The Pwn Star State: Nearly two dozen Texas towns targeted by tiresome ransomware

Twenty-three towns in Texas have been targeted with ransomware in what appears to be a coordinated attack. On Friday, the Texas Department of Information Resources (DIR), which handles state IT operations, said at least twenty local government entities had been affected. The following day, the DIR said reports from local …

  1. Pascal Monett Silver badge

    So that's how they do it

    "In almost every ransomware attack we've looked at, the company had been compromised six to nine months before the attack was launched," he said, noting that allows the attacker to conduct reconnaissance.

    When I read that line about how attackers start by deleting accessible backups I wondered how they could get to them. If, however, you infiltrate an organization and lay low for months while gathering data on the network, then you have all the time you need to discover network storage and passwords to access it.

    Given that cities are not known for having bank-level network protection, I'm guessing that once in, there won't be much of a warning to IT admins that an enemy process is worming through their systems.

    1. sanmigueelbeer Silver badge

      Re: So that's how they do it

      attackers start by deleting accessible backups

      We've been reading news about how the malicious file and/or trojans have been lying dormant for weeks.

      What if they lie dormant for MONTHS (and progressively change filenames)?

      So when you pull your backup tapes, the malicious files get loaded. Again. The cycle repeats: the malware doesn't strike until several months have passed.

      Then no one has a choice but to pay up.

      1. Adrian 4 Silver badge

        Re: So that's how they do it

        But why would you restore an entire system image, complete with malware? Surely you'd just restore lost data.

        1. NiceCuppaTea

          Re: So that's how they do it

          If I were writing such malware I would embed a copy of my remote access code in every PDF file found during the recon phase, as we all know PDFs are a cracker's wet dream with the amount of security vulnerabilities.

          Maybe also embed myself in some services like print spooler to re-enable my remote access after the restores have taken place.

          If a cracker has had access for any period of time then you have to assume your entire estate is compromised and take appropriate steps; this is why the fundamental security principles must be adhered to at all times.

          Least privs to be able to do your job, firewalls should never be turned off even when only on the LAN, firewalls tuned to only allow things you are expecting, unused services turned off etc etc etc. In this day and age your LAN is only marginally safer than the internet and should be treated as such.

      2. c1ue

        Re: So that's how they do it

        A couple of notes:

        1) Tape backups are difficult if we're talking about hundreds or thousands of PCs scattered across multiple departments and locations. A local government typically has responsibilities ranging from police and fire, to voting, to school districts, to courts, and may also handle utilities like garbage collection, water and even power.

        2) Automated backup services use standard processes. It is trivial to identify those. VSS copies are equally trivial to detect.
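The flip side of c1ue's point is that the same commands are just as easy for the defender to spot: shadow-copy and backup-catalog deletion is one of the few things ransomware almost always does before it encrypts, and it shows up in ordinary process-creation telemetry. The following is an added example (not from The Register or any commenter) that runs a handful of detection rules over constructed Sysmon-style process-creation events; the field names (`Computer`, `User`, `CommandLine`) and the sample hosts and users are assumptions made for the example and should be mapped to whatever your own SIEM or EDR emits.

```python
"""Flag process-creation events that look like backup / shadow-copy tampering.

Added example for this comment thread; not code from The Register or any
commenter. The log lines below are constructed in the shape of a Sysmon
Event ID 1 (process creation) export: one JSON object per line. Field names
are an assumption for this example.
"""
import json
import re

# Each rule: (name, MITRE ATT&CK technique, compiled regex over the command line).
# These are the widely documented recovery-inhibiting commands; matching is
# case-insensitive because the tooling accepts any casing.
RULES = [
    ("vssadmin shadow deletion", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy deletion", "T1490",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("Windows backup catalog deletion", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("backup/VSS service stopped", "T1489",
     re.compile(r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b.*\b(vss|sql|backup)", re.I)),
]


def classify(event: dict) -> list:
    """Return the names of every rule the event's CommandLine matches."""
    cmd = event.get("CommandLine", "")
    return [name for name, _technique, rx in RULES if rx.search(cmd)]


def scan(lines):
    """Yield (host, user, rule_name) for every alert found in an iterable of JSON lines."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline would count and report these
        for name in classify(event):
            yield (event.get("Computer"), event.get("User"), name)


def alerts_for(lines) -> list:
    """Convenience wrapper returning the alerts as a list."""
    return list(scan(lines))


# Constructed sample events (not real telemetry). The third line is a benign
# admin listing shadow copies and must not fire; the fourth is ordinary desktop use.
SAMPLE_LOG = r"""
{"EventID":1,"Computer":"WS-FINANCE-07","User":"CITY\\jdoe","Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe Delete Shadows /All /Quiet"}
{"EventID":1,"Computer":"WS-FINANCE-07","User":"CITY\\jdoe","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic shadowcopy delete"}
{"EventID":1,"Computer":"SRV-BACKUP-01","User":"CITY\\backupsvc","Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe list shadows"}
{"EventID":1,"Computer":"WS-CLERK-02","User":"CITY\\asmith","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe C:\\Users\\asmith\\notes.txt"}
{"EventID":1,"Computer":"WS-FINANCE-07","User":"CITY\\jdoe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net stop vss"}
"""

if __name__ == "__main__":
    for host, user, rule in alerts_for(SAMPLE_LOG.splitlines()):
        print(f"ALERT {host} {user}: {rule}")
```

Three of the five constructed events fire (two shadow-copy deletions and the service stop on the same workstation and user), the `vssadmin list shadows` run by the backup account does not. In practice the rule set is a starting point rather than a complete one: the useful signal is a workstation user running any of these at all, which is why the alert carries host and user and why these commands are worth forwarding from every endpoint, not just servers.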

    2. GnuTzu

      Re: So that's how they do it

      And, that's why offline backups are the only true guard against ransomware.

  2. Adrian 4 Silver badge
    Holmes

    Officials suspect a coordinated extortion campaign

    No shit, Sherlock.

    Couldn't it just be a coincidence?

    1. Doctor Syntax Silver badge

      Re: Officials suspect a coordinated extortion campaign

      I suppose it's a bit like why armed robbers hit banks rather than, say, second-hand bookshops. It's where they keep the money. If city administrations are poorly defended and provide essential services it's going to be more lucrative than going after Joe Soap's holiday snaps.

  3. Alister Silver badge

    Currently, Vital Statistics remains offline

    He was the village Chief in Asterix wasn't he?

    1. Tom Paine
      Happy

      The reason I look a little on the stout side is that I fell into a cauldron of beer when I was a baby...

  4. TeeCee Gold badge
    Facepalm

    Coordinated?

    Twenty-three towns in Texas have been targeted...

    All this shows is that everything is bigger in Texas. I think we knew that.

  5. Anonymous Coward
    Anonymous Coward

    All your base are belong to us

  6. Snorlax
    Facepalm

    Yet Again...

    Just a few things:

    Train your users NOT. TO. CLICK. ON. EMAIL. LINKS. OR. ATTACHMENTS. WITHOUT. THINKING.

    Have a working endpoint solution.

    Have offline backups. Not a single DAT that's been in the drive for the last three years.

    Have working, regularly tested backups.

    Patch your machines. The vulnerability leveraged by Sodinokibi was patched by Microsoft in October 2018.
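"Working, regularly tested backups" means more than the job reporting success: a restore has to be checked against what was actually backed up before it goes back into production, which also covers sanmigueelbeer's worry above about backups quietly carrying things that were not there originally. The following is an added example (not from The Register or any commenter) of the simplest version of that check: a manifest of SHA-256 digests taken at backup time, kept where the backup host cannot rewrite it, and compared against the restored tree. The directory layout, file names and contents are constructed inline so it runs offline in a temporary directory.

```python
"""Record a backup manifest and verify a restore against it.

Added example for this comment thread; not code from The Register or any
commenter. Everything below operates on a temporary directory with
constructed files.
"""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time.

    Returns three sorted lists:
      missing    - files in the manifest that did not come back
      modified   - files whose content differs from the recorded digest
      unexpected - files present in the restore that were never backed up
    A clean restore has all three empty.
    """
    current = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: back up three files, then tamper with the restored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "live"
        (src / "records").mkdir(parents=True)
        (src / "records" / "permits.csv").write_text("id,owner\n1,Smith\n")
        (src / "records" / "budget.xlsx").write_bytes(b"PK\x03\x04 constructed")
        (src / "readme.txt").write_text("city hall file share\n")
        manifest = build_manifest(src)  # in practice: store on offline/write-once media

        # Copy the tree, as a restore job would.
        restored = Path(tmp) / "restore"
        restored.mkdir()
        for rel in manifest:
            dst = restored / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            dst.write_bytes((src / rel).read_bytes())

        # Simulate a restore that does not match what was backed up: one
        # document altered, one file added, one file lost.
        (restored / "records" / "permits.csv").write_text("id,owner\n1,Smith\n2,Mallory\n")
        (restored / "records" / "update.exe").write_bytes(b"MZ constructed")
        (restored / "readme.txt").unlink()
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

The manifest has to live somewhere the backup host cannot overwrite, otherwise whoever can alter the backup can alter the digests to match. It also only proves that the restore reproduces what was backed up; it says nothing about whether what was backed up was clean, which is the separate problem of a long-dormant intruder, and the reason the thread keeps coming back to offline copies and restoring data rather than whole images.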


Biting the hand that feeds IT © 1998–2021