Florida City Fires IT Employee After Paying Ransom Demand Last Week (zdnet.com)
Officials from Lake City, Florida, fired an IT employee last week after the city was forced to approve a ransomware payment of nearly $500,000 last Monday. The employee, whose name was not released, was fired on Friday, according to local media reports citing the Lake City mayor. ZDNet reports: Lake City's IT network was infected with malware on June 10. The city described the incident as a "triple threat." In reality, an employee opened a document they received via email, which infected the city's network with the Emotet trojan, which later downloaded the TrickBot trojan, and later, the Ryuk ransomware. The latter spread to the city's entire IT network and encrypted files. Hackers eventually demanded a ransom to let the city regain access to its systems. The city's leadership approved a ransom payment last Monday, which was paid the next day, on Tuesday. The city's IT staff started decrypting files on the same day.
As it should be (Score:2, Funny)
That person probably told their boss they were safe and they did xir job, since after all, xir thought nothing could happen in the safe space.
Ransoms = part of Windows' TCO (Score:2, Insightful)
Ransoms = part of Windows' TCO
Re: (Score:2)
Best not pronounce "Bitcoin" or "blockchain".
But but but (Score:4, Insightful)
Bitcoins aren't real money!
Re: (Score:2)
Bitcoins aren't real money!
Do you also complain that cars aren't real money when someone takes your car from you at gunpoint?
We all know that cars aren't real money, just like we all know that bitcoin isn't real money. Clutching your pearls isn't going to suddenly make bitcoin "real money".
Re: But but but (Score:2)
"Bitcoin is actually very private these days"
Keep telling yourself that often enough, and it might just magically become true!
Re: (Score:2)
The technology may support privacy. Many if not most of the exchanges are fraudulent and steal from their clients. Many of the wallet tools are vulnerable: there are so many, and they are so often devised with "dotcom" era business plans and "dotcom" era quality control, they've been robbed as a matter of course.
Re: (Score:2)
Or can't they notify all exchanges that anyone trying to cash in the bitcoins from that transaction are guilty of embezzlement and have to be reported, or the exchange will be considered a party to international money laundering.
That'll make them sit up and take notice, and a bitcoin that cannot be spent is a worthless bitcoin.
Just one? (Score:4, Insightful)
Should have replaced them all.
Re:Just one? (Score:5, Insightful)
Indeed. They made the employee a scapegoat. A proper system would withstand a bad email.
That kind of "sin" is worth no more than 2 month suspension for a regular employee. People who have made such mistakes are usually much more careful afterward than those who haven't.
Re:Just one? (Score:5, Insightful)
This guy might have a case if he can show that others had opened virus infected emails and not been fired. Seems like that would be pretty easy. The magnitude of the infection is not his fault, it could have literally been any other employee that made the same mistake. Would they have demanded the mayor resign for making that mistake? I doubt it.
Re: (Score:2, Insightful)
This guy might have a case if he can show that others had opened virus infected emails and not been fired. Seems like that would be pretty easy. The magnitude of the infection is not his fault, it could have literally been any other employee that made the same mistake. Would they have demanded the mayor resign for making that mistake? I doubt it.
A lot of companies have to publicly state and even certify that their organization has met certain cybersecurity standards, which someone has to sign off on them. If this employee was caught signing off on utter bullshit which essentially caused the infection (regardless of whose fault it is/was), then it's a pretty cut and dry scenario for someone getting fired.
As others have stated, there's a reason a single employee was singled out for termination; every company needs a scapegoat, and every company has
Seriously, it is the mayor's job to put people in place to protect the public interest. If you have to pay the ransom then not only did your leadership not practice due diligence, they didn't even practice due care. They need to be replaced. The mayor can not be trusted to make good hiring decisions, he should be recalled.
This negligence puts the town's people's privacy and in many cases safety at risk.
Re: (Score:3)
if not executed.
In the real world, it was the object code of the trojan that was executed.
Re:Just one? (Score:4, Interesting)
A lot of people are making the assumption here that the fired employee was a lowly from-the-trenches peon, when they could easily have been the operations team-lead responsible for ensuring their team enacted the proper processes for limiting these sorts of issues - the "cities IT manager" could easily have several teams reporting to him (dev team, support team, operations team etc) with their own responsibilities etc, and the team-leads could have been shirking their responsibilities and as a result got themselves fired.
Re: (Score:3)
the "cities IT manager" could easily have several teams reporting to him
Have you ever worked IT in a municipality? It is highly unlikely that there would be more than one "team" or group within IT for a city of population 12,000 like this one.
Hell... I know of cities of twice the size that have a grand total of 2 IT employees.
This is a CLEAR case of mismanagement where whomever was the senior-most person who should've known better and did nothing to attempt to correct the situation should
Re: (Score:2)
It may have been the IT manager who got fired, they are an IT employee after all and they may not want to disclose an identifiable individual to the world. It's perfectly possible that someone is being made a scapegoat, be it for the actions of people in the IT department or outside of it, or it could be that the person fired was directly responsible for the response. It may be that a
Re:Just one? (Score:5, Insightful)
It doesn't look like it was the employee that opened the file that got fired, it was someone else in the IT department.
Though there's plenty of blame to go around, of varying degrees. There are so many failures that ALL had to happen for this to occur.
- anti-ransomware filter on the email server
- IT-department led company-wide education of all employees on not opening "suspect" files
- anti-ransomware software on the desktop PCs
- managers responsible for making sure their employees understand and follow the rules regarding attachments
- IT network traffic monitoring by automated systems to detect ransomware actively encrypting files
- compartmentalization of files and folders, not having "excessively open" file and folder permissions that would prevent the less-educated, less tech-savvy, and less reliable employees from being able to do too much damage if they screw up
- BACKUPS. my god, where are their backups? No backups? Not all critical files backed up? No offsite backups? Backups got encrypted too? I'm extremely curious how this final catch-all safety net failed
This required ALL SEVEN of the above to fail for the attack to succeed. There's plenty 'o firing and punishments to be handed around. And if just one or two people caused ALL of that, then the spotlight needs to move up the management chain a notch or two and start burning some of the managers that were complacent in having such a bottleneck in their protection. (actually, I really can't imagine how at least a few managers shouldn't be seeing serious repercussions here - there's got to be some negligent management going on for all of this to fail)
We had a minor ransomware event here somewhat recently. Someone that ought to have known better did The Stupid, and due to a combination of lacking anti-ransomware software (server or desktop side) AND having excessive file permissions on the network, it got running on our network, encrypting files. (after it pretty thoroughly encrypted the desktop) Fortunately, our network guy was alerted by his traffic monitoring software and was able to shut it down fairly quickly. He then got to spend awhile restoring stuff from backups to fix what damage it was able to do before he caught it.
In the end, the employee didn't get nearly the amount of justice he deserved, but we now have anti-ransomware software on the desktops (and server afaik) AND a thorough review of permissions was conducted and significantly tightened down. Our backup strategy was also reviewed and improvements were made on that front too, to speed up the recovery process and get a few things under the umbrella that had previously been overlooked. Only a modest amount of employee education was done, I think mainly because, as I said before, the idiot that let it loose already should have known better. (IT employee!)
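The comment above lists "IT network traffic monitoring by automated systems to detect ransomware actively encrypting files" as one of the controls that had to fail, and the poster's own incident was caught by exactly that kind of alert. Below is an added example (not code from the article, the city, or any vendor) of the detection logic in Python: it consumes file-server audit events and raises an alert when one account rewrites many files with ciphertext-like content, or renames them to a new extension, inside a short window. The event schema, thresholds, share paths and account names are constructed assumptions; in a real deployment the events would come from Windows object-access auditing or the file server's audit stream.

```python
"""Ransomware encryption-burst detector over file-server audit events.

Added example, not the article's or any vendor's code. Events are
constructed inline in a simplified schema (assumption): each is a dict with
ts (epoch seconds), user, path, op ('write' or 'rename'), a 'sample' of the
bytes written for writes, and 'new_path' for renames.
"""
import math
import os
import random
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # assumption: sliding window length
BURST_THRESHOLD = 20     # assumption: suspicious modifications per window per user
ENTROPY_THRESHOLD = 7.5  # bits/byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: ~8.0 for ciphertext, far lower for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious(event: dict) -> bool:
    """One event is suspicious if it rewrites a file with ciphertext-like
    content, or renames it to a different extension (the appended-suffix
    pattern Ryuk and similar families use)."""
    if event["op"] == "rename":
        old_ext = os.path.splitext(event["path"])[1]
        new_ext = os.path.splitext(event["new_path"])[1]
        return old_ext != new_ext
    if event["op"] == "write":
        return shannon_entropy(event["sample"]) >= ENTROPY_THRESHOLD
    return False


def detect_bursts(events: list) -> dict:
    """Return {user: {'first_ts', 'count', 'paths'}} for every user whose
    suspicious modifications reach BURST_THRESHOLD inside WINDOW_SECONDS.
    The paths list is what the responder needs: which share to isolate and
    which files to restore."""
    windows = defaultdict(deque)  # user -> deque of (ts, path) inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_suspicious(ev):
            continue
        q = windows[ev["user"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= BURST_THRESHOLD and ev["user"] not in alerts:
            alerts[ev["user"]] = {"first_ts": q[0][0], "count": len(q),
                                  "paths": [p for _, p in q]}
    return alerts


def sample_events() -> list:
    """Constructed audit stream: a clerk saving ordinary documents over ten
    minutes, and a compromised account rewriting a share at machine speed."""
    rng = random.Random(7)
    events = []
    for i in range(5):  # benign: low-entropy office content, one save every 2 minutes
        events.append({"ts": 1000 + i * 120, "user": "clerk", "op": "write",
                       "path": f"//fs1/finance/ledger_{i}.docx",
                       "sample": b"Quarterly budget notes " * 20})
    for i in range(30):  # malicious: 30 files encrypted and renamed within 15 seconds
        p = f"//fs1/finance/2019/record_{i}.xlsx"
        events.append({"ts": 2000 + i * 0.5, "user": "svc_scan", "op": "write",
                       "path": p, "sample": bytes(rng.getrandbits(8) for _ in range(4096))})
        events.append({"ts": 2000 + i * 0.5 + 0.1, "user": "svc_scan", "op": "rename",
                       "path": p, "new_path": p + ".RYK"})
    return events


if __name__ == "__main__":
    for user, alert in detect_bursts(sample_events()).items():
        print(f"ALERT user={user} count={alert['count']} first_ts={alert['first_ts']}")
        print("  first paths:", alert["paths"][:3])
```

The entropy test is what separates a legitimate bulk edit (low-entropy documents) from encryption; the rename test catches families that leave content untouched until the last moment. Both thresholds are assumptions that need tuning against the site's own baseline, and the alert is only useful if something acts on it fast enough to disconnect the account or share.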
Re:Just one? (Score:5, Insightful)
From a 28-year career:
- anti-ransomware filter on the email server Management wouldn't pay for it. ... he didn't. However, the firm bought "ransomware insurance."
- IT-department led company-wide education of all employees on not opening "suspect" files I preached. They sinned.
- anti-ransomware software on the desktop PCs Management wouldn't pay for it.
- managers responsible for making sure their employees understand and follow the rules regarding attachments Management was worse than staff.
- IT network traffic monitoring by automated systems to detect ransomware actively encrypting files Who sells that?
- compartmentalization of files and folders, not having "excessively open" file and folder permissions that would prevent the less-educated, less tech-savvy, and less reliable employees from being able to do too much damage if they screw up How does this prevent ransomware?
- BACKUPS. my god, where are their backups? No backups? Not all critical files backed up? No offsite backups? Backups got encrypted too? I'm extremely curious how this final catch-all safety net failed This is the only answer. And I took the tapes/EHD home with me every single night. Shortly after I retired an employee clicked on an email attachment and the firm got ransomware. I asked my replacement how he handled it
Re: (Score:2)
- compartmentalization of files and folders, not having "excessively open" file and folder permissions that would prevent the less-educated, less tech-savvy, and less reliable employees from being able to do too much damage if they screw up How does this prevent ransomware?
The folder permissions thing helps limit the impact of ransomware because don't forget, it's only running as the user who opened it, so it only has as many permissions as they do. Sure, it could maybe use some exploit to get local administrator access on the desktop it's running on, but who gives a shit if a desktop gets encrypted? Just reimage it and move on. It's the files on the servers that need to be protected.
I do think it's an absolute crime though that anti-virus vendors sell anti-ransomware as an e
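The point in the reply above, that the ransomware only has the rights of the user who ran it, is easiest to see as a number: how many gigabytes on the file servers can that one token rewrite? Below is an added example (not the article's or any vendor's code) that computes that blast radius for a constructed environment, first with the "excessively open" ACLs the earlier comment describes and then with them tightened. Share names, group nesting, ACL entries and sizes are assumptions standing in for what you would pull from Get-SmbShareAccess, Get-Acl and AD group membership.

```python
"""Blast-radius estimate for a ransomware run under one user's token.

Added example, not the article's code. Environment data is constructed.
Each share maps to an ACL (principal -> set of rights) and a size in GB.
"""
from typing import Dict, Set

SHARES_OPEN = {  # everyone can write everything, backups included
    "\\\\fs1\\finance": {"acl": {"Domain Users": {"read", "write"}}, "gb": 120},
    "\\\\fs1\\hr":      {"acl": {"Domain Users": {"read", "write"}}, "gb": 40},
    "\\\\fs1\\gis":     {"acl": {"Domain Users": {"read", "write"}}, "gb": 900},
    "\\\\fs1\\backups": {"acl": {"Domain Users": {"read", "write"}}, "gb": 1500},
}
SHARES_TIGHT = {  # write limited to the owning department; backups to the backup service only
    "\\\\fs1\\finance": {"acl": {"Finance": {"read", "write"}}, "gb": 120},
    "\\\\fs1\\hr":      {"acl": {"HR": {"read", "write"}}, "gb": 40},
    "\\\\fs1\\gis":     {"acl": {"GIS": {"read", "write"}, "Domain Users": {"read"}}, "gb": 900},
    "\\\\fs1\\backups": {"acl": {"svc_backup": {"read", "write"}}, "gb": 1500},
}
GROUPS: Dict[str, Set[str]] = {  # group -> direct members; nesting is deliberate
    "Domain Users": {"alice", "bob", "ceo", "Finance", "HR", "GIS"},
    "Finance": {"alice"},
    "HR": {"bob"},
    "GIS": {"carol"},
}


def effective_principals(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The user plus every group containing them, directly or via nested groups."""
    result = {user}
    changed = True
    while changed:  # fixed-point over the membership graph
        changed = False
        for group, members in groups.items():
            if group not in result and members & result:
                result.add(group)
                changed = True
    return result


def writable_shares(user: str, shares: dict, groups: Dict[str, Set[str]]) -> Set[str]:
    """Shares where some principal the user holds carries the write right.
    Local admin on the workstation does not change this: the server side only
    sees the user's token."""
    principals = effective_principals(user, groups)
    return {
        share for share, info in shares.items()
        if any("write" in rights for p, rights in info["acl"].items() if p in principals)
    }


def blast_radius_gb(user: str, shares: dict, groups: Dict[str, Set[str]]) -> int:
    """Total GB this user's token could encrypt on the file servers."""
    return sum(shares[s]["gb"] for s in writable_shares(user, shares, groups))


def report(shares: dict, label: str) -> None:
    print(label)
    for user in ("alice", "bob", "carol", "ceo"):
        print(f"  {user:6s} could encrypt {blast_radius_gb(user, shares, GROUPS):5d} GB")


if __name__ == "__main__":
    report(SHARES_OPEN, "open ACLs:")
    report(SHARES_TIGHT, "tightened ACLs:")
```

With the open ACLs every account, including the executive who insisted on full access, can encrypt all 2560 GB; with the tightened ones a clerk's token reaches only their department's share, and the backup share is out of reach of any interactive user. That last line is the one that decides whether the incident is a restore or a ransom payment.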
Re: (Score:2)
> The folder permissions thing helps limit the impact of ransomware because don't forget, it's only running as the user who opened it, so it only has as many permissions as they do.
This. Unfortunately, the difference between IT department claims of "HIPAA compliance" or "FERPA compliance" are often simply marks on a checklist, a _secret_ checklist which no one outside the IT department is allowed to see or to verify compliance with. And many organizations have very generous access and permissions for the
- anti-ransomware filter on the email server Management wouldn't pay for it.
Does ClamAV not work anymore? Are there no opensource malware filters?
Exactly. Backups corrupted for a few days to the point that they aren’t reliable, and you have significant impact. Sure, you might be able to restore to last week, but even that process will involve significant down-time and tremendous work to recover lost data by the staff.
As for reliably automatically detecting and stopping malware with tremendous adverse effects on usability... good luck counting on that.
As attacks get more advanced- correct email signatures from people who might be legitimately se
Re: Just one? (Score:2)
Old adage:
"There are two kinds of companies: Those who know some of their systems have been compromised. And those who don't know it."
Re: (Score:2)
"Management wouldn't pay for it." - Assumes facts not in evidence.
"I preached. They sinned." - Enforcement, which where I work leads to dismissal, is regularly rejected as too harsh.
"Management wouldn't pay for it." - Assumes facts not in evidence.
"Management was worse than staff." - Assumes facts not in evidence.
"- IT network traffic monitoring by automated systems to detect ransomware actively encrypting files Who sells that?" Exactly.
"- compartmentalization of files and folders... How does this prevent
The key failure was backups either nonexistent or vulnerable to the ransomware. It isn't reasonable to expect to prevent a ransomware attack from ever happening. The best defense is to make it a "meh, whatever, I've got my files right over here" moment.
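The comment above puts the weight on backups that were either missing or reachable by the ransomware. The part people skip is checking that the copy you plan to restore from is still intact before you need it. Below is an added example (not the article's or any vendor's code) of a restore-drill check in Python: it records a SHA-256 manifest when the backup is taken and later verifies the backup against it, so a backup that the malware reached shows up as a digest mismatch during the drill rather than during the incident. The source tree, the "encrypted" file and the ransom note are constructed in a temporary directory; the manifest location and the drill scenario are assumptions.

```python
"""Backup restore-drill check: does the copy you would restore from still
match what was backed up?

Added example, not the article's code. All data is constructed in a temp dir.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dst: Path) -> Path:
    """Copy src to dst and write a manifest of relative path -> digest.
    Assumption: the manifest travels with the offline copy (tape, removable
    disk, immutable object store). If it sits on the same writable share as
    the backup, the malware can rewrite both and the check proves nothing."""
    shutil.copytree(src, dst, dirs_exist_ok=True)
    manifest = {str(p.relative_to(src)): sha256_file(p) for p in src.rglob("*") if p.is_file()}
    manifest_path = dst.parent / (dst.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest_path


def verify_backup(dst: Path, manifest_path: Path) -> dict:
    """Compare the backup tree against its manifest.
    Returns {'ok': [...], 'modified': [...], 'missing': [...], 'extra': [...]}:
    'modified' is a backup file whose content changed after it was taken
    (what an encrypted backup looks like), 'extra' is anything dropped into
    the tree later, such as a ransom note."""
    manifest = json.loads(manifest_path.read_text())
    report = {"ok": [], "modified": [], "missing": [], "extra": []}
    present = {str(p.relative_to(dst)) for p in dst.rglob("*") if p.is_file()}
    for rel, digest in manifest.items():
        p = dst / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["extra"] = sorted(present - set(manifest))
    return report


def run_drill() -> dict:
    """Constructed scenario: back up three files, then simulate ransomware that
    reached the backup share, encrypting one file, deleting one and dropping a note."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dst = root / "finance", root / "backup" / "finance"
        (src / "2019").mkdir(parents=True)
        (src / "ledger.xlsx").write_bytes(b"constructed ledger contents\n" * 100)
        (src / "2019" / "payroll.docx").write_bytes(b"constructed payroll\n" * 50)
        (src / "notes.txt").write_text("meeting notes\n")
        manifest = make_backup(src, dst)
        (dst / "ledger.xlsx").write_bytes(os.urandom(2800))        # "encrypted"
        (dst / "RyukReadMe.txt").write_text("constructed ransom note\n")
        (dst / "notes.txt").unlink()
        return verify_backup(dst, manifest)


if __name__ == "__main__":
    r = run_drill()
    print("intact:", r["ok"])
    print("modified:", r["modified"], "missing:", r["missing"], "extra:", r["extra"])
```

Run the verification as part of a scheduled drill, not only after an incident; a manifest check that passes on a copy the production network cannot write to is the "meh, whatever, I've got my files right over here" the comment describes.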
Re: (Score:2)
Do we know why he didn't have a backup in place? It may because they didn't want to budget for it. Backups cost money, software and either onsite storage, or for a cloud service. And his boss may have not seen the point, since "everything is working fine now".
Re: (Score:3)
I like how you just assume that backups happen by a magic snap of Thanos' fingers.
Backups require effort. They require active maintenance.
If the higher level staff order the IT staff to do this that and the other thing, and they prioritize those things above doing backups, then what is the IT Manager going to do?
It's entirely possible that the IT Manager was simply incompetent. But past experience tells me that there is far more to the story, and that he was probably scapegoated so that the people above h
Re: (Score:3)
They made the employee a scapegoat.
It was his job. He failed at it. That is accountability, not scapegoating.
A proper system would withstand a bad email.
Whose job is it to make sure the system works properly? As techs, it is our job.
People who have made such mistakes are usually much more careful afterward than those who haven't.
Well, he's available. So you can hire him.
Re: (Score:2)
It was his job. He failed at it. That is accountability, not scapegoating. A proper system would withstand a bad email. Whose job is it to make sure the system works properly? As techs, it is our job.
CEO - I want full system access.
IT - Sir we can give you a special account for those times you need it but we don't recommend putting full admin rights on your...
CEO - Don't tell me you can't...DO IT!!!
IT - Yes sir
2 days later...
In CEO inbox - "You may already have won! Click **HERE** to find out now."
CEO - *CLICK*
Never underestimate the power of seemingly smart people doing really dumb things.
Re: (Score:2)
We have multiple technical measures to try and stop, or failing that decrease the impact of, attacks. We still want to decrease executives access to files they don't really need, but everyone dealing with this in reality knows you will never stop them from requiring access to at least a f
Re: (Score:3)
"People who have made such mistakes are usually much more careful afterward than those who haven't.
Well, he's available. So you can hire him."
Well played.
Re: (Score:2)
One - the spelling is Aspergers
Two - it's not something for which you can medicate
Three - taunting someone for displaying autistic traits is bullying
Four - you're a cunt
Re: (Score:2)
True, any one of us could get infected from any means.
Who they should have fired was the IT staff who failed to make proper backups and have a disaster recovery plan in place.
Re: (Score:2)
I think "document" is just lazy journalism. The in-depth article I read only mentioned an "attachment" (which I admit was probably disguised as a document).
Re: (Score:2)
well sure, but who did they fire? the guy who OPENED AN EMAIL? ..whose job was to, I guess, open emails on software provided by the employer?
I mean, fire the frigging IT manager and the IT managers manager.
also move to gmail or whatever and why oh why would it spread from there to everywhere..
Re: (Score:2)
They should deport them back to Redmond.
Re: (Score:3)
'Based upon what, exactly? Your "gut instinct"'
No, based on the fact that regardless of who executed an attachment, their whole 'information system' is completely insecure. This attack isn't something that is 0day and a competent staff would have mitigated or eliminated this attack months ago.
Re: (Score:2)
This is from the article, and a cursory look at the two trojans reveals they both use EternalBlue—which they really should have been patched against.
I wi
Florida City also needs to fire IT Manager... (Score:5, Informative)
The IT manager who had no disaster backup policy in place.
What would they have done if their IT facility had burned to the ground? Treat a ransomware attack like that.
Re: (Score:2, Insightful)
"The IT manager who had no disaster backup policy in place." = probably not the actual case. "Having a policy" is great. IMPLEMENTING that policy before hackers can pwn additional layers? Not so simple for contractually-always-on systems, which have a MUNICIPAL BUDGET PROBLEM instead of corporate coffers to draw system-duplicating redundancy from.
You're underestimating the scale of the problem in underfunded understaffed Federal State and Local government IT, and its municipal and private sector vendors
Why would you fire a well connected IT manager (Score:2)
Re: (Score:2)
What would they have done if their IT facility had burned to the ground?
Probably fired the embers.
Re: (Score:2)
This.
IT has to believe that disaster is one minute away, and be prepared to pull the net out of the ditch.
Re: (Score:2)
You’re in luck, it was the IT manager they fired.
Re: (Score:2)
Maybe he wanted to have a disaster recovery plan in place, but didn't have the budget.
ha ha ha... BULLSHIT! (Score:5, Informative)
Whether or not this IT guy is a moron or not.
there is zero fucking doubt that there is MORE fault with management. The same fucking guys that always first prevent you from doing your damn job and then bitch at you for not getting your job done. There is no end to the amount of do this project under budget, under staffed, and yester-fucking-day! Your tickets are taking too long, you are working too few tickets.
And my personal fucking favorite. Asking you to build a system that is as resilient, speedy, and functional as something built for a cloud platform like AWS or Azure where they have spent millions of dollars and development time while you get next to nothing and a bunch of middle manager know-nothing hacks telling you to draw 3 blue lines with red fucking ink and they are all required to be perpendicular to each other.
IT is a picture perfect example of how fucking dumb, stupid, idiotic, and counter productive human fucking beings are! And just how much of a clue management never had or will ever have! Every project has a moron, every product has a premium no one wants to pay for... and even if that $50,000 Storage array brings in $1,000,000 in revenue it's nothing but an expense, and never an investment, that needs to be removed from the budget.
I see this shit all damn day long... management that makes unreasonable demands on their staff, refuses to provide them proper resources, and then fires their ass when something goes wrong when they are more at fault than any other fucker walking the halls!
Re: (Score:2)
As I post elsewhere in this story - what makes you think that the fired employee *isnt* management? They could easily be a team-lead or department head whose responsibility was to enact the proper safeguards and failed.
People are assuming that the fired employee was a lowly bod who was chosen as a scapegoat without any evidence to support that theory.
Re: (Score:2)
What good is a fire drill that is never tested? Having something in your head does not a plan make. If management is any good this issue should have been addressed at the minimum twice a year in meetings and at least once a year in practice. A report generated as to the efficiency of the recovery.
I sometimes feel from comments on this site that I live in a different world. In an environment as large as a city or small town every department would need to be involved in the drill in order to ensure that emer
Re: (Score:2)
Not necessarily.
What if this IT guy is the one responsible for backup?
What would you say then?
Re: (Score:2)
Management is always selling a System. This System is comprised of org charts, mission statements, SOPs for critical activities, EHS, HR, etc, and can be generalized as the sum of all systems, goals and technology of the organization. The goal of management is to have the System appear infallible.
Re: (Score:2)
https://www.ribbonfarm.com/200... [ribbonfarm.com]
Re: ha ha ha... BULLSHIT! (Score:2)
If management would not allow them to properly do their job, either they could not effectively explain why it was needed or they should have left.
Gov't BS versus private sector BS (Score:2)
Idiot managers are in all organizations, public and private. I can tell you lots of stories. Promoting dumbass relatives of owners or top managers is very common in the private sector, for example. It's usually much harder to pull that in bigger city governments.
Dilbert is a documentary, not just a comic strip.
Government usually gives repeat-offender yahoos simple roles where they can't do much damage, but keep their rank. "Documen
Re: (Score:2)
Dilbert is a documentary
+1 insightful :)
Search for the guilty (Score:2)
Punishment of the innocent.
Promotion of the non-participants.
Was the person fired (Score:3)
The same person that opened the trojan file?
It's not clear if the IT worker opened the file or someone with the password of A1A1A1A1.
Windows again. (Score:5, Informative)
Windows again. Just fire the employee who paid Microsoft this year.
Re: (Score:2)
Windows gets its fair share of shit.
No, it needs more. In the form of mass firings plus lawsuits. First one should be you.
Re: (Score:2)
> But this disaster was entirely avoidable within an MS network
Since those particular ransomware tools only propagate on MS based hosts, it's entirely avoidable by using MacOS laptops, Thunderbird for email clients, and Samba for AD servers. The environment would still be vulnerable to Windows based hosts anywhere in the system with fileshare access, especially default enabled fileshare access. But I've seen just such concerns used, for decades now, to justify the greater initial investment.
I'm still rem
Re: (Score:2)
Agreed. If Linux had an 80% desktop market share guess what we'd see. How difficult would it be to design a program that resembles a Ubuntu sudo password dialog?
Re: (Score:2)
And whoever you work for should fire you before you spread.
outlook can auto run code + office VBA code (Score:2)
outlook can auto run code + office VBA code
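The comment above and the article summary point at the same entry vector: an emailed Office document carrying VBA that the user opened. A mail gateway can refuse most of that class before anyone gets the chance to click. Below is an added example (not the article's code, and not any vendor's filter) of attachment triage in Python: it parses a raw message, flags blocked executable types, double extensions, macro-enabled Office extensions and, independently of the extension, OOXML containers that carry a vbaProject.bin, and looks one level into zip attachments. The sample message, the extension lists and the attachment names are constructed assumptions, not a vendor's policy.

```python
"""Mail-gateway attachment triage for macro-bearing and executable lures.

Added example, not code from the article or any vendor. The message is
constructed inline; the policy lists are assumptions for illustration.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

BLOCKED_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".hta", ".lnk",
               ".ps1", ".bat", ".cmd", ".com", ".pif", ".cpl", ".iso", ".img"}
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
LEGACY_OFFICE_EXT = {".doc", ".xls", ".ppt", ".rtf"}   # binary OLE formats can carry VBA
DISGUISE_EXT = {".pdf", ".doc", ".docx", ".jpg", ".txt"}  # used in "invoice.pdf.exe"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML documents are zip containers; VBA lives in */vbaProject.bin.
    Checked by content, so renaming .docm to .docx does not evade it."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Return the reasons this attachment should be quarantined (empty = allow)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if len(parts) > 2 and "." + parts[-2] in DISGUISE_EXT and ext in BLOCKED_EXT:
        reasons.append("double extension")
    if ext in BLOCKED_EXT:
        reasons.append(f"blocked type {ext}")
    if ext in MACRO_EXT:
        reasons.append("macro-enabled Office extension")
    if ooxml_has_vba(data):
        reasons.append("vbaProject.bin present (VBA macros)")
    elif data.startswith(OLE_MAGIC) and ext in LEGACY_OFFICE_EXT:
        reasons.append("legacy OLE Office file; needs macro scan")
    if ext == ".zip" and depth == 0 and data.startswith(b"PK"):
        try:  # one level of recursion: zipping the payload is the usual filter dodge
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for r in triage_attachment(member, zf.read(member), depth + 1):
                        reasons.append(f"{member}: {r}")
        except zipfile.BadZipFile:
            reasons.append("unreadable zip")
    return reasons


def triage_message(raw: bytes) -> dict:
    """Map attachment filename -> reasons for every attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=default)
    return {(part.get_filename() or "(unnamed)"):
            triage_attachment(part.get_filename() or "", part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()}


def build_sample_message() -> bytes:
    """Constructed lure: a macro-enabled 'invoice' plus a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # minimal OOXML-shaped zip, not a real document
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "clerk@city.example"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="Invoice_4471.docm")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="receipt.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for fname, reasons in triage_message(build_sample_message()).items():
        print(f"{fname}: {'QUARANTINE: ' + '; '.join(reasons) if reasons else 'allow'}")
```

The extension checks are cheap and catch the lazy lures; the vbaProject.bin check is the one that matters, because it looks at what the file is rather than what it is called. Legacy .doc/.xls files need a real OLE macro scanner (olevba or the gateway's engine), which this example only flags for.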
Just going to leave this here... (Score:3)
https://www.amazon.com/Beyond-Blame-Learning-Failure-Success/dp/1491906413
Not an exact fit BUT my first thought was any request for funding for something that would have prevented this was met with a "no, it costs too much" or a "no we don't need it".
Where were the backups? Where was the scanning of emails and/or links? Where was the scanning of files on the systems? This was a failure that started at the top and to suggest otherwise is completely foolish.
Re: (Score:3)
Where was the firing of the person who allowed Microsoft Windows on the network?
Re: (Score:2)
This bug had been patched by MSFT many months ago...sorry to kick your little Linux flag into the dirt but if you never patch your systems? Then I'm sorry the OS isn't gonna matter, its still gonna get pwned...or did you forget about that Linux gets hacked too? [gbhackers.com]
Oh, snap! Or would that be...
# sudo snap
Cybersecurity (Score:2)
Responsible for upgrading "Florida Wo/man" stories to "Florida City" stories since 2019.
That user should have been sandboxed, (Score:2)
Re: (Score:2)
And by that I mean make him do his work from a literal sandbox with no wifi until he learns to not open random executables
If he's a manager, tell him he's working in Silicon Valley.
I wonder if that was a good idea on their part (Score:2)
You have now fired the company scapegoat.
This former employee is now:
1) Pissed off
2) Unemployed
3) Sans paycheck
4) Full of insider knowledge about the network they helped maintain
This person is now ripe for recruitment by the next group of folks who will seek to replay this scenario since the victims in question seem to have no issues with paying ransom demands.
If you want to go full tin foil hat, consider this person ( or another ) may have clicked that email link on purpose after being recruited by an
Profit? (Score:3)
This ransomware thing is starting to sound pretty profitable.
Re: (Score:2)
The city council who voted to pay the ransom should be prosecuted for sending money to a criminal organization, which could possibly have terrorism connections.
In most countries paying a ransom is illegal for a good reason. For the person paying the ransom, the cost of the ransom will be minor compared to the consequences of not paying. However, by rewarding the criminals you're encouraging further ransom demands in the form of extortion, kidnappings or ransomware. It is unlikely that the criminals would re
Re: (Score:2)
That's why you hire somebody else to pay the ransom for you.
https://yro.slashdot.org/story... [slashdot.org]
Bitcoin prohibition.... (Score:2)
How do crypto currencies actually benefit society?
As far as I can see they simply don't.
We have a bunch of hackers, criminals and drug dealers exploiting it.
We have a bunch of people mining crypto currencies, chewing up power and electricity generated which is fairly immoral in a world dealing with a climate crisis.
We have trading companies and exchanges profiting from people essentially gambling their savings on it.
The whole reason for Bitcoin is to enable anonymous electronic transactions, if a tra
Re: (Score:2)
Can anyone give a single practical use of Bitcoin which doesn't involve criminal activity and can't be provided by services such as Visa or Paypal?
After the diplomatic cables leak, [wikipedia.org] the US government tried to block funds to Wikileaks by pressuring Visa/Mastercard/Paypal to cancel their account. Publishing the leaked documents was not illegal, the government was trying to suppress speech. Now bitcoin allows anyone to donate to Wikileaks, and bitcoin donations allow Wikileaks to keep their servers up.
Should be good for a chuckle (Score:2)
"So, Mr Smith, tell us about your last position."
"Well, I oversaw a large, city-wide project that involved the testing of our backup and recovery services..."
Re: (Score:2)
Unix may be more secure, but it cannot defend against dumbass users who enter their password when a trojan asks for it.
Re: (Score:2)
It really can't. Any system is susceptible to social engineering because the weakpoint isn't the system at all. Its the user. *nix specific malware is less common sure. But more and more of what we do is cross platform and web based. Malicious javascript on a web page doesn't care what kernel you have as long as you type in your personal details.
Re: (Score:2)
That file shouldn't have gotten through though, there's no way Gmail/Chrome would've let them open a file like that.
Re: (Score:2)
Linux is no more difficult to use than MSWind was in 2000. From reports, MSWind has gotten worse. It's a bit different, so there's a learning curve, but it's no harder. (I can't speak about MSWind since 2000, as their EULA has prevented me from even looking at it.)
That said, this probably wouldn't have been eliminated by using Linux. It *MIGHT* protect the system files, but it can't protect the files the user is allowed to write. It might require a different vulnerability, perhaps one in JavaScript, bu