Florida City Fires IT Employee After Paying Ransom Demand Last Week (zdnet.com) 326

Officials from Lake City, Florida, fired an IT employee last week after the city was forced to approve a gigantic ransomware payment of nearly $500,000 last Monday. The employee, whose name was not released, was fired on Friday, according to local media reports, which cited the Lake City mayor. ZDNet reports: Lake City's IT network was infected with malware on June 10. The city described the incident as a "triple threat." In reality, an employee opened a document they received via email, which infected the city's network with the Emotet trojan, which later downloaded the TrickBot trojan, and later, the Ryuk ransomware. The latter spread to the city's entire IT network and encrypted files. Hackers eventually demanded a ransom to let the city regain access to its systems. The city's leadership approved a ransom payment last Monday, which was paid the next day, on Tuesday. The city's IT staff started decrypting files on the same day.
  • by Anonymous Coward

    That person probably told their boss they were safe and they did xir job, since after all, xir thought nothing could happen in the safe space.

  • But but but (Score:4, Insightful)

    by ArchieBunker ( 132337 ) on Monday July 01, 2019 @08:29PM (#58858602)

    Bitcoins aren't real money!

    • Bitcoins aren't real money!

      Do you also complain that cars aren't real money when someone takes your car from you at gunpoint?

      We all know that cars aren't real money, just like we all know that bitcoin isn't real money. Clutching your pearls isn't going to suddenly make bitcoin "real money".

  • Just one? (Score:4, Insightful)

    by fred911 ( 83970 ) on Monday July 01, 2019 @08:29PM (#58858606) Journal

    Should have replaced them all.

    • Re:Just one? (Score:5, Insightful)

      by Tablizer ( 95088 ) on Monday July 01, 2019 @08:33PM (#58858624) Journal

      Indeed. They made the employee a scapegoat. A proper system would withstand a bad email.

      That kind of "sin" is worth no more than 2 month suspension for a regular employee. People who have made such mistakes are usually much more careful afterward than those who haven't.

      • Re:Just one? (Score:5, Insightful)

        by yodleboy ( 982200 ) on Monday July 01, 2019 @08:39PM (#58858660)

        This guy might have a case if he can show that others had opened virus infected emails and not been fired. Seems like that would be pretty easy. The magnitude of the infection is not his fault, it could have literally been any other employee that made the same mistake. Would they have demanded the mayor resign for making that mistake? I doubt it.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          This guy might have a case if he can show that others had opened virus infected emails and not been fired. Seems like that would be pretty easy. The magnitude of the infection is not his fault, it could have literally been any other employee that made the same mistake. Would they have demanded the mayor resign for making that mistake? I doubt it.

          A lot of companies have to publicly state and even certify that their organization has met certain cybersecurity standards, which someone has to sign off on them. If this employee was caught signing off on utter bullshit which essentially caused the infection (regardless of whose fault it is/was), then it's a pretty cut and dry scenario for someone getting fired.

          As others have stated, there's a reason a single employee was singled out for termination; every company needs a scapegoat, and every company has

          • But in the end the mayor is responsible for everything, so in this case, the mayor should be fired...
            • Seriously, it is the mayor's job to put people in place to protect the public interest. If you have to pay the ransom then not only did your leadership not practice due diligence, they didn't even practice due care. They need to be replaced. The mayor can not be trusted to make good hiring decisions, he should be recalled.

              This negligence puts the town's people's privacy and in many cases safety at risk.

        • Re:Just one? (Score:4, Interesting)

          by Richard_at_work ( 517087 ) on Monday July 01, 2019 @09:45PM (#58858930)

          A lot of people are making the assumption here that the fired employee was a lowly from-the-trenches peon, when they could easily have been the operations team-lead responsible for ensuring their team enacted the proper processes for limiting these sorts of issues - the "cities IT manager" could easily have several teams reporting to him (dev team, support team, operations team etc) with their own responsibilities etc, and the team-leads could have been shirking their responsibilities and as a result got themselves fired.

          • by mysidia ( 191772 )

            the "cities IT manager" could easily have several teams reporting to him

            Have you ever worked IT in a municipality? It is highly unlikely that there would be more than one "team" or group within IT for a city of population 12,000 like this one.

            Hell... I know of cities of twice the size that have a grand total of 2 IT employees.

            This is a CLEAR case of mismanagement where whomever was the senior-most person who should've known better and did nothing to attempt to correct the situation should

            • by N1AK ( 864906 )
              Like any news story, it seems that no one wants to let the lack of virtually any details get in the way of having an opinion.

              It may have been the IT manager who got fired, they are an IT employee after all and they may not want to disclose an identifiable individual to the world. It's perfectly possible that someone is being made a scapegoat, be it for the actions of people in the IT department or outside of it, or it could be that the person fired was directly responsible for the response. It may be that a
        • Re:Just one? (Score:5, Insightful)

          by v1 ( 525388 ) on Monday July 01, 2019 @10:06PM (#58859034) Homepage Journal

          It doesn't look like it was the employee that opened the file that got fired, it was someone else in the IT department.

          Though there's plenty of blame to go around, of varying degrees. There are so many failures that ALL had to happen for this to occur.

          - anti-ransomware filter on the email server
          - IT-department led company-wide education of all employees on not opening "suspect" files
          - anti-ransomware software on the desktop PCs
          - managers responsible for making sure their employees understand and follow the rules regarding attachments
          - IT network traffic monitoring by automated systems to detect ransomware actively encrypting files
          - compartmentalization of files and folders, not having "excessively open" file and folder permissions that would prevent the less-educated, less tech-savvy, and less reliable employees from being able to do too much damage if they screw up
          - BACKUPS. my god, where are their backups? No backups? Not all critical files backed up? No offsite backups? Backups got encrypted too? I'm extremely curious how this final catch-all safety net failed

          This required ALL SEVEN of the above to fail for the attack to succeed. There's plenty 'o firing and punishments to be handed around. And if just one or two people caused ALL of that, then the spotlight needs to move up the management chain a notch or two and start burning some of the managers that were complacent in having such a bottleneck in their protection. (actually, I really can't imagine how at least a few managers shouldn't be seeing serious repercussions here - there's got to be some negligent management going on for all of this to fail)

          We had a minor ransomware event here somewhat recently. Someone that ought to have known better did The Stupid, and due to a combination of lacking anti-ransomware software (server or desktop side) AND having excessive file permissions on the network, it got running on our network, encrypting files. (after it pretty thoroughly encrypted the desktop) Fortunately, our network guy was alerted by his traffic monitoring software and was able to shut it down fairly quickly. He then got to spend awhile restoring stuff from backups to fix what damage it was able to do before he caught it.

          In the end, the employee didn't get nearly the amount of justice he deserved, but we now have anti-ransomware software on the desktops (and server afaik) AND a thorough review of permissions was conducted and significantly tightened down. Our backup strategy was also reviewed and improvements were made on that front too, to speed up the recovery process and get a few things under the umbrella that had previously been overlooked. Only a modest amount of employee education was done, I think mainly because, as I said before, the idiot that let it loose already should have known better. (IT employee!)
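
As an added illustration of the "monitoring by automated systems to detect ransomware actively encrypting files" control listed in the comment above (not part of any poster's comment and not any vendor's product): a minimal sketch that flags an account modifying an unusual number of files across several directories within a short window. The audit-log format, thresholds, account names and paths are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import posixpath

# Assumed thresholds for the example; tune against a baseline of normal activity.
WINDOW = timedelta(seconds=60)   # sliding window per account
MAX_FILES = 20                   # distinct files modified within the window
MIN_DIRS = 3                     # ...spread over at least this many directories
MODIFYING_OPS = {"WRITE", "RENAME", "DELETE"}


def parse_event(line):
    """Parse one line of the assumed audit format: '<iso-ts> <account> <op> <path>'."""
    ts, account, op, path = line.rstrip("\n").split(" ", 3)
    return datetime.fromisoformat(ts), account, op, path


def detect_mass_modification(lines, window=WINDOW, max_files=MAX_FILES, min_dirs=MIN_DIRS):
    """Return {account: time of first alert} for accounts that modify at least
    max_files distinct files in at least min_dirs directories inside one window.
    Events are expected in time order per account."""
    recent = defaultdict(deque)      # account -> deque of (timestamp, path)
    alerts = {}
    for line in lines:
        ts, account, op, path = parse_event(line)
        if op not in MODIFYING_OPS or account in alerts:
            continue                 # reads are ignored; alert once per account
        events = recent[account]
        events.append((ts, path))
        while ts - events[0][0] > window:
            events.popleft()         # drop events that fell out of the window
        files = {p for _, p in events}
        dirs = {posixpath.dirname(p) for p in files}
        if len(files) >= max_files and len(dirs) >= min_dirs:
            alerts[account] = ts
    return alerts


def sample_events():
    """Constructed sample log: one normal user, one backup job, one runaway account."""
    start = datetime(2024, 1, 15, 9, 0, 0)
    shares = ["/shares/finance", "/shares/hr", "/shares/permits", "/shares/utilities"]
    lines = []
    # alice saves a handful of documents over ten minutes (normal editing)
    for i in range(5):
        ts = start + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} alice WRITE /shares/finance/report{i}.xlsx")
    # svc_backup reads many files quickly; reads never count toward the threshold
    for i in range(40):
        ts = start + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} svc_backup READ {shares[i % 4]}/doc{i}.docx")
    # bob's session rewrites one file per second across every share
    for i in range(40):
        ts = start + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} bob WRITE {shares[i % 4]}/doc{i}.docx")
    return lines


if __name__ == "__main__":
    for account, when in detect_mass_modification(sample_events()).items():
        print(f"ALERT {when.isoformat()} {account}: mass file modification")
```

On a real file server the input would come from the platform's file-access auditing, and an alert would feed whatever process isolates the account or host.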

          • Re:Just one? (Score:5, Insightful)

            by CaptainDork ( 3678879 ) on Monday July 01, 2019 @10:44PM (#58859152)

            From a 28-year career:

            - anti-ransomware filter on the email server Management wouldn't pay for it.
            - IT-department led company-wide education of all employees on not opening "suspect" files I preached. They sinned.
            - anti-ransomware software on the desktop PCs Management wouldn't pay for it.
            - managers responsible for making sure their employees understand and follow the rules regarding attachments Management was worse than staff.
            - IT network traffic monitoring by automated systems to detect ransomware actively encrypting files Who sells that?
            - compartmentalization of files and folders, not having "excessively open" file and folder permissions that would prevent the less-educated, less tech-savvy, and less reliable employees from being able to do too much damage if they screw up How does this prevent ransomware?
            - BACKUPS. my god, where are their backups? No backups? Not all critical files backed up? No offsite backups? Backups got encrypted too? I'm extremely curious how this final catch-all safety net failed This is the only answer. And I took the tapes/EHD home with me every single night. Shortly after I retired an employee clicked on an email attachment and the firm got ransomware. I asked my replacement how he handled it ... he didn't. However, the firm bought "ransomware insurance."

            • by Danj2k ( 123765 )

              - compartmentalization of files and folders, not having "excessively open" file and folder permissions that would prevent the less-educated, less tech-savvy, and less reliable employees from being able to do too much damage if they screw up How does this prevent ransomware?

              The folder permissions thing helps limit the impact of ransomware because don't forget, it's only running as the user who opened it, so it only has as many permissions as they do. Sure, it could maybe use some exploit to get local administrator access on the desktop it's running on, but who gives a shit if a desktop gets encrypted? Just reimage it and move on. It's the files on the servers that need to be protected.

              I do think it's an absolute crime though that anti-virus vendors sell anti-ransomware as an e

              • > The folder permissions thing helps limit the impact of ransomware because don't forget, it's only running as the user who opened it, so it only has as many permissions as they do.

                This. Unfortunately, the difference between IT department claims of "HIPAA compliance" or "FERPA compliance" are often simply marks on a checklist, a _secret_ checklist which no one outside the IT department is allowed to see or to verify compliance with. And many organizations have very generous access and permissions for the

            • - anti-ransomware filter on the email server Management wouldn't pay for it.

              Does ClamAV not work anymore? Are there no opensource malware filters?

              • Meh, not very well ATM. Tons of false positives...not what it used to be.
              • Management - at nearly all companies - wants someone to yell at, when things go wrong. Thus 'Opensource' has an incredibly hard time being adopted. Worked at one place that forced me to remove Bittorrent - working perfectly at backing up a database - because, ya know, "It's used for file stealing!!!" Minor detail that the 'official' backup software was costing them something like 20K USD per year ... and didn't work ... didn't change their minds in the slightest. Same thing goes for MySQL ... it has pr
            • Exactly. Backups corrupted for a few days to the point that they aren’t reliable, and you have significant impact. Sure, you might be able to restore to last week, but even that process will involve significant down-time and tremendous work to recover lost data by the staff.

              As for reliably automatically detecting and stopping malware with tremendous adverse effects on usability... good luck counting on that.

              As attacks get more advanced- correct email signatures from people who might be legitimately se

            • "Management wouldn't pay for it." - Assumes facts not in evidence.
              "I preached. They sinned." - Enforcement, which where I work leads to dismissal, is regularly rejected as too harsh.
              "Management wouldn't pay for it." - Assumes facts not in evidence.
              "Management was worse than staff." - Assumes facts not in evidence.
              "- IT network traffic monitoring by automated systems to detect ransomware actively encrypting files Who sells that?" Exactly.
              "- compartmentalization of files and folders... How does this prevent

          • Comment removed based on user account deletion
          • The key failure was backups either nonexistent or vulnerable to the ransomware. It isn't reasonable to expect to prevent a ransomware attack from ever happening. The best defense is to make it a "meh, whatever, I've got my files right over here" moment.

        • Re: Just one? (Score:5, Interesting)

          by Zero__Kelvin ( 151819 ) on Monday July 01, 2019 @10:41PM (#58859132) Homepage
          He was the IT manager. The onus was on him to have a backup system in place but he did not. Firing him was highly appropriate in this case. If they had fired a subordinate, or even him, for opening an email that would have been egregious, but that isn't why he was fired. He was woefully incompetent.
          • by GezusK ( 449864 )

            Do we know why he didn't have a backup in place? It may be because they didn't want to budget for it. Backups cost money, software and either onsite storage, or for a cloud service. And his boss may have not seen the point, since "everything is working fine now".

          • I like how you just assume that backups happen by a magic snap of Thanos' fingers.

            Backups require effort. They require active maintenance.

            If the higher level staff order the IT staff to do this that and the other thing, and they prioritize those things above doing backups, then what is the IT Manager going to do?

            It's entirely possible that the IT Manager was simply incompetent. But past experience tells me that there is far more to the story, and that he was probably scapegoated so that the people above h

        • They didn't have backups, the entire IT team should be fired.
      • They made the employee a scapegoat.

        It was his job. He failed at it. That is accountability, not scapegoating.

        A proper system would withstand a bad email.

        Whose job is it to make sure the system works properly? As techs, it is our job.

        People who have made such mistakes are usually much more careful afterward than those who haven't.

        Well, he's available. So you can hire him.

        • It was his job. He failed at it. That is accountability, not scapegoating. A proper system would withstand a bad email. Whose job is it to make sure the system works properly? As techs, it is our job.

          CEO - I want full system access.
          IT - Sir we can give you a special account for those times you need it but we don't recommend putting full admin rights on your...
          CEO - Don't tell me you can't...DO IT!!!
          IT - Yes sir

          2 days later...
          In CEO inbox - "You may already have won! Click **HERE** to find out now."
          CEO - *CLICK*

          Never underestimate the power of seemingly smart people doing really dumb things.

        • "People who have made such mistakes are usually much more careful afterward than those who haven't.

          Well, he's available. So you can hire him."

          Well played.

      • True, any one of us could get infected from any means.

        Who they should have fired was the IT staff who failed to make proper backups and have a disaster recovery plan in place.

    • by gl4ss ( 559668 )

      well sure, but who did they fire? the guy who OPENED AN EMAIL? ..whose job was to, I guess, open emails on software provided by the employer?

      I mean, fire the frigging IT manager and the IT managers manager.

      also move to gmail or whatever and why on why would it spread from there to everywhere..

    • They should deport them back to Redmond.

  • by sconeu ( 64226 ) on Monday July 01, 2019 @08:35PM (#58858638) Homepage Journal

    The IT manager who had no disaster backup policy in place.

    What would they have done if their IT facility had burned to the ground? Treat a ransomware attack like that.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      "The IT manager who had no disaster backup policy in place." = probably not the actual case. "Having a policy" is great. IMPLEMENTING that policy before hackers can pwn additional layers? Not so simple for contractually-always-on systems, which have a MUNICIPAL BUDGET PROBLEM instead of corporate coffers to draw system-duplicating redundancy from.

      You're underestimating the scale of the problem in underfunded understaffed Federal State and Local government IT, and its municipal and private sector vendors

      • by jythie ( 914043 )
        I'm thinking back to a couple cases I was around for where there was a great policy in place, and the tech was set up, but there was never any time to actually run through a disaster to make sure everything would actually work as hoped... until there was a problem and we discovered critical things were not covered or backups did not actually work as intended. I can even recall a case of going to check the backups and discovering they had not actually worked in years, but since no one ever pulled a tape an
    • Comment removed based on user account deletion
    • when there's a perfectly good peon sitting right there?
    • by dissy ( 172727 )

      What would they have done if their IT facility had burned to the ground?

      Probably fired the embers.

    • This.

      IT has to believe that disaster is one minute away, and be prepared to pull the net out of the ditch.

    • by jimbo ( 1370 )

      You’re in luck, it was the IT manager they fired.

    • by AmiMoJo ( 196126 )

      Maybe he wanted to have a disaster recovery plan in place, but didn't have the budget.

    • by Luthair ( 847766 )
      Were they given the resources for it? If the staff is already 100% occupied on support tickets...
  • by SirAstral ( 1349985 ) on Monday July 01, 2019 @08:41PM (#58858672)

    Whether or not this IT guy is a moron or not.

    there is zero fucking doubt that there is MORE fault with management. The same fucking guys that always first prevent you from doing your damn job and then bitch at you for not getting your job done. There is no end to the amount of do this project under budget, under staffed, and yester-fucking-day! Your tickets are taking too long, you are working too few tickets.

    And my personal fucking favorite. Asking you to build a system that is as resilient, speedy, and functional as something built for a cloud platform like AWS or Azure where they have spent millions of dollars and development time while you get next to nothing and a bunch of middle manager know-nothing hacks telling you to draw 3 blue lines with red fucking ink and they are all required to be perpendicular to each other.

    IT is a picture perfect example of how fucking dumb, stupid, idiotic, and counter productive human fucking beings are! And just how much of a clue management never had or will ever have! Every project has a moron, every product has a premium no one wants to pay for... and even if that $50,000 Storage array brings in $1,000,000 in revenue it's nothing but an expense, and never an investment, that needs to be removed from the budget.

    I see this shit all damn day long... management that makes unreasonable demands on their staff, refuses to provide them proper resources, and then fires their ass when something goes wrong when they are more at fault than any other fucker walking the halls!

    • As I post elsewhere in this story - what makes you think that the fired employee *isn't* management? They could easily be a team-lead or department head whose responsibility was to enact the proper safeguards and failed.

      People are assuming that the fired employee was a lowly bod who was chosen as a scapegoat without any evidence to support that theory.

      • by MeNeXT ( 200840 )

        What good is a fire drill that is never tested? Having something in your head does not a plan make. If management is any good this issue should have been addressed at the minimum twice a year in meetings and at least once a year in practice. A report generated as to the efficiency of the recovery.

        I sometimes feel from comments on this site that I live in a different world. In an environment as large as a city or small town every department would need to be involved in the drill in order to ensure that emer

    • Not necessarily.

      What if this IT guy is the one responsible for backup?

      What would you say then?

    • The motive I'm getting ready to describe must be understood if one hopes to predict the behavior of individual people within an organization, and how these behaviors will be expressed through the larger entity.

      Management is always selling a System. This System is comprised of org charts, mission statements, SOPs for critical activities, EHS, HR, etc, and can be generalized as the sum of all systems, goals and technology of the organization. The goal of management is to have the System appear infallible.
      • I'm replying to myself but...I wanted to add the following. People in upper tier positions are there, at least in part, due to their heightened abilities in self-promotion and preservation. This is partly due to Power Talk and other Gervais Principles

        https://www.ribbonfarm.com/200... [ribbonfarm.com]
    • So many comments defending the IT staff. That's the bullshit.

      If management would not allow them to properly do their job, either they could not effectively explain why it was needed or they should have left.
  • Punishment of the innocent.
    Promotion of the non-participants.

  • by Grand Facade ( 35180 ) on Monday July 01, 2019 @08:51PM (#58858716)

    The same person that opened the trojan file?

    It's not clear if the IT worker opened the file or someone with the password of A1A1A1A1.

  • Windows again. (Score:5, Informative)

    by Tough Love ( 215404 ) on Monday July 01, 2019 @08:56PM (#58858736)

    Windows again. Just fire the employee who paid Microsoft this year.

    • Comment removed based on user account deletion
      • Windows gets its fair share of shit.

        No, it needs more. In the form of mass firings plus lawsuits. First one should be you.

      • > But this disaster was entirely avoidable within an MS network

        Since those particular ransomware tools only propagate on MS based hosts, it's entirely avoidable by using MacOS laptops, Thunderbird for email clients, and Samba for AD servers. The environment would still be vulnerable to Windows based hosts anywhere in the system with fileshare access, especially default enabled fileshare access. But I've seen just such concerns used, for decades now, to justify the greater initial investment.

        I'm still rem

  • by rjr162 ( 69736 ) on Monday July 01, 2019 @08:59PM (#58858748)

    https://www.amazon.com/Beyond-Blame-Learning-Failure-Success/dp/1491906413

    Not an exact fit BUT my first thought was any request for funding for something that would have prevented this was met with a "no, it costs too much" or a "no we don't need it".

    Where were the backups? Where was the scanning of emails and/or links? Where was the scanning of files on the systems? This was a failure that started at the top and to suggest otherwise is completely foolish.

    • Where was the firing of the person who allowed Microsoft Windows on the network?

      • Comment removed based on user account deletion
        • This bug had been patched by MSFt many months ago...sorry to kick your little Linux flag into the dirt but if you never patch your systems? Then I'm sorry the OS isn't gonna matter, its still gonna get pwned...or did you forget about that Linux gets hacked too? [gbhackers.com]

          Oh, snap! Or would that be...

          # sudo snap

  • Responsible for upgrading "Florida Wo/man" stories to "Florida City" stories since 2019.

  • And by that I mean make him do his work from a literal sandbox with no wifi until he learns to not open random executables
    • And by that I mean make him do his work from a literal sandbox with no wifi until he learns to not open random executables

      If he's a manager, tell him he's working in Silicon Valley.

  • You have now fired the company scapegoat.

    This former employee is now:

    1) Pissed off
    2) Unemployed
    3) Sans paycheck
    4) Full of insider knowledge about the network they helped maintain

    This person is now ripe for recruitment by the next group of folks who will seek to replay this scenario since the victims in question seem to have no issues with paying ransom demands.

    If you want to go full tin foil hat, consider this person ( or another ) may have clicked that email link on purpose after being recruited by an

  • by ceoyoyo ( 59147 ) on Monday July 01, 2019 @11:48PM (#58859346)

    This ransomware thing is starting to sound pretty profitable.

    • The city council who voted to pay the ransom should be prosecuted for sending money to a criminal organization, which could possibly have terrorism connections.

      In most countries paying a ransom is illegal for a good reason. For the person paying the ransom, the cost of the ransom will be minor compared to the consequences of not paying. However, by rewarding the criminals you're encouraging further ransom demands in the form of extortion, kidnappings or ransomware. It is unlikely that the criminals would re

  • How do crypto currencies actually benefit society?

    As far as I can see they simply don't.

    We have a bunch of hackers, criminals and drug dealers exploiting out of it.
    We have a bunch of people mining crypto currencies, chewing up power and electricity generated which is fairly immoral in a world dealing with a climate crisis.
    We have trading companies and exchanges profiting from people essentially gambling their savings on it.

    The whole reason for Bitcoin is to enable anonymous electronic transactions, if a tra

    • Can anyone give a single practical use of Bitcoin which doesn't involve criminal activity and can't be provided by services such as Visa or Paypal?

      After the diplomatic cables leak, [wikipedia.org] the US government tried to block funds to Wikileaks by pressuring Visa/Mastercard/Paypal to cancel their account. Publishing the leaked documents was not illegal, the government was trying to suppress speech. Now bitcoin allows anyone to donate to Wikileaks, and bitcoin donations allow Wikileaks to keep their servers up.

  • "So, Mr Smith, tell us about your last position."

    "Well, I oversaw a large, city-wide project that involved the testing of our backup and recovery services..."
