The effects of a ransomware attack on Louisiana’s state government Monday that crippled some public-facing agencies stretched through Tuesday, as motor vehicle offices throughout the state remained closed and workers scrambled to reboot computer systems.
Gov. John Bel Edwards’ administration said many online services and state websites that officials shut down Monday to prevent further spread of the malware came back online Tuesday. The governor's cabinet met Tuesday to review the situation and is scheduled to convene again Wednesday morning, Christina Stephens, the governor's spokeswoman, said Tuesday evening in a text.
Still, the state’s 79 motor vehicle offices remained closed as workers had to "reimage" computer systems there, said Karen St. Germain, commissioner of the Louisiana Office of Motor Vehicles. The administration is hopeful OMV will reopen around noon Wednesday to again issue drivers' licenses, register vehicles and provide other services.
“The issue is that the computers we have, have to be reimaged. All of them. OTS has a big job,” Germain said, referring to the Office of Technology Services, which operates a sprawling network of state computer systems. “It’s going to take a little time to get all that straight, put it back the way it was and do it right.”
Louisiana's state government came under a ransomware attack Monday that caused internet and website problems at a host of agencies, disrupting…
The attack likely was automated, rather than some guy sitting in some European basement targeting Louisiana, said Jeffrey Allen Moulton, the executive director of the Stephenson National Center for Security Research and Training and the Transformation Technologies and Cyber Research Center at LSU. He’s also a member of the Louisiana Cybersecurity Commission and head of the commission’s subcommittee on emergency response.
Moulton’s crew is working with the State Police’s Fusion Center, FBI, Louisiana National Guard, Department of Homeland Security and others to get the state’s computer system back online. He says the state technical office followed the seven-phase plan put together to combat ransomware attacked. “This is exactly the protocol,” he said.
“A lot of these exploits are automated,” Moulton said of the attack. The machines go out onto the internet and look for vulnerabilities in systems, then attach ransomware to them. The state might have picked up the virus when some state worker went to a dangerous website or tried to upload a game on their work computer, Moulton said.
But the most likely culprit was a state worker clicking on some suspicious email or link without thinking, he said.
“We don’t know who did this, but we are working it,” Moulton said. Doing forensic analysis to determine who is responsible is a lower priority to getting the system up and running. Nobody will likely be prosecuted because it’s so difficult to gather evidence enough to stand up in court. But knowing the who, what, when and where will go a long way to helping technicians block similar approaches in the future.
The technicians do know the why: make money.
When the Louisiana governor’s race ended over the weekend, voters were left with the feeling that mudwrestling season was over. But a vast ran…
The virus was fairly easy to spot among the reams of computer code. But then that’s to be expected since the goal was to get money in return for releasing the lock on the data, he said. Technical personnel never looked at the ransom note, just started shutting down computer systems, as required in the protocol.
The virus also is fairly simple extortion. Some computer system attacks do more than lock users out. Some destroy the data or steal it. “Most criminals don’t want to do that because they’re after the money and they can come back and milk the cow again.”
Officials said they did not pay a ransom during the incident and that they did not lose data.
The Louisiana State Police and several federal agencies are investigating the attempted ransomware attack, Edwards said.
Ransomware, often spread through phishing emails, denies access to computer systems or data until the user pays a ransom, according to the Louisiana Cyber Security Commission. If the demands are not met, the person conducting the ransomware attack could keep the data unavailable or delete it.
Spokeswoman Stephens said seven agencies were initially impacted in some capacity: the Department of Public Safety, Office of Juvenile Justice, Department of Health, Department of Education, Department of Environmental Quality, Department of Revenue and the Division of Administration.
State agencies continue to have server issues hours after a ransomware attack ceased office functions in Louisiana on Monday.
The Department of Children and Family Services said Tuesday it was still dealing with the fallout from the computer issues. The child abuse and neglect line was available, but staff was still having trouble accepting reports. The agency's customer portal remained affected and child support payments could be delayed by at least a day, the department said.
Stephens said workers noticed unusual traffic on some state servers between 4 and 5 in the morning on Monday, and officials worked to make sure it didn't spread. As part of the response, the state shut down email access on several servers.
The attack caused the Louisiana Department of Revenue to extend the filing dates for state taxes due Wednesday, now making the due date to Monday, Nov. 25. The tax extensions cover payments of taxes for sales and use, hotel occupancy, beer, tobacco, fuel transporter, transportation and communication.
The attack did not compromise any state tax returns or taxpayer information. However, certain services provided by the department were disrupted, including the sales tax filing application Parish E-File and the Louisiana Taxpayer Access Point, the state’s tax account management portal, according to the Revenue Department.
The service interruptions at public agencies was due to what the Division of Administration called its "aggressive response" to the ransomware attack. The Office of Technology Services, OTS, shut down computer systems to avoid infecting state internet servers.
The IT team noticed the irregular pattern, saw that it was the Ryuk virus, which encrypts files, said Jacques Berry, spokesman for the Division of Administration. The team found where virus was attached to the programs and shutdown computers to avoid infecting other systems, Berry said.
A host of state services were down Monday, including websites for the Secretary of State's Office, which meant election results were unavailable two days after Saturday's runoff elections. The Louisiana Department of Health couldn't process certain Medicaid applications online. OMV offices were also shut down Monday.