dead by the time they wanted to sell the property)) - none of the old paperwork was ever digitised by the council.

    1. Anonymous Coward

      Re: Planning Applications

      No need for hardcopy although many councils still have those anyway. It's the lack of offsite backups that hurt most and increasingly some don't seem keen to use tapes as a media and rely on networked storage.

      1. Anonymous Coward

        Re: Planning Applications

        If cheaper is better do you get what you pay for?

    2. Alan Brown Silver badge

      Re: Planning Applications

      "Though that "hard copy" approach is not infallible, if the building that houses those gets burnt down"

      That's what fireproof safes are for. They're a lot easier to implement for paper than for media too.

  11. davenewman

    Radioactive ransomware

    Isn't Sellafield in Copeland Borough Council's area?

  12. Anonymous Coward

    File-encrypting ransomware infects 'computers'

    This kind of thing would never happen if people stuck to the industry standard Microsoft Windows



Biting the hand that feeds IT © 1998–2022