£1m ransomware demand from previously unknown malware took down Lincolnshire County Council network

But everything should be back up and running by Monday morning, says CIO Judith Hetherington Smith

Lincolnshire County Council computer security staff are working over the weekend to restore computers and network access to staff for Monday morning after the local authority was the subject of a £1m ransomware demand on Tuesday last week.

In an interview with Computing, CIO Judith Hetherington Smith revealed that the local authority had no choice but to shut down the PCs and servers across its entire network. The decision was made after email-borne malware was launched by a member of staff following a phishing attack.

IT staff and the Council's key IT service providers have been conducting a rigorous security audit of all the organisation's IT to ensure that all traces of the malware have been deleted before restoring service.

"We have been able to bring up our social care system in a limited environment, because it's a priority system, and we're working over the weekend to restore other systems, with the hope that if everything goes well we'll be back up and running by Monday," Hetherington Smith told Computing.

The malware encrypted a number of files before deleting itself and presenting a ransom demand of £1m - in bitcoin, of course - in return for the decryption keys. "Right at the end, when it completes running, it displays a message on the screen demanding one million pounds," said Hetherington Smith.

While Hetherington Smith does not believe that the local authority was specifically targeted, the malware definitely demanded £1m - not dollars, euros or rubles, but pounds sterling - indicating, perhaps, that the attackers were either targeting the UK or are UK-based.

Even more intriguing was that the malware was of a type that was completely new to the organisation's security software supplier. That supplier is now rushing to release new signature files for its anti-virus and anti-malware software.

"It's a new piece of ransomware that our anti-virus software provider hadn't seen before. So they've had to write new files to protect us from it. Our systems were totally up to date, so there were no vulnerabilities of that kind, and they have been brilliant working with us to create those fixes," she told Computing.

As far as Hetherington Smith is aware, the ransomware was only triggered by one user. The decision to shut down the entire network was made after that member of staff realised what had happened and contacted IT - although the sudden encryption of a number of files on the network had already alerted them to the anomaly.

In a bid to minimise the risk of the infection spreading across the network, Hetherington Smith ordered the shutdown of computing resources across the authority, while the Council's IT staff and its service providers swept and audited the entire computing estate, a process that is continuing over the weekend.

"We caught it quite quickly, which was fortunate, and we were able to protect our data and systems because of that," she said. The shutdown was very much precautionary, because the local authority holds personal data - of residents, council tax payers, children in care, vulnerable adults and others. The decision was made in order to protect that data.

The operation swung into action on Tuesday afternoon and, despite hopes that IT resources would be back up and running by Thursday, has continued into the weekend. Hetherington Smith believes that the clean-up operation should be finished by the time staff return to their desks on Monday morning.

"At the moment, we're quite pleased with the way that we have reacted in that we shut down our systems very quickly and we've been able to get our business continuity plans up and running," she said.

Prompted for advice for other organisations affected by a similar outbreak, she offered the following: "I guess my advice is three-fold:

"One, always keep reminding your staff of the dangers of doing these things. We do, but you can never be 100 per cent - someone will always make a mistake.

"Second, if you suspect something, do take the precaution and take your systems down.

"And check that your business continuity plan actually works occasionally."
