Pay up, Lincolnshire, or your data gets it. Systems still down after ransomware hits

The Register has learned that Lincolnshire County Council has been hit by ransomware, leading it to turn off all of its networks' computers yesterday. As reported yesterday, Lincolnshire County Council shut down all of its computers after an alleged 0-day attack began to spread throughout its systems. The Register has now …

  1. Anonymous Coward
    Anonymous Coward

    I said that yesterday, obvious really because of the shutting down of all machines.

    The question now remains of what sort of piss poor I.T. service do Serco provide to let a cryptolocker through their email and A/V and what if any means of remuneration are included in the contract?

    Also, if I was another council or organisation using Serco right now I'd be very worried because I'm pretty sure if someone had some new way of getting through Serco's systems they wouldn't have just gone for Lincolnshire council.

    1. Elmer Phud

      Was phished rather than forced

      1. Anonymous Coward
        Anonymous Coward

        Still had to be phished onto a machine and opened. Where's the antivirus in such situations? If it was that good to get past, escalate privileges and go on a rampage without being noticed straight away then why phish a council?

        1. bitmap animal

          Our office currently gets about 50 emails a day which are not picked up by the a/v at the ISP, the different a/v on the gateway nor the a/v on the desktop. Many of these look like invoices or remittance advices from genuine companies, several of which we deal with. We do regular staff training with what to look out for, but as I say some of these emails are very good indeed these days.

          Several of our suppliers send us spreadsheets with macros in so we can't automatically just block anything with a macro. I manually dissect suspicious ones I'm made aware of and if they do look dodgy I forward to the a/v company who put detection in the next updates and that seems to work.

          It seems that the criminals are using constantly evolving wrappers and as a business with regular employees whose job is to open orders and remittance advices it's very very tricky for us. Our firewall also restricts downloads of certain file types which may limit the chances of a payload being downloaded. So far we have not knowingly had an infection but I'm well aware that despite the best efforts of this small business it's probably a matter of time.

          1. g00se
            WTF?

            Sisyphean

            Our office currently gets about 50 emails a day which are not picked up by the a/v at the ISP, the different a/v on the gateway nor the a/v on the desktop. Many of these look like ...

            All very commendable, not to say heroic. So why exactly are you still using Windows?

            1. bitmap animal

              Re: comment from g00se

              Firstly I didn't mention Windows, you have assumed that – correctly but still an assumption.

              We are a business primarily and we use our computers as a tool to help the business to run, we need the desktop and applications to be as stable and predictable as possible to seamlessly enable the staff to get on with their work. Windows OS generally lasts 10 years before end-of-life, most Linux servers are EOLd after only five years and the desktops much less. The various GUI desktop releases undergo more frequent design changes and even more frequent tweaks, moving things around and changing behaviour. Libre Office is pretty good but again the lifecycle is too short between releases, it is being tweaked and you can't always be sure it will behave in the same way over the years. Excel is rock solid in that respect. WSUS is great for centralised patch management, I'm not aware of something that works as well to centrally handle the myriad of Linux Distro and Libre Office patches.

              Let's have a look at the LibreOffice 5.0 release schedule

              Release 5.0.0 Aug 3, 2015

              Release 5.0.1 Aug 24, 2015

              Release 5.0.2 Sep 21, 2015

              Release 5.0.3 Nov 2, 2015

              Release 5.0.4 Dec 14, 2015

              Release 5.0.5 Feb 8, 2016

              Release 5.0.6 May 2, 2016

              End of Life May 29, 2016

              For 5.1 it is scheduled for first publishing next week and then the 5.1.6 EOL date is November. Less than 10 months birth to death.

              Is that really something which you would want to support in a business environment?

              This is before we start talking about bespoke applications, many commercial tools are Windows only. I suspect a lot of this is because of the stability of the platform, it is not continually being updated and the behaviour is well known and fairly stable. A vendor can say with reasonable certainty that their tool will run on a specific list of Windows versions, not so easy to do with the variety of distros and desktops in the Linux world.

              Linux is a great idea, LibreOffice is great for a lot of things but I feel that for a stable work environment the Windows infrastructure is a wiser choice. We need office tools which will perform the same and give predictable results in a few years time and users can consistently operate.

              1. Anonymous Coward
                Anonymous Coward

                Re: comment from g00se

                We have around 250 Windows installations on our site and maybe 60 Linux. We have far, far, far more issues with Linux than Windows. And as you said it's mainly down to endless new releases, nothing is stable! Our Linux support guys are forever having to dick around tweaking things to get it to work when a new release comes out.

                1. Santa from Exeter

                  Re: comment from g00se

                  I take it then that you aren't paying anything for your Linux installations, whilst comparing them to your Windows installations which you do pay for. We use RHEL, which is designed for businesses, hence the Enterprise in the name. We have 600 Linux desktops spread across a number of sites and they are pretty stable thanks. RHEL6 was released 2010 and is due to go into Extended Support in 2020.

                  1. Anonymous Coward
                    Windows

                    Re: comment from g00se

                    Don't mind RICHTO. He's made a career of splaffing anti-Linux FUD into The Register's forum.

        2. Anonymous Coward
          Anonymous Coward

          I've long been of the opinion that AV software was overpriced and mostly useless and I've seen plenty of infections careen through at least three layers of different AV software completely undetected. I've seen a cryptowall infection come in through our mail servers' AV (which are in turn protected by a cloud-based AV and anti-spam), through into a user's mailbox and straight past the client-side AV.

          Was an embedded office file disguised as a court summons or jury service of some sort IIRC (we only allow attachments from whitelisted domains but of course that's assuming you're not getting the mail from a contact in a company that just got pwned - and we were), exploiting a zero-day that was due to be patched that weekend. The AV on the client didn't spot it encrypting all files the user had access to, the AV on the file servers didn't spot the files being changed but DID spot a bunch of files being replaced with $filename.encrypted (which modern cryptoware doesn't do IIRC). But the security team who got all the alerts didn't think anything peculiar about this until hours later when everyone had gone home and some teleworkers phoned up and said they couldn't open up any files. Cue frantic shutting down/suspending machines, network traces, restoring and diffing multiple sets of backups, forensic analysis to see what else this user touched to see what else might have been infected, etc etc.

          Sure the security team got well and truly carpeted for that but AV software just doesn't work reliably enough IMHO. Attack surfaces on most clients are just fecking huuuuuge without really onerous security measures which some business can't afford or won't put up with.

          AC for obvious reasons but I know for a fact it's far from a rare occurrence.

        3. Robert Helpmann??
          Childcatcher

          If it was that good to get past, escalate privileges and go on a rampage without being noticed straight away then why phish a council?

          The handy thing about ransomware, at least for the black hats, is that it doesn't necessarily need to escalate privileges in order to do damage, at least on a Windows system. It only needs to get at your data to cause you problems so it only needs your access rights. This may not be the case in this instance as it obviously spread beyond the original... person who opened the infected email, but for a single user it should be enough to just lock up the files that matter to them personally. This skirts system and program files as the goal is for them to eventually use their computers to send the ransom.

          As far as the skill level needed to get past the council's cyber defenses, why would you expect it to be all that difficult to compromise their machines or network?

        4. JeremyP99

          "then why phish a council?"

          Because, as Edmund Hillary noted, "it's there".

        5. Anonymous Coward
          Anonymous Coward

          Still had to be phished onto a machine

          Problem with outsourcing your IT and letting incompetent "I know better" users have privileges.

          I also surmise that they may have had inside help as, just like Indian call centres, the promise of "a few extra quid" to a minimum wage council or outsourced IT employee to open a mail intentionally would be easy.

          Perhaps when it's over they'll have a proper investigation into who opened it.

    2. Bc1609

      Shutting down

      Yeah, while it's probably not the "right" or even a good thing to do, I admit that if I were in their position I would have been very tempted just to hit the main fuse box as soon as I knew what was going on, and then disconnect everything from everything else before turning it back on again. You just know that they haven't done proper backups...

    3. Captain Scarlet

      "Lincolnshire Council has been in touch since the publication of this story to clarify that the ransomware was not CryptoLocker"

      Hmm, odd, they seem to have commented about AC's comment but not on what was encrypted or what the actual ransomware was.

    4. Anonymous Coward
      Anonymous Coward

      Well, our local council is safe

      because Co-Socious (or So Hopeless as we call em) won't allow us to click the system tray clock to see what the date is..

      Honestly, as an ex techie, the stuff I see these idiots do in the name of "corporate security" makes me chuckle.

      To them, the firewall is the only thing they need to maintain to keep everything safe...

      Anon. Sorry but they do still employ me. Just not as a corporate IT techie...

    5. Velv

      You're making the assumption Serco designed the controls instead of just operating what's already installed. The head of IT for the council has to be the person accountable.

      1. Anonymous Coward
        Anonymous Coward

        Having worked for SERCO (and ATOS, CAPITA, EDS)

        "You're making the assumption Serco designed the controls instead of just operating what's already installed. The head of IT for the council has to be the person accountable"

        I must say that they are at least 50% more technically knowledgeable than Capita or ATOS

    6. Roger Mew

      Why

      What I do not really understand is why these types of companies etc. allow control computers to use the same connections as things that can be accessed. For example, a computer that can only deal with company data cannot connect by any means with one that deals with say emails. It is real easy to stop any data going to a system that is blocked from receiving that data. So for example a machine control computer cannot, by reason that it does not identify emails or for that matter any other stuff like jpg, etc., just control code. It can still pass info from one machine to another but not if its routing cannot pass that sort of file. I have just had to do that for an individual, no emails, no messaging, no skype etc. JUST and only data with a certain mix. No internet search engines, nothing, just its own codes. Then use another for stuff like emails that can only load certain things like a straight email, none of the sending a PDF as that can hide something, yet loads of companies send that sort of rubbish out. I got one of those from an electrical supplier, scanned with AVG before I opened it and it had malware on it. They were not happy, if they sent one to a council... Case rests.

      OK it means 2 or three machines, but data is secured.

    7. Halfmad

      The NHS mail system was being bombarded with this sort of crap last year, seems to have lessened now but I doubt there's a trust/commish group in the country that hasn't had problems because of it.

  2. We're with Steve
    FAIL

    S-E-R-C-O

    TBH I was feeling sorry for Lincolnshire Council until I read that last line.

    It's made my day that has :-)

  3. wolfetone Silver badge
    Trollface

    Do they have popcorn in Lincolnshire? If so, grab a bag and watch this mess unfold.

    It should provide better entertainment than Avatar.

  4. Anonymous Coward
    Anonymous Coward

    Now that the "State" (albeit one small corner) has been hit, maybe the powers-that-be will let GCHQ, MI6, SAS, ... loose.

    Nah, thought not.

    Oh, for HMRC to get hit.

    1. Trigonoceps occipitalis

      Look, they’re doing the best they can in the face of our resistance. Once crypto back-doors are mandated all Lincolnshire would need to do is contact the Police for access to the spare key.

    2. JeremyP99

      I'm not sure we'd notice any difference. Writing a letter is nowadays the fastest way to get a response. Remember "letters"?

  5. Little Mouse

    0-day attack?

    I smell BS.

    These attacks have been around for a while now and are typically triggered by users inadvertently running code through links in emails that go on to encrypt every network share they have rights to.

    Sounds to me like some staff had R/W permissions to far more than they should have. Oops.

    1. Anonymous Coward
      FAIL

      Re: 0-day attack?

      I suspect their Serco twats think "0-day" means "the AV didn't catch it"

      `:-|

      Not that El Reg managed to formulate anything resembling a competent counter to such stupidity:

      Ransomware does not use 0-day vulnerabilities (previously undisclosed vulnerabilities in software which the software's authors have "0 days" to patch), as it first reared its head in September 2013.

      Similar malware has been spotted since then, however, with newer vulnerabilities exploited.

      WTF? A presumption and a couple of non sequiturs all rolled up into a little ball of shit? WhyReg? Why?

  6. theModge

    You just know it will be someone senior who ran the attachment don't you?

    Firstly it's highly possible the proles can't run anything they receive by email - my (limited) experience of public sector IT is that the standard issue desktops are locked up tighter than a duck's proverbial.

    Secondly I'd guess that there's a better chance of finding the names and interests of the chief exec than of a random admin type.

    +10 points if it turns out to be the council's head of managing the Serco contract...

    1. Anonymous Coward
      Anonymous Coward

      Re: You just know it will be someone senior who ran the attachment don't you?

      Most likely.

      10 years ago when I was unfortunate enough to run IT in an SME I had to use a cluebat to introduce newly hired UK staff to the idea that the permissions go in the opposite direction - CEO, HR director, Finance director, etc get the lowest and the engineering staff get the highest including the sealed envelope with root passwords if you get run over by a bus.

      Funnily enough, in most Eastern European countries you do not need to explain this concept. It is a given.

    2. kmac499

      Re: You just know it will be someone senior who ran the attachment don't you?

      I once worked for a sizeable high street retailer. One morning we all started to get the Valentines Day virus email. The first person in the chain? The Deputy Director of IT

  7. Anonymous Coward
    Anonymous Coward

    Cheapest is not always the best

    Bean counters sitting back in the glory that they have saved the council a fortune or not

  8. Anonymous Coward
    Anonymous Coward

    Lincolnshire has compooters?

    1. Red Sceptic

      And that's exactly how it's pronounced.

    2. Midnight

      Not any more.

  9. Natalie Gritpants

    Happened to my next door neighbour on his home computer

    Only interesting thing is that he works for HMRC so here's hoping he has another go while at work.

  10. maffski

    I disagree with this statement

    Ransomware does not use 0-day vulnerabilities (previously undisclosed vulnerabilities in software which the software's authors have "0 days" to patch), as it first reared its head in September 2013.

    By the same logic no virus can use a new 0-day as the Italian Bouncing Ball was written in the 80's. Or, to put it another way, I disagree with this statement.

    1. David Hall 1

      Re: I disagree with this statement

      Was searching through the comments to see if anyone else noticed this.

      I wonder if the Reg's copy editors were drunk this afternoon or if the author is just confused.

      But to echo your point. Ransomware certainly could use a zero day. And that will be a great day for us all...

    2. Anonymous Coward
      Anonymous Coward

      Re: I disagree with this statement

      The article seems poorly written with an irrelevant description of zero-day. I think it's assumed that most readers who got this far know what ransomware is, principal ways of it getting there and the likely effect of an infection from a typical user's desktop (local documents, mapped drives, well-known UNC paths, crawling).

  11. Anonymous Coward
    Anonymous Coward

    If it looks like a Duck, Quacks like a Duck...

    Certainly sounds like CryptoLocker... They can deny that CryptoLocker was the name of the virus, but it surely acts like the ransomware. I have come to be amazed that people pay up due to lack of BC (see backups).

  12. Anonymous Coward
    Anonymous Coward

    Will anyone notice?

    Common gossip has it that this is the county council (with Serco's able assistance) that has messed up the SAP based finance system they provide for schools in the county. Messed up so badly that schools cannot find out their financial position, telling the schools "no reports possible..try using any paper based records you have". Suppliers aren't too happy either as schools don't know who to pay, when to pay and how much to pay, leading to more than a few angry calls and red letters to the poor school administrators. This has been going on since last summer so the longer it carries on the more likely one or more schools will find themselves up the financial creek without a paddle.

    (I believe that Private Eye have been running this story as well)

    1. Duffaboy

      Re: Will anyone notice?

      SAP, I feel sorry for them

  13. Anonymous Coward
    Joke

    "after a staff member opened a dodgy email attachment"

    Tony Blair is spamming his Iraq War dossier again? :)

    (Old joke, but it still has legs!)

    1. Anonymous Coward
      Anonymous Coward

      Re: "after a staff member opened a dodgy email attachment"

      Neah, he is spreading "Black Energy" today.

      Hint - see who are the main contributors to his "Foundation". Some of the names are now in the public domain and even posted on the Graunidad.

      Make sure you are well seated and in no position to fall off your chair when you see the list.

  14. cantankerous swineherd

    said it before

    I'll say it again. This is nothing compared to the impending mass bricking of smart meters.

    1. John Brown (no body) Silver badge

      Re: said it before

      I have to admit this does still concern me, but on the other hand we don't seem to be getting stories of the meterocolypse from countries where they have already rolled out.

  15. Anonymous Coward
    Anonymous Coward

    Until recently, I was the backup bitch (okay, restore bitch) at an NHS trust, and I'd get these once a week, if not more often.

    Why some granny of a health visitor felt the need to open INVOICE.PDF.EXE from Bank of America I will never understand, but it was a regular thing.

    1. Archivist

      Maybe because the OS didn't display the file extension? I've never understood this default.

  16. x 7

    come on.........we all know Serco are bloody useless.

    look at the trains they maintain: the London > Scotland sleepers for ScotRail.

    The trainsets run one service a day - either to London or from London, and Serco find it impossible to keep the water tanks for the toilet flush topped up. They're usually empty after 200 miles or so.....

    The heating often doesn't work and the trains vibrate so badly you'd think square wheels are the norm.

  17. Anonymous Coward
    Childcatcher

    I'm cleaning up a machine right now

    The only way to be safe from Cryptolocker, Teslacrypto etc is backups. You need 14 days at least and ideally a grandfather/father/son rotation. The backups *must* be elsewhere and inaccessible to your machine(s), i.e. don't just copy docs to a network share unless it is backed up.

    If you run Windows, you might turn on restore points because that enables Shadow Copies which could be a saving grace, and DO NOT CLICK YES on a sudden request that wants to delete shadow copies (quite often the first thing you notice wrong when they strike).

    If you get hit and you do not have backups to fall back on:

    Pull the power out. Buy another disc and a caddy and clone your existing disc to it (Linux boot CD or you can get disc duplicator caddies quite cheaply). Ideally make two clones. Put one of the clones into your machine and boot off it to make sure that it works. Disconnect all other PCs from your network first or isolate it in some way. Download and install Spybot and Malwarebytes - both have free versions. Update them and run them until the disc is cleared then wait a day or two and do it again. That will capture the zero days usually. You may have to use safe mode and a vulcan nerve pinch.

    Finally, if you have a large disc and not much in use and the bastards haven't wiped the free space to cause deleted space to be reclaimed then you might be able to recover the original unencrypted files with "Photorec" now known as Testdisk.

    MAKE BACKUPS NOW IF YOU RUN WINDOWS. It really isn't funny explaining to someone that their entire digital photo collection of 12+ years is gone. Yes I'm now running qphotorec and praying for some results ...

  18. Anonymous Coward
    Anonymous Coward

    Layers of defence

    We were hit once. It was a convincing looking mail to our goods receiving department. There was no file attached, but a link to an external site. It got past our existing firewall setup, mail filter, web filter and endpoint antivirus.

    We spotted the attack fairly quickly and just had to re-image that one PC and roll back some files the user had access to on the file servers using shadow copies. We already had very granular permissions in place, so the attack was limited.

    In response we have put in several more mitigations. We have AppLocker policies that restrict executables from running from profiles and other locations they shouldn't be running from. We have changed the firewall to block access to websites that are not categorised by the firewall vendor (this occasionally means we have to click past a warning to get to an uncategorised site, but is no great hardship). We also have FSRM rules which look for filename changes made by all known variants of crypto malware. If these are detected, alarms go off and file server shares are switched to read only.

    Finally, if this isn't enough we have time lagged replicas to our DR site and multiple levels of independent backup to disk and tape.
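The detect-then-lock idea in the post above, as an added example that is not the poster's FSRM configuration: a per-user sliding window over constructed file-server audit events, alerting when a burst of writes uses crypto-malware naming (the ".encrypted" suffix an earlier commenter saw is one pattern; the rest of the watch list is placeholder) and returning the shares a responder would switch to read-only.

```python
"""Burst detector for ransomware-style filename changes on a file server.

Added example, not the poster's FSRM configuration: it models the same idea
(alert on filenames used by crypto malware, then make the affected shares
read-only) over constructed audit events so it can be run offline.
"""
from collections import deque
from dataclasses import dataclass
from fnmatch import fnmatch
from pathlib import PureWindowsPath

# Constructed watch list. ".encrypted" is the suffix a commenter saw on a
# replaced file; the other patterns are placeholders for a vendor-maintained list.
SUSPICIOUS_PATTERNS = ("*.encrypted", "*.locked", "HOW_TO_DECRYPT*.txt")

WINDOW_SECONDS = 60  # sliding window per user
THRESHOLD = 5        # flagged writes inside the window before alerting


@dataclass(frozen=True)
class FileEvent:
    ts: int      # seconds since epoch (constructed values below)
    user: str    # account that performed the operation
    op: str      # "create", "rename" or "read"
    path: str    # UNC path as the file server sees it


def is_suspicious(path: str) -> bool:
    """True when the file name matches a known crypto-malware naming pattern."""
    name = PureWindowsPath(path).name.lower()
    return any(fnmatch(name, pat.lower()) for pat in SUSPICIOUS_PATTERNS)


def share_of(path: str) -> str:
    r"""\\server\share\dir\file -> \\server\share (the unit we can set read-only)."""
    return PureWindowsPath(path).drive


def detect_bursts(events):
    """One alert per user whose flagged writes reach THRESHOLD within WINDOW_SECONDS.

    A single renamed file (someone testing an archiver, a false positive) stays
    below the threshold; an encryptor touching hundreds of files trips it within
    seconds, and every share it reached is recorded for the response step.
    """
    recent = {}   # user -> deque of (ts, share) for flagged writes
    alerts = {}   # user -> alert dict, updated while the burst continues
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op not in ("create", "rename") or not is_suspicious(ev.path):
            continue
        window = recent.setdefault(ev.user, deque())
        window.append((ev.ts, share_of(ev.path)))
        while ev.ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= THRESHOLD:
            alert = alerts.setdefault(ev.user, {
                "user": ev.user, "first_seen": window[0][0], "shares": set()})
            alert["last_seen"] = ev.ts
            alert["shares"].update(share for _, share in window)
    return [dict(a, shares=sorted(a["shares"])) for a in alerts.values()]


def shares_to_lock(alerts):
    """Shares a responder would flip to read-only while the account is disabled."""
    return sorted({share for a in alerts for share in a["shares"]})


# Constructed sample: alice works normally, bob's session is encrypting two
# shares, carol renames one file to a suspicious name twice, far apart.
SAMPLE_EVENTS = [
    FileEvent(90, "alice", "rename", r"\\fs01\finance\Q1\report_v2.docx"),
    FileEvent(100, "bob", "rename", r"\\fs01\finance\Q1\budget.xlsx.encrypted"),
    FileEvent(105, "bob", "rename", r"\\fs01\finance\Q1\forecast.xlsx.encrypted"),
    FileEvent(110, "bob", "create", r"\\fs01\finance\Q1\HOW_TO_DECRYPT_FILES.txt"),
    FileEvent(115, "bob", "rename", r"\\fs01\shared\minutes.docx.encrypted"),
    FileEvent(120, "bob", "rename", r"\\fs01\shared\plan.pptx.encrypted"),
    FileEvent(125, "bob", "rename", r"\\fs01\shared\photo.jpg.encrypted"),
    FileEvent(130, "alice", "read", r"\\fs01\shared\minutes.docx.encrypted"),
    FileEvent(300, "carol", "rename", r"\\fs01\hr\old.zip.locked"),
    FileEvent(400, "carol", "rename", r"\\fs01\hr\older.zip.locked"),
]

if __name__ == "__main__":
    found = detect_bursts(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT {a['user']}: {a['first_seen']}-{a['last_seen']} on {a['shares']}")
    print("set read-only:", shares_to_lock(found))
```

The read event and carol's two widely spaced renames are deliberately included: only bob's burst should produce an alert.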

  19. Anonymous Coward
    Anonymous Coward

    Ransome ware!

    I hope the scammers have filled in the appropriate forms, in triplicate, AND lodged a formal request for expenses.

    It is a council.

  20. hoola Silver badge

    Armchair Experts

    A lot of the posts appear to be from people who have no understanding of what it is like to work in a large enterprise, 10000 plus workstations, 1000s of servers and petabytes of data (just unstructured data) not including your databases and VMs. In order to work, users need access to a filesystem they can write to. Unless you have insane levels of permissions on that filesystem that in themselves are a disaster, there is always going to be some writable disks somewhere. It is impossible to mitigate against every threat and most often these exposures come from human error, either oversight or stupidity. There will always be a large group of users who are very good at their job but are not technical experts. If you work in accounts and receive 100s of emails a day it is not unexpected that at some point one will come in that is convincing enough to be opened.

    The real failures come from the IT department if they do not react quickly enough to stop the spread and then sort out the restores. Whether Serco are incompetent or not, having been in this situation the technical staff at the end of the management chain will be having a really hard time.

    1. Anonymous Coward
      Anonymous Coward

      Re: Armchair Experts

      Regardless of the size of the enterprise you should be able to properly secure it as long as you have a well planned role based security setup in the organisation. Separate out users and resources (shares, printers, applications, permissions delegations, anything else that can be secured) so that users (or even groups containing users) are never directly assigned to resources. Create role groups containing the users and add those to the resource groups that the role requires. Roles can be based on geography, org structure or access to specific sets of resources. Have a consistent naming convention for the groups so you know exactly what they do just by looking at the group name.

      All you then need to do is add/remove staff to the relevant roles and they will get access to everything they need in a very secure and easily manageable way. You can immediately see what a role has access to by looking at the resource groups they are a member of (just make sure the resource groups are named after the resource they secure).

      It requires discipline and buy in from all your IT staff. You need to stop the quick fix mentality of giving a user direct access to a specific resource. Take the time to plan the required groups to do it properly.

      I have implemented this in every organisation I have worked at, including some very large ones. I usually get grumbles up front due to the required up front planning and creation of what some regard as unnecessary groups, but eventually the competent staff always see the benefits and continue the system after I have gone.

      Of course, trying to retrofit this to a large org that hasn't previously had any planned resource access in place is the challenge.
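The user -> role group -> resource group layout described above, as an added example that is not the poster's tooling: a constructed directory snapshot with a linter for the "quick fix" direct assignments the post warns about, and a walk of the membership chain that lists which shares a given account (and so any ransomware running with its token) could write to. The ROLE-/RES- naming convention is an assumption made for the example.

```python
"""Role-based resource access as the post describes it: users -> role groups ->
resource groups -> shares, with nothing assigned directly.

Added example, not the poster's tooling. The naming convention is an assumption
chosen for the example:
  ROLE-<role>                   contains users only
  RES-<server>-<share>-<RO|RW>  contains role groups only, one per share and right
"""
RIGHT_RANK = {"RO": 1, "RW": 2}


def parse_resource_group(name):
    r"""'RES-fs01-finance-RW' -> (r'\\fs01\finance', 'RW'); None for other groups."""
    parts = name.split("-")
    if len(parts) != 4 or parts[0] != "RES" or parts[3] not in RIGHT_RANK:
        return None
    return ("\\\\" + parts[1] + "\\" + parts[2], parts[3])


def lint(groups):
    """Report memberships that break the convention: the 'quick fix' of putting a
    user straight into a resource group, or nesting groups inside a role group."""
    findings = []
    for group, members in groups.items():
        is_resource = parse_resource_group(group) is not None
        for member in sorted(members):
            if is_resource and not member.startswith("ROLE-"):
                findings.append(f"{member} is directly in resource group {group}")
            if group.startswith("ROLE-") and member.startswith(("ROLE-", "RES-")):
                findings.append(f"role group {group} nests group {member}")
    return findings


def roles_of(user, groups):
    """Role groups the user is a member of (the only place a user should appear)."""
    return sorted(g for g, members in groups.items()
                  if g.startswith("ROLE-") and user in members)


def effective_access(principal, groups):
    """share -> strongest right reachable through any membership chain.
    Walks nested groups, so non-compliant direct assignments are counted too."""
    access, seen, todo = {}, set(), [principal]
    while todo:
        current = todo.pop()
        for group, members in groups.items():
            if current in members and group not in seen:
                seen.add(group)
                todo.append(group)
                parsed = parse_resource_group(group)
                if parsed:
                    share, right = parsed
                    if RIGHT_RANK[right] > RIGHT_RANK.get(access.get(share), 0):
                        access[share] = right
    return access


def blast_radius(user, groups):
    """Shares that malware running with this user's token could encrypt."""
    return sorted(s for s, r in effective_access(user, groups).items() if r == "RW")


# Constructed directory snapshot. bob has been given a direct entry in the HR
# resource group, the kind of shortcut the post says to refuse.
GROUPS = {
    "ROLE-Accounts-Clerk": {"alice", "bob"},
    "ROLE-Accounts-Manager": {"carol"},
    "ROLE-HR": {"dave"},
    "RES-fs01-finance-RW": {"ROLE-Accounts-Clerk", "ROLE-Accounts-Manager"},
    "RES-fs01-hr-RO": {"ROLE-Accounts-Manager"},
    "RES-fs01-hr-RW": {"ROLE-HR", "bob"},
    "RES-fs01-shared-RW": {"ROLE-Accounts-Clerk", "ROLE-Accounts-Manager", "ROLE-HR"},
}

if __name__ == "__main__":
    for finding in lint(GROUPS):
        print("LINT:", finding)
    for user in ("alice", "bob", "carol", "dave"):
        print(user, roles_of(user, GROUPS), "could encrypt:", blast_radius(user, GROUPS))
```

Removing bob's direct entry from RES-fs01-hr-RW is the only change needed to shrink his blast radius back to what his role grants.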

  21. Anonymous Coward
    Anonymous Coward

    Ransomware

    Erm, my understanding of pretty much all ransomware is that it runs on a client machine and encrypts sensitive files in the hope that the user will be so desperate to get the data back they pay X BTC.

    It is not, generally, designed to target corporate environments on the grounds that there is an assumption of backups and therefore a lower chance of a payout, so most corporate users are effectively collateral damage in the spray & pray phishing attempts.

    However, the crucial thing about all known versions of ransomware is that they are not wormable. Ransomware does not spread from machine to machine and does not often backdoor a system.

    The claim that "once it got a foothold, it spread" implies that this isn't ransomware or the Incident Response team have massively ballsed up their process and assumed encrypted files on the share were infections on multiple client machines.........

    1. x 7

      Re: Ransomware

      "Ransomware does not spread from machine to machine and does not often backdoor a system."

      I hate to be a nay-sayer, but I'm not so sure you're right there.

      A few months back I was auditing a doctors surgery and found traces of ransomware on around 25 machines (roughly 60% of the total). The AV (I think it was McAfee) had actually partly done its job and emasculated the payload, so no damage was done, but neutered files relating to the ransomware AND a seemingly related worm were easily found.

      I never got to the bottom of what happened - I reported the fact to the CSU support team and they took over and got McAfee involved. However at face value, the ransomware appeared to have piggybacked on the worm.

      1. Anonymous Coward
        Anonymous Coward

        Re: Ransomware

        A few months back I was auditing a doctors surgery and found traces of ransomware on around 25 machines (roughly 60% of the total).

        Was it down to files being shared between the devices?

        McAfee is one of the AV companies saying there isn't a wormable ransomware and if there was it is likely to be fairly high profile as it's the big "fear."

        There were examples of the early Cryptolocker being pushed out with other bad shiz (keyloggers mainly) but it's hard to think as to how the ransomware itself can propagate like that. All the researched attacks I can find are where each user is infected by an individual attack (although it can be part of an attack on hundreds of users simultaneously).

        1. x 7

          Re: Ransomware

          "Was it down to files being shared between the devices?"

          Thinking back about it, not obviously, though I guess not impossible. The files I found were in local user profiles and seemed to be installed / created at user logon. They had datestamps over a few consecutive days - essentially the first logon of that day. They weren't using folder redirection or active profiles - the domain controller function was being run by an SCO Unix box (in a limited fashion) so it's unlikely they were being pulled down from a central location.

  22. Mike 137 Silver badge

    "... spread throughout its systems."

    Who's running a flat network then? I see this all the time - exclusive reliance on Active Directory for control over access to resources over an otherwise exhaustively interconnected user network. Apparently nobody's heard of network segregation.
