Don't let ransomware crooks spend months in your network – like this govt agency did

Lockbit ransomware operators spent nearly six months in a government agency's network, deleting logs and using Chrome to download hacking tools, before eventually deploying extortionware, according to Sophos threat researchers. About a month before the unnamed US regional government agency began investigating the intrusion, …

  1. Pirate Dave Silver badge


    I shoulda been a welder. It's almost like an IT job (especially as a network admin) just isn't worth the money these days, especially in small shops where there's ONE admin, who's also the entire security team. Upper Manglement can't see the point in hiring an actual security guy (until things go to shit and there's a ransomware screen), so all us admins can do is try to keep things patched and locked down, and pray that our antivirus/IDS/IPS and firewall are slightly smarter than the assholes trying to break in and fuck us over.

    Yeah, stacking dimes all day looks pretty good right now.

    1. Potemkine! Silver badge

      You reap what you sow

      You're sooooo right. IT is a cost in the eyes of the beancounters, the ones that often really run the company, costs are bad and must be eliminated, for the sake of shareholders.

      Maintenance in manufacturing is seen as being part of manufacturing, as a productive thing.

      Maintenance in IT is seen as an expense to eliminate.

      1. Terry 6 Silver badge

        Re: You reap what you sow

        Well actually....

        My dad was a factory manager when I was a kid. The owners begrudged every penny spent on maintenance (let alone replacement) for ageing machinery. Dad seemed to spend more time looking at the machines from underneath than from above. And I know his experiences were pretty common in British industry at the time - at least in small manufacturing businesses.

        These days there is the added complication that the beancounters are paid to achieve short term margins.

        I have a sneaky suspicion that many of the offspring of those factory owners of 50 years ago went on to become accountants. Especially since most of those factories closed due to competition from much more efficient, modern overseas manufacturing (long before it was merely a matter of cheap Chinese labour btw). And also to believe that this is how businesses should be run, because that's how daddy did it. And I know there's a contradiction in there. It's a strange paradox.

        (And yes, I've met plenty of people like that).

  2. Kane Silver badge

    This reads like...

    ...a Sophos advert.

    1. Anonymous Coward

      Re: This reads like...

      Well, it kinda is. Up to the point you realise it was their software installed on this network protecting it and the partial aim of this document is finding a way of blaming the client for a bad config and not that their software missed this attack.

      What is the point of a central control panel for Security Software which does not have big red crosses on a screen when things start disappearing?

    2. stiine Silver badge

      Re: This reads like...

      It reads like they want to remind administrators NOT TO DISABLE Tamper Protection.

      1. Anonymous Coward

        Re: This reads like...

        ... and not provide RDP access to the public internet ...

        1. Alan Brown Silver badge

          Re: This reads like...

          This, in spades

          It is (of course) one of the most commonly DEMANDED things by PHBs
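The two points raised in this sub-thread (RDP reachable from the public internet, and the article's note that the intruders deleted logs) are both things a defender can watch for in Windows event data. The script below is an added example, not code from the article, from Sophos or from any commenter: it scans constructed, flattened Security-log records for two well-known signals, a cleared event log (Event ID 1102 for the Security log, 104 for System/Application) and an RDP logon (Event ID 4624/4625 with LogonType 10) arriving from an address outside the organisation's own ranges. The internal address ranges and the sample records are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample records, flattened to key=value pairs per line. They
# stand in for Windows Security log events and are not data from the
# incident the article describes.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.45",
    "EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.20.30.40",
    "EventID=4624 LogonType=3 TargetUserName=jdoe IpAddress=10.20.30.41",
    "EventID=1102 SubjectUserName=svc_backup",
    "EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7",
]

# Address space the (hypothetical) organisation treats as internal; anything
# else is assumed to come from the public internet.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Windows event IDs with well-known meanings:
#   4624 / 4625  successful / failed logon; LogonType 10 = RemoteInteractive (RDP)
#   1102         Security log cleared
#   104          System or Application log cleared
LOG_CLEARED = {"1102", "104"}
RDP_LOGON_TYPE = "10"

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn a 'Key=Value Key=Value' record into a dict (values stay strings)."""
    return dict(_KV.findall(line))


def is_external(addr):
    """True if addr is outside INTERNAL_NETS.

    Windows writes '-' for local logons; that and any other unparseable value
    is treated as not external rather than raising.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def check_event(ev):
    """Return a (rule, detail) tuple if the event should be flagged, else None."""
    eid = ev.get("EventID")
    if eid in LOG_CLEARED:
        who = ev.get("SubjectUserName", "?")
        return ("log_cleared", f"event log cleared by {who}")
    if eid in ("4624", "4625") and ev.get("LogonType") == RDP_LOGON_TYPE:
        src = ev.get("IpAddress", "-")
        if is_external(src):
            outcome = "succeeded" if eid == "4624" else "failed"
            user = ev.get("TargetUserName", "?")
            return ("external_rdp", f"RDP logon {outcome} for {user} from {src}")
    return None


def find_alerts(lines):
    """Run check_event over every record and collect the hits in order."""
    alerts = []
    for line in lines:
        hit = check_event(parse_event(line))
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for rule, detail in find_alerts(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The log-cleared rule is the cheap one: an attacker who wipes the Security log leaves 1102 as the first entry of the fresh log, so a collector that forwards events off the host before they can be deleted keeps that record even when everything before it is gone. The RDP rule only works if the internal ranges are accurate for the site, which is why they are a configuration list rather than a guess from the address itself.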

  3. elDog

    It's a disservice to not start naming names, giving specifics, in these articles

    "a government agency's network", "the unnamed US regional government agency".

    Why this pissy-footing around giving more specifics? If the information is correct and especially if it has been previously publicly disclosed, the miscreants (the government agency) should be named and shamed.

    It wouldn't surprise me if that particular "regional government agency"'s taxpayers haven't been told either. They will have to foot the bill and probably lose personal information over this.

    1. keith_w

      Re: It's a disservice to not start naming names, giving specifics, in these articles

      More like Sophos fears that naming names will cost them the client.

    2. General Purpose

      Re: It's a disservice to not start naming names, giving specifics, in these articles

      You don't think Sophos should respect client confidentiality and you can't imagine that their contract with the client explicitly protects client confidentiality?

      If name-and-shame became the price of calling in Sophos or other specialists, we'd have more intrusions being handled by under-resourced in-house teams and we wouldn't see any detailed technical analysis, or even a brief summary in the Register.

  4. Bitsminer Silver badge

    The First Rule

    Assume that your network is already compromised.

    1. Throatwarbler Mangrove Silver badge

      Re: The First Rule

      True. Once you assume your network is already compromised, you can stop worrying about security, which really cuts down on the workload.
