Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy Security United States

Missouri County Declares State of Emergency Amid Suspected Ransomware Attack (arstechnica.com) 41

An anonymous reader quotes a report from Ars Technica: Jackson County, Missouri, has declared a state of emergency and closed key offices indefinitely as it responds to what officials believe is a ransomware attack that has made some of its IT systems inoperable. "Jackson County has identified significant disruptions within its IT systems, potentially attributable to a ransomware attack," officials wrote Tuesday. "Early indications suggest operational inconsistencies across its digital infrastructure and certain systems have been rendered inoperative while others continue to function as normal."

The systems confirmed inoperable include tax and online property payments, issuance of marriage licenses, and inmate searches. In response, the Assessment, Collection and Recorder of Deeds offices at all county locations are closed until further notice. The closure occurred the same day that the county was holding a special election to vote on a proposed sales tax to fund a stadium for MLB's Kansas City Royals and the NFL's Kansas City Chiefs. Neither the Jackson County Board of Elections nor the Kansas City Board of Elections have been affected by the attack; both remain open.

The Jackson County website says there are 654,000 residents in the 607-square-mile county, which includes most of Kansas City, the biggest city in Missouri. The response to the attack and the investigation into it have just begun, but so far, officials said they had no evidence that data had been compromised. Jackson County Executive Frank White, Jr. has issued (PDF) an executive order declaring a state of emergency. The County has notified law enforcement and retained IT security contractors to help investigate and remediate the attack.
"The potential significant budgetary impact of this incident may require appropriations from the County's emergency fund and, if these funds are found to be insufficient, the enactment of additional budgetary adjustments or cuts," White wrote. "It is directed that all county staff are to take whatever steps are necessary to protect resident data, county assets, and continue essential services, thereby mitigating the impact of this potential ransomware attack."
This discussion has been archived. No new comments can be posted.

Missouri County Declares State of Emergency Amid Suspected Ransomware Attack

Comments Filter:
  • Seriously, WTF? Looks like half-assing IT Security is getting less and less sustainable.

    • by bleedingobvious ( 6265230 ) on Wednesday April 03, 2024 @08:22AM (#64366308)

      Looks like half-funding IT Security is getting less and less sustainable.

      There we go. All fixed now. Spending your life fighting tooth and nail to fund even basic defenses against a $2 trillion+ market comprised of dedicated threat actors spanning the globe and hitting you 24 hours a day is maybe *not* the best approach to security.

      I *love* how every armchair super pro has a comment on this whilst also having zero understanding of what the realities are.

      The really funny bit is how funding is suddenly freed up during/post these incidents whilst all those farkwits in charge scurry to show how involved and concerned they are. It's a comedy of idiots.

      • by HBI ( 10338492 )

        Well, if there are $2 trillion in threat actors out there you have zero chance without the one thing that protects against ransomware attacks.

        Backups. The one thing every IT department in the world scrimps on. Because it's costly, time consuming and difficult with a mobile work force.

        • by tsstahl ( 812393 )

          Remember, you don't pay to do backups, you pay to do restores. But you are not wrong. :)

          ... Because it's costly, time consuming and difficult with a mobile work force.

      • Re: (Score:3, Interesting)

        by RobinH ( 124750 )
        We were hit with ransomware a few years ago. At the time it was just my boss and I doing IT part time for the company. We killed the network for a couple hours as soon as we noticed, found the one computer with ransomware on it, locked it in a box, scanned everything else just to be sure, and brought them back online. Then we searched out and found the couple hundred thousand server files that got encrypted, restored them from backups, and went on with life. It was a painful 2 days, but it wasn't a cata
        • by hey! ( 33014 )

          I've been out of IT for many years now, but one question I always have about these ransom scenarios is this: wouldn't advanced journaliing filesystems make recovery from an attack much easier, particularly filesystems where you can mount a shapshot? You could just start serving a past snapshot then make any updated files available as you clear them.

          Back in the day I had customers who had incompetent DBAs bork their databases with bad SQL DML and DDL. Where the customer was using Oracle it was pretty easy t

      • by gweihir ( 88907 )

        No need to fix anything. Half-assing IT Security obviously includes funding it inadequately, not hiring enough or unqualified people, changing plans all the time, buying specific products or services without asking the experts first, trying to do it without risk-analysis or sane requirements and all the usual project management and "leadership" mistakes.

        An "IT pro" would understand that.

    • Re: (Score:3, Interesting)

      by Rei ( 128717 )

      Seriously. All it takes to stop these types of attacks in their tracks is append-only storage. For example, a zfs fileserver with auto-snapshotting and ssh disabled. The attacker can modify files but the old content just remains in the snapshots until you delete them by accessing the server in person**.

      ** You *could* leave ssh open if remote access is critical to you, e.g. out of disk space in the middle of the night, but it does open a new point of weakness.

      It's frustrating to me that we don't just do th

      • Re: (Score:3, Interesting)

        by gweihir ( 88907 )

        Well, yes. And no. Because you also need software that can handle that type of storage and most cannot. (I am not defending that state of affairs, merely recognize it.)

        What you do instead is write-protected backups and regular restore tests. And what you also need to critically do is be prepared to identify and fix the attack vector. Otherwise you just get attacked again after restoring.

        • by Rei ( 128717 )

          Agreed that one party can't solve it - that it requires cooperation on both the software and hardware side (hence the reason why I referred to "the industry"). But it's eminently solvable, and yet we've done nothing, I see no signs of anything being done about it in the near future, and innocent people continue to suffer as a result.

          • by Rei ( 128717 )

            As for write-protected backups, it's the "write protected" that usually gets people when it comes to ransomware. They leave their backup system connected to the user system because it's far more convenient that way. And then we get back to my original post: if the writes aren't append-only, then your backup system is just as hosed as your user system.

            Even nominally offline backups are vulnerable while you're creating them and they're connected (sometimes even while you're trying to restore from them, if th

            • Our tiny-business solution: a separate backup micro-server (think NUC) that mounts data to be backed up (read-only) and makes snapshot backups to disks that no other system can access. In containers, it does other tasks as well (PiHole, etc).

              If any system is compromised, it cannot touch the backups. If the backup server is compromised, it cannot write to the live files. The backup disks are periodically swapped out, to provide a mostly-up-to-date offline copy.

              If a mom'n'pop business can do this, anyone

              • by gweihir ( 88907 )

                The simple solution is physically offline storage. Anybody can do these and the cost is small as long as you do not have more data than fits on typical USB storage. The harder solution is WORM storage. Still not that hard to do (sftp-in with low-priv SFTP server, mover daemon with high priv, 2FA with separate offline credentials, hardened installation, restricted reachability via firewall and _nothing_ else on that _physical_ server). But you have to do it and you have to resist doing it on the cheap. For e

            • by gweihir ( 88907 )

              Sorry, bit that is just nonsense. A proper WORM backup comes with a storage server that has a minimal attack surface. It is not that hard to do. Your append-only fetish helps you nothing when the kernel of that filesystem gets compromised.

              • by Rei ( 128717 )

                A proper WORM backup ... Your append-only fetish ...

                WORM is append-only.

                • by Rei ( 128717 )

                  And re "compromising the kernel of a fileserver", you're describing something that, while not impossible, is highly implausible in the described situation. In a typical attack, an attacker finds a weakness somewhere in your system (most often via social engineering) to get a foothold, and then piggybacks on stolen credentials to expand their reach in your network. A fileserver offering only e.g. NFS and no other services, with no SSH access, is not a likely target for compromise. They would have to find

                  • by gweihir ( 88907 )

                    See my other answer.

                    Incidentally, NFS does not have a good security record in r/w scenarios and that is in large parts an architectural problem and cannot be fixed. A read-only export via an unprivileged NFS server process that itself only has ro access is a bit better. sftp/ssh configured right (very limited for file dropping, 2FA and hardened for login) is far, far better.

                • by gweihir ( 88907 )

                  Nope. It is write once, no appending or other changes at all after the file handle is closed. Appending allows attacks.

                  • by Rei ( 128717 )

                    Nope. It is write once, no appending or other changes at all after the file handle is closed. Appending allows attacks.

                    Both of these statements are wrong.

                    You can keep appending to the end of WORM tape until the tape until it runs out. *The part you've written to* can't be overwritten, but you absolutely can append to the media. It's the very definition of append-only.

                    Appending does NOT allow attacks, by the very definition of appending, e.g. that the previous data continues to exist rather than being overw

          • by Rei ( 128717 )

            I think probably the easiest way to go about it would be to implement it as a multi-node motherboard, but with one node being minimal and only running an embedded ZFS server offering e.g. NFS services. Have a case header for the board to allow for a button to let you switch graphics & keyboard / mouse back and forth between the main OS and the file server. The file server GUI just offers a really basic, user-friendly OS setup and snapshot management system (but offering a shell for power users who want

      • I work in city government IT, and all of our file stores are ZFS with hourly snapshots (some stores do 15 minute). I have most databases backup twice a day to the NAS. Also "known good" images of servers and key machines are archived about once a month.
    • Seriously, WTF? Looks like half-assing IT Security is getting less and less sustainable.

      From the description, it's probably just a Microsoft update.

      • by gweihir ( 88907 )

        Hehehehe, you have a point. Their stuff has not gotten any more reliable (or secure), while the real-world requirements are getting higher and higher.

  • Its the easy way when its not your money.
    • and then send them an state income tax bill for that payment

      • by Revek ( 133289 )
        Oh no, they just pass that bill on to the taxpayers. Just like united healthcare is refusing to let me have what I would describe as a life changing medication. They want me to take a decades old one that made me very sick.
  • by fluffernutter ( 1411889 ) on Wednesday April 03, 2024 @08:31AM (#64366340)
    It sucks when these things happen and it's the public that has to pay for it, but we all watch everyone everywhere act as if the IT people are not important because they don't "make money" while we watch many others get raise after bonus after raise. We all know "Missouri Country" was probably spending the least on IT as they possibly could. So it's a "you reap what you sow" kind of situation.
    • by RobinH ( 124750 )
      How good could the IT people have been if they didn't make their #1 priority to have functioning daily backups?
      • How good could the IT people have been if they didn't make their #1 priority to have functioning daily backups?

        I like tossing people under busses as much as the next guy, but I haven't read anything about a lack of backups.

        In an incident like this, reconstruction is - apparently - complicated. From what I've heard, you can't just nuke & restore on your own hardware because law-enforcement and insurers want forensic access for investigation. You can't just immediately stand up some new VMs in AWS or Azure because if you do, you're restoring a config that you know has been compromised and is untrustworthy. Yo

        • by whitroth ( 9367 )

          You've got that right. I used to work for a federal agency (the NIH), and once, it got hit with malware. Our division, not so much - we had one machine compromised (the rest ran Linux). Shut the box down, removed and copy the hard drive, provide the original to security. Rebuild the box, and restore data from backups.

          Backups? Oh, yes, the ones I did monthly. Using hard drives in an eSATA drive bay. And then removed, and put into the fire safe. (Before I left, we had a *lot* of drives in that safe).

          I do the

        • This is slashdot. Stop being so god damned reasonable. You need to pull that trigger fast and hard if you want to fit in. Whatever you hit, you hit. Just keep shooting.

        • It's true that backups may not be good because you don't know when you were compromised. But I would like to know how many of these vulnerabilities are due to true zero days where there has been no time to patch or due to not having enough people to keep up with the patching and upgrading that is actually required? Also why has the staff not been educated properly on how to not open attachments that are suspicious. If this attack happened through an outside attacker through version N (or N-1 if the attac
  • Speak now, but to stop all Missouri dead in its tracks is the very definition of overkill in *any* dictionary

  • I hope it's not ransomware and it's just someone about to leak some info clarifying why over 10,000 dead people recently registered to vote in that state specifically this year.
  • The State of Missouri has been eager to courageously confront this problem, and discuss mutual strategies with its allies, the ransomware gangs. Florida is watching these events closely for tips on their own similar plans.
  • Working in City Government IT, it would be nice to know the lower level details of these attacks. I think we've done a good job mitigating the effects of such (in addition to layers of prevention, we have hourly snapshots of the NASs that replicate to "hot" standby servers in different geographic location, nightly "pull" backups that include 1-2 years of archives that are geographically dispersed, "golden" server images are archived every month or so, etc), but don't want to be quick to judge others in my p

"Our vision is to speed up time, eventually eliminating it." -- Alex Schure

Working...