Lincolnshire County Council computer security staff are working over the weekend to restore computers and network access to staff for Monday morning after the local authority was the subject of a £1m ransomware demand on Tuesday last week.
In an interview with Computing, CIO Judith Hetherington Smith revealed that the local authority had no choice but to shut down the PCs and servers across the local authority's entire network. The decision was made after email-borne malware was launched by a member of staff following a phishing attack.
IT staff and the Council's key IT service providers have been conducting a rigorous security audit of all the organisation's IT to ensure that all traces of the malware have been deleted before restoring service.
"We have been able to bring up our social care system in a limited environment, because it's a priority system, and we're working over the weekend to restore other systems, with the hope that if everything goes well we'll be back up and running by Monday," Hetherington Smith told Computing.
The malware encrypted a number of files before deleting itself and presenting a ransom demand of £1m - in bitcoin, of course - in return for the decryption keys. "Right at the end, when it completes running, it displays a message on the screen demanding one million pounds," said Hetherington Smith.
While Hetherington Smith does not believe that the local authority was specifically targeted, the malware definitely demanded £1m - not dollars, euros or rubles, but pound sterling - indicating, perhaps, that the attackers were either targeting the UK or are UK-based.
Even more intriguing was that the malware was of a type that was completely new to the organisation's security software supplier. That supplier is now rushing to release new signature files for its anti-virus and anti-malware software.
"It's a new piece of ransomware that our anti-virus software provider hadn't seen before. So they've had to write new files to protect us from it. Our systems were totally up to date, so there were no vulnerabilities of that kind, and they have been brilliant working with us to create those fixes," she told Computing.
As far as Hetherington Smith is aware, the ransomware was only triggered by one user. The decision to shut down the entire network was made after that member of staff realised what had happened and contacted IT - although the sudden encryption of a number of files on the network had already alerted them to the anomaly.
In a bid to minimise the risk of the infection spreading across the network, Hetherington Smith ordered the shutdown of computing resources across the authority, while the Council's IT staff and its service providers swept and audited the entire computing estate, a process that is continuing over the weekend.
"We caught it quite quickly, which was fortunate, and we were able to protect our data and systems because of that," she said. The shutdown was very much precautionary, because the local authority holds personal data - of residents, council tax payers, children in care, vulnerable adults and others. The decision was made in order to protect that data.
The operation swung into action on Tuesday afternoon and, despite hopes that IT resources would be back up and running by Thursday, has continued into the weekend. Hetherington Smith believes that the clean-up operation should be finished by the time staff return to their desks on Monday morning.
"At the moment, we're quite pleased with the way that we have reacted in that we shut down our systems very quickly and we've been able to get our business continuity plans up and running," she said.
Prompted for advice for other organisations affected by a similar outbreak, she offered the following: "I guess my advice is three-fold:
"One, always keep reminding your staff of the dangers of doing these things. We do, but you can never be 100 per cent - someone will always make a mistake.
"Second, if you suspect something, do take the precaution and take your systems down.
"And check that your business continuity plan actually works occasionally."
Law firms wide open to phishing scams following security breaches
Users will be warned when they see or send a suspected spam message
A network of fake ad agencies and shell companies was used to run the operation
ITV looks to shift away from legacy systems for looking after classic shows