Louisiana Governor John Bel Edwards on Wednesday declared a state of emergency after three public school districts were seized by ransomware.
According to local news station KSLA, one of the affected school districts, Sabine Parish in northern Louisiana, released this statement on Wednesday night:
The Sabine Parish School System was hit with an electronic virus early Sunday morning. This virus has disabled some of our technology systems and our central office phone system. The district staff reported this electronic viral attack to local law enforcement, state officials and the FBI. All available resources are being utilized to get the district systems back online. An investigation involving local, state and federal law enforcement is ongoing at this time. The school phone systems were not affected by this attack. The central office phone system is being repaired and service will be restored as soon as possible. According to the Louisiana Department of Education, several other school districts were attacked by the same virus this week.
We haven’t seen details yet on what ransomware variant was inflicted in the attack; nor have state officials released a comprehensive list of the affected systems.
Eddie Jones, principal of Florien High School in Sabine Parish, told KSLA that his technology supervisor got an alert on his phone around 4am Sunday about a surge in bandwidth usage. It was particularly unusual given the time of day and the fact that the schools are all on summer break.
When technical staff investigated, Jones said, they found ransomware on the servers.
The principal said that he doesn’t believe that any sensitive information was lost. What was lost: “anything and everything” stored on the school district’s servers, including 17 years’ worth of Jones’ personal documents – his speeches, test schedules, master schedules and more.
The declaration of a state of emergency means that state resources will be made available and that assistance will be coming from cybersecurity experts from the Louisiana National Guard, Louisiana State Police, the Office of Technology Services and others to assist local governments in responding to the crisis and in preventing further data loss.
This is the first time that Louisiana has activated its emergency cybersecurity powers, which were created for just this type of cyberattack. The response is being handled by the state’s newly formed Cyber Security Commission, which was established in 2017. It brings together the state’s key stakeholders, subject matter experts, and cybersecurity professionals from Louisiana’s public sector, private industry, academia, and law enforcement.
The Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP) has also activated its Crisis Action Team and the Emergency Services Function-17 to coordinate a response.
Governor Edwards:
The state was made aware of a malware attack on a few north Louisiana school systems and we have been coordinating a response ever since. This is exactly why we established the Cyber Security Commission, focused on preparing for, responding to and preventing cybersecurity attacks, and we are well-positioned to assist local governments as they battle this current threat.
Ars Technica put some interesting context around Louisiana’s response: it’s modeled on Colorado’s response in the wake of two SamSam ransomware attacks. The first hit in February 2018, and the second came the following week. The attacks wound up costing the state $1.5 million to disinfect its systems after officials decided against paying nary one thin dime to the attackers.
Declaring an emergency empowered Colorado cybersecurity agencies to ask for help from the National Guard, on top of help from other security companies and the FBI.
The emergency declaration includes protection from being price-gouged for the extra help and resources. Here’s some language concerning that protection, from a Louisiana proclamation about states of emergency:
During a declared state of emergency, the prices charged or value received for goods and services sold within the designated emergency area may not exceed the prices ordinarily charged for comparable goods and services in the same market area at or immediately before the time of the state of emergency, unless the price by the seller is attributable to fluctuations in applicable commodity markets, fluctuations in applicable regional or national market trends, or to reasonable expenses and charges and attendant business risk incurred in procuring or selling the goods or services during the state of emergency.
How to protect yourself from ransomware
- Pick strong passwords. And don’t re-use passwords, ever.
- Make regular backups. They could be your last line of defence against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
- Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
- Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
- Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home”>XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.
Aron Thoreau
Congratulations to the terrible IT security politics in USA.
Before town and hospital, now schools, what next? army?
This start to be embarrassing and worrysome.
Mahhn
hmm, I live and work in the USA, the company I work for, and state I live in, has good security and politics. But go ahead and lump everyone and everything in a country under one classification. You sound just like Turnip. So share with us, what perfect place with perfect politicians, and perfect security do you live in?
Magyver
Mahn, – Aron merely condemned the security policies in American state & federal government for a multitude of ongoing & recurring problems – they are indeed governed by muddled politics which are the main thing wrong with this country. However, it would seem somewhat less than rational for you to be offended by the completely valid concept he described, for you are not at fault – poor security management is. As far as this “Turnip” person goes, I never heard of him – but suspect you are a “Never Turniper”, lol.
Magyver
Funny that 8 people would downvote Aron for complaining about “IT security politics & policies in the USA”. In only 0.79 seconds a google search dumped 48,900,000 results to this query: “list the state and federal government agencies that have been hacked in recent years.”.
The following nuggets were on the first page alone:
* In fiscal year 2016, government agencies reported 30,899 information-security incidents
* Hacker breached 63 universities and government agencies
* In 2015 the fingerprints of 5.6 million people were compromised
* The first known incidence of network penetration hacking took place in 1967 and is ongoing
* There’s too much to list here but a VERY limited list of US state, & federal agencies etc. includes the State Department, White House, NOAA, USPS, US Coast Guard, the Pentagon, the GAO & GPO, HealthCare.gov, U.S. Army Corps of Engineers, the Army, the Nuclear Regulatory Commission – have you seen enough yet?
Fortune.com says 160 Million Government Records Exposed in Data Breaches Since 2014
This does’t include any Banks or the 6 breaches of credit reporting companies
It doesn’t include private companies include : T-Mobile, Quora, Google, Orbitz, Facebook, Marriot, British Airways, SingHealth, myPersonality, Saks and Lord & Taylor, SheIn.com, Cathay Pacific Airways, Careem and countless more.
A black-and-white banner with the image of a hooded militant and “I love you ISIS” replaced Central Command’s usual banner on Twitter recently.
If anything Aron understated his case – and yes this is both embarrassing and worrisome.
Apologies may be in order.
anonymous coward
Most school, work, and healthcare computers really have no business being connected to the Internet or having USB ports for connecting data drives. There ought to be air-gapped, separate “designated unsafe” computers connected online for research and exploration, because that’s a useful tool, but there shouldn’t be any way for employees or students to corrupt one with the other.
Public schools in the US ran for over a century in their modern form before they were introduced to Internet connectivity. There is no reason why they should be wasting public funds now to rescue any data from these computers. Reinstall them from scratch and treat it as an opportunity to start over right, unconnected.
wolfkin
nah dude internet is part of school. We’re not training miners anymore modern kids need modern tech. The problem is we need to invest in IT solutions that work. They need to PAY for backup solutions that are effective. So when things like this happen you can transition with minimal downtime. Cutting schools off from the Internet helps no one.
Steve
“anonymous coward” did not say that schools should be disconnected from the internet. He/she/it has a valid point: far too many systems are connected to the internet that don’t need to be, needlessly exposing them to danger.
anonymous coward
Steve, that’s exactly right.
anonymous coward
Public schools are for learning reading, writing, math, history, research and library skills, science, art, and music. You want CS training, pay for it and attend a vocational school. It’s not a place to stare at screens coding or searching the Web for cat videos. There’s places for that, but it’s not publicly funded schools.
Anon
The internet is a vast learning resource. Schools are going to be connected to the internet. Schools often do not have the kind of money needed to hire IT Professionals capable of properly securing a network. Schools and universities are common targets for compromise because of these reasons. Nothing has changed this is how it has always been. Threat actors can compromise servers and devices in these locations to use as they see fit and go unseen for some time before discovered. I expect most ransomware attackers would see the clearer picture; that schools have little funding and attacking schools is not going to net them much for financial gain. By the below response I expect they will probably just start over again from scratch.
“The principal said that he doesn’t believe that any sensitive information was lost. What was lost: “anything and everything” stored on the school district’s servers, including 17 years’ worth of Jones’ personal documents – his speeches, test schedules, master schedules and more.”
Schools will not be offline now or in the future. I would consider them to be entry level targets for most hackers wanting to “play” and hone in their skills. It is improbably these types of places will ever be very secure. Again because of the inability to afford the staff to secure them….
Magyver
Lisa, Paul, Mark – is it possible do you think, to encase an entire system such as this inside a sandboxed environment? It seems that if someone developed the software technology to protect businesses, schools in a giant sandbox they would become rich beyond their wildest dreams.
If it were possible it might only take one staff employee to manage each businesses sandbox – mere chicken feed at that point. …C’mon guys, dazzle me! …*grins*
Paul Ducklin
Sandboxing can work well – for example, a system that takes snapshots and can roll bach at will, whether using VMs or a “shadow copy” type approach. But there’s still the issue that data needs to be saved, updated, shared, exported, imported – and pretty much anywhere you can modify your own data with the intention of keeping those changes, malware can modify it to inject changes you didn’t want. Sandboxes, shadow copies, backups – they’re all useful parts of a potential solution… but not a magic bullet. (For example, what if you roll back changes you wanted to keep, or fail to keep changes you later regret, or rollback too far, and so on.)
(FWIW, Sophos’s own CryptoGuard product provides a sort of “autorepair if ransomware” which can detect ransomware by spotting its behaviour even *after* it kicks off, essentially turning the scrambling action against itself, reverting the changes and killing off the offending process.)
Steve
“roll bach at will”?!? Roll over, Beethoven, and let Johann join the party!