City of Knoxville Shuts Down Network After Ransomware Attack

An anonymous reader quotes a report from Bleeping Computer: The City of Knoxville, Tennessee, was forced to shut down its entire computer network following a ransomware attack that took place overnight and targeted the city's offices. Knoxville has a population of over 180,000, it's Tennessee's third-largest city after Nashville and Memphis, and it's also part of the Knoxville Metropolitan Statistical Area, with a reported population of almost 870,000 in 2015. Computers on Knoxville's network were encrypted overnight, with the attack being noticed by employees of the city's fire department around 4:30 AM, June 11, according to Chief Operations Officer David Brace.

While the City of Knoxville official website was still down at the time this article was published, Knox County government computer operations have not been affected in the attack. [...] "No credit card information is stored by the City, so individuals who have made any online reservations of City facilities are not believed to be at risk," Knoxville spokesman Eric Vreeland told WBIR. The city reported the ransomware attack o the Federal Bureau of Investigation (FBI) and is currently working with the Tennessee Bureau of Investigation as part of an ongoing incident investigation. At the moment, the ransomware group responsible for this attack is still unknown.

And now

[Anonymous Coward]

It's the city of Hard Knoxville.

Stop Paying!

[Firethorn]

This is simple enough, we need to stop paying these people. It's like kidnapping for ransom. Yes, it'll cause more harm for any given incident, but if the ransomware people never get paid for doing it, then they'll stop, and we'll all be better off on average.

Windows

[stooo]

Probably Windows. Not a good thing.
But worse than using Windows is to have no good backup.

Re:

[Bert64]

That's easy to say, but harder to do when you're the one that lost data.

It's the same with protecting the environment, everyone else should do it, but not me because its inconvenient.

Re:Stop Paying!

[Excelcia]

Yes, it's easy to say, but in this case it's not hard to do at all. It's trivially easy to protect yourself 100% from ransomware. And I don't mean by closing all malware attack vectors - any IT manager can be forgiven for missing a vulnerability somewhere. No IT manager can be forgiven for having such poor backup strategies that ransomware can be effective. I feel badly when someone is robbed, but I don't feel bad when someone who leaves the keys in the car gets it stolen. I have no pity for people who get hit with ransomware because it is so easy to protect yourself against with proper backup procedures. Any corporate or government IT manger that doesn't have at least weekly backups ought to be fired. Better yet a nightly differential backup and a weekly image. Get hit by ransomware, restore from before the attack and move on. Any time I hear of a ransomware attack, I cringe - that IT manager ought to be publicly shamed first (so the whole country knows never to hire him again) and fired.

Re:Stop Paying!

[Syberz]

I wouldn't put all of the onus on the IT manager, often times their hands are tied due to budgeting and the inability for the powers that be to understand why it is a good idea to spend X dollars on proper backups.

Re:

[JfTbUwZbCa2T]

That's why it's important in any job, not just IT, to document potential issues and present them to management. Even when you know they're going to shoot you down, you make the case anyway. When things go wrong you can say, "I warmed you. I suggested we take action to prevent this scenario from playing out and you denied my request. Please see attached email/memo/agenda for reference."

Re:

[CaptainDork]

I did all of this. I recommended best practices including proper backup schemes with backup devices disabled after backup, and enabled just prior to backup.

Backup drives left the building each night and we kept 30 days of rotation.

When new management showed up, they cut corners and changed all that. I objected via email and demanded responses that I could archive to cover my ass.

It worked. Weeks after I retired, the firm was hit by ransomware, and all hell broke loose.

I got hold of the gut who replaced me

Re:

[FatAlb3rt]

Backup is for recovery, not protection.

Re:

[Solandri]

A friend of mine (accountant for her family company, annual revenue ~$5 million) got hit by ransomware. As the accountant, she regularly gets spreadsheet reports from each of her sales staff emailed to her. The ransomware happened to disguise itself as an email from one of her sales staff, titled "here's the spreadsheet you requested." So of course she opened it.

As soon as she realized it was ransomware, she went into a panic. She yanked the network cable out of the wall (destroying the cable), and y

No lost data.

[stooo]

For lost data, there are what's technically called a "backup". No lost data.

Re:

[FatAlb3rt]

Just like spam, stop replying or clicking and it will stop. /s

Re:

[xlsior]

There are a number of those "don't pay ransom, we can help you!" consulting companies that claim to be able to recover your files for you, but all they typically do is turn around and negotiate a lower ransom payment with the hijackers while pocketing some of the payment for their trouble. So even if companies think they aren't paying the ransom, they often do anyway.

National Defense Assets

[pefisher]

It seems like this is the kind of case that would justify bringing some national defense assets to bear.

Bears.

[stooo]

Wot ?
Let those bears alone, they don't want to deal with those crazy humans any more.

Re:

[CaptainDork]

And do what? The fucking NSA, FBI, CIA, have their own ransomware problems.

A swat team is useless in this situation.

Re: PCMatic

[rtosman]

Carbonite LoL!

In Australia and elsewhere- months ago..

[Canberra1]

Many slashdot articles like this over the last month. Somebody caught with their pants down. Ransomware took out many civic places, councils and transport/parcel delivery services. Suffice to say the next victim to cy wolf or use the phrase 'Sophisticated attack' has had between 3 weks and 3 months prior notice. Worse the current mob are publishing what they like, and finding new customers all the time. The law of the jungle. It is a given that they have backups and effective restore processes - but as patching appears to be late or absent, it is the same level of negligence as leaving the council doors unlocked. It is done to a budget, not to a level of competency. I guess this will go on forever, until toy operating systems build in poison pills, and terminate tasks that touch an immutable file. Even the AV products won't do this because MS won't tell them about changes within changes. For example on ZOS, only the backup task has unlimited read access, with constraints, including what time it runs. the output directory has an immutable write flag and expiry date. A thing call 'exits' mean poison pills catch trespassers, such as company people downloading to a USB stick. One assumes these councilors will loose their performance bonuses - no ifs, no buts. Some lame excuse that they outsourced it to a respectable company with service levels so low... It would be nice if their press release said 'We were unlucky - we failed to lock the doors, did not realise computer security was serious'.

Scary

[scilover]

I read the article and they said they couldn’t detect the intrusion until it was too late! Even though the city’s website and network were taken down, thankfully the 911 hotlines weren’t taken down. I wonder how the hackers manage to do the ransomware attack?

Easy fix

[JfTbUwZbCa2T]

Restore from backup. Certainly a state's third largest city has an IT department with enough wherewithal to have nightly backups.

How?

[John-after-logtime]

Whats wrong with a service design that allows a single user's mistake to destroy a whole corporation?