A large-scale North Carolina ransomware attack has encrypted data on 48 servers used by the Mecklenburg County government, causing considerable disruption to the county government’s activities – disruption that is likely to continue for several days while the ransomware is removed and the servers are rebuilt.
This North Carolina ransomware attack is one of the most serious ransomware attacks to have been reported this year. The attack is believed to have been conducted by individuals operating out of Ukraine or Iran and the attack is understood to have involved a ransomware variant called LockCrypt.
The attack started when a county employee opened an email attachment containing a ransomware downloader. As is now common, the email appeared to have been sent from another employee’s email account. It is unclear whether that email account was compromised, or if the attacker simply spoofed the email address.
Opening the email and malicious attachment resulted in the installation of ransomware. The infection then spread to 48 of the 500 servers used by the county. A ransom demand of $23,000 was issued by the attackers, the payment of which would see keys supplied to unlock the encryption.
While many businesses pay the ransom demands to allow them to recover files quickly and limit disruption, Mecklenburg County refused to give in to the extortionist’s demands.
After the deadline for paying the ransom passed, the individuals behind the attack attempted another email-based attack on county employees although those attempts failed.
Recovery from the attack is possible without data loss as the county has backup files that were not encrypted in the attack; however, restoring data on all the affected servers will be a slow and laborious task and the county will continue to experience severe disruption to its services.
A similarly large-scale ransomware attack hit Texas school districts in October. The attack occurred at the Texas Department of Agriculture. The Texas Department of Agriculture overseas breakfast and lunch programs at Texas Schools and has access to computer networks used by Texas school districts.
Similarly, the attack involved a single employee being fooled into downloading ransomware by a phishing email. The ransomware spread across the network affecting 39 independent Texas schools, and potentially resulting in the exposure of hundreds of student records.
Such extensive ransomware attacks are becoming much more common. Rather than simply infecting one device, ransomware is now capable of scanning networks for other vulnerable devices and rapidly spreading laterally to affect multiple computers. In the case of the Texas Department of Agriculture ransomware attack, it was rapidly identified, but not in time to prevent it spreading across the network.
As these incidents show, all it takes is for a single employee to open a malicious email attachment for an entire network of computers and servers to be taken out of action. Even if the ransom demand is paid, recovery can be a slow and costly process.
Ransomware attacks are increasing, as is the sophistication of both the ransomware and the scams that fool employees into downloading the malicious software. Fortunately, it is possible to implement defenses against these attacks.
Both of these attacks could have easily been prevented with basic security measures – An advanced and effective spam filter to prevent malicious emails from being delivered to employees and an effective security awareness training program to raise awareness of the threat from ransomware and phishing emails.
Security awareness training and phishing email simulations can reduce susceptibility to email-based cyberattacks by up to 95% according to several anti-phishing training firms, while a spam filter such as SpamTitan can ensure that employees are not tested. SpamTitan blocks more than 99.9% of spam emails, ensuring ransomware and other malware-laced emails are quarantined so they can cause no harm.
To find out more about SpamTitan and how you can secure your organization and mount an impressive defense against email and web-based threats, call the TitanHQ team today.