Texas Does Ransomware Bigger: 23 Local Gov’ts Attacked

Another week, another local government crippled by ransomware. Wait, I mean 23 local governments, in Texas.

In what appears to be a coordinated attack last week, small-org paralysis is happening as per usual, but multiplied by 20. Worryingly, the state IT department is saying very little of substance.

Will they pay, or do they DR? In today’s SB Blogwatch, we verify our backups.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Fascinating clothing.

Lone Star Mess

What’s the craic? Trey Shaar reports—“Ransomware Attack Hits Local Governments In Texas”:

 A coordinated ransomware attack has affected [23] local government entities in Texas. … The majority of them are smaller local governments.

The Texas Department of Information Resources … said it is continuing to investigate the origin of the attack, but at the moment believes it came from a “single threat actor.” [It also] said the Texas Military Department and the Texas A&M University Systems’ Cyber-Response and Security Operations Center teams are deploying resources to “the most critically impacted jurisdictions.”

Here we go again. Ravie Lakshmanan agrees—“23 state agencies across Texas succumb”:

 It seems like not a day goes by without a major company being hacked or a government-run institution exposed to ransomware attacks. [It] comes as several US cities have been crippled by a wave of ransomware attacks, with infections leading agencies to spend hundreds of thousands of dollars to recover.

The continuing attacks reflect on the agencies’ poor security posture, thereby making them a lucrative target. … Threat actors are setting their sights on public and private organizations that are ill-prepared to handle such attacks.

Regardless of the type of victim and the region affected, ransomware remains at the top of the list of digital threats. … As long as companies continue to pay to get their data restored, “digital kidnapping” of valuable data will be a sound business model for cybercriminals.

Which payload was it? Catalin Cimpanu—“Infection blamed on a strain of ransomware known only as the .JSE ransomware”:

 The ransomware that infected the networks of the 23 local Texas governments encrypts files and then adds the .JSE extension at the end. … Some antivirus vendors detect it as Nemucod, under the name of the trojan that drops it.

First signs of this .jse ransomware have been spotted as early as August 2018. … The ransomware is a strange one as it does not leave a ransom note behind.

Want to prevent your organization being next? Heed bobstreo’s advice:

 OK boys and girls. It’s time to do a security analysis of your networks, and check your backup and especially recovery/restore processes to make sure they actually work.

Segmenting/firewalling your network resources like SAN and Production from users only makes sense. … Test and QA environments can be rebuilt pretty quickly with no downtime for “the Important Stuff.”

The first rule of firewalling is DENY ALL. Exceptions can then be made, documented, tested, and then implemented.

If your network is one gooey center, with no crunchy outside, you will be sad.
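The "make sure they actually work" part of that advice is the step most shops skip: a backup job that reports success proves nothing until the archive has been restored somewhere and compared against what was backed up. The script below is an added example, not code from the original post or from any commenter; it assumes a Linux host with GNU tar and coreutils `sha256sum`, and every path and file in it is constructed for the demonstration. It writes a SHA-256 manifest next to each archive at backup time, then proves a restore by extracting into a scratch directory and diffing a fresh manifest against the stored one, so both an unreadable archive and a stale or tampered one are caught.

```shell
#!/bin/sh
# Added example (not from the original post): prove that a backup restores.
# Assumes GNU tar and coreutils sha256sum; all paths below are constructed.
set -eu

# make_manifest DIR
#   Print "sha256  ./relative/path" for every regular file under DIR,
#   sorted by path so two manifests of equivalent trees compare byte-for-byte.
make_manifest() {
    dir="$1"
    ( cd "$dir" && find . -type f | sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

# create_backup SRC ARCHIVE
#   Tar up SRC into ARCHIVE and record a manifest of SRC as ARCHIVE.sha256.
#   The manifest is what a later restore test is judged against.
create_backup() {
    src="$1"; archive="$2"
    make_manifest "$src" > "$archive.sha256"
    tar -cf "$archive" -C "$src" .
}

# verify_restore ARCHIVE
#   Restore ARCHIVE into a throwaway directory and compare the restored
#   tree's manifest with the one written at backup time.
#   Returns 0 only if extraction succeeds AND every file hash matches.
verify_restore() {
    archive="$1"
    scratch=$(mktemp -d)
    status=0
    if ! tar -xf "$archive" -C "$scratch" 2>/dev/null; then
        echo "FAIL: $archive could not be extracted" >&2
        status=1
    elif ! make_manifest "$scratch" | diff -q - "$archive.sha256" >/dev/null; then
        echo "FAIL: restored files differ from manifest for $archive" >&2
        status=1
    else
        echo "OK: $archive restores cleanly"
    fi
    rm -rf "$scratch"
    return $status
}

# Usage (constructed paths):
#   create_backup /srv/data /backups/data.tar
#   verify_restore /backups/data.tar   # run this from cron, alert on non-zero
```

Run `verify_restore` on a schedule from a host other than the one that wrote the backup, and treat a non-zero exit as an incident rather than a warning: a restore test that fails quietly is exactly the gap ransomware exploits. Keeping the `.sha256` manifest on separate, write-once storage also makes it useful as evidence of whether an archive was altered after it was written.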

But SirAstral thinks different:

 Network Segmentation is “Security Theater.” It raises the cost, effort, and complexity of your infrastructure for little to no gain.

Segmented networks still get compromised just as much as unsegmented because most malware continues to use the ports that you are already going to have open so that systems can communicate. Lowering Surface Area and Server Hardening are far more valuable.

Management networks are still needed to be able to reach all systems so they can be managed, making the segmentation argument even further moot. Deep Packet Inspection, Threat Analytics, along with SIEM tools are going to go much farther.

You only end up with millions of FW rules and a massive ****ing headache, coupled with business units bitching about why your network is failing them. And management spending money on a network team that is larger than it needs to be.

Speaking of spending money, what about paying the ransom? Joe Franscella dances around a poll: [You’re fired—Ed.]

 When attacked, some organizations have chosen to pay criminals to retrieve their data and unlock their computers. Others have decided not to give into extortion. Two organizations in particular, the FBI and National Conference of Mayors, have come out against paying off criminals.

To understand better how … every-day American adults feel about this modern crime wave … we commissioned a survey conducted online by The Harris Poll in July of 2019 among more than 2,000 U.S. adults: …

  • Among those who experienced an attack on a work device, 46 percent say their companies paid a ransom. …
  • 64% of registered voters will not vote for candidates who approve of making ransomware payments. …
  • 66% of Americans believe that government organizations should never make ransomware payments to cyber criminals. …
  • 86% of Americans agree that when organizations make ransomware payments, they are encouraging cyber criminals to continue with such attacks.

Stop press: Catalin Cimpanu—@campuscodi—tweets an update:

 Got a heads-up from a more official source that this incident might have been caused by Sodinokibi (REvil) and not “JSE Ransomware.” Still working on verifying it; however, it’s a [law enforcement] informational document, so it’s a more authoritative source.

Danger, Will Robinson, danger:

 Our company was hit two weekends ago Saturday. Unfortunately I was in early Saturday morning to work on a project and discovered it.

These are social engineering attacks, with email, usually to sales and appearing to come from a known customer or vendor. … The infected computer directly attacks domains. Once the domain controller is toast, so is the rest of your domain.

They are after cash and it’s working. Encrypted the servers, backup systems and all … domain controlled databases. … Maybe a wake up call for some CEO who does not want to commit funds to secure the infrastructure.

None of the antivirus picked it up. … Thank your local NSA agent for the quality tools they provided to the attackers.

Meanwhile, dwpro alleges an allegation:

 All the skills in the relevant agencies have been gutted and outsourced, mainly to IBM as part of a government initiative to de-duplicate and consolidate resources. … I’ll be shocked if it isn’t a contractor working for IBM that is responsible.

And Finally:

Walk Dress Like an Egyptian

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Ray Shrewsberry (Pixabay)

Richi Jennings


Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
