
Red Beans and Ransomware: Louisiana Government Targeted by Cyberattack

Nov 25, 2019, 18:30 PM by Alex Simons

Have you ever been to New Orleans?

It’s probably the greatest city on the planet.

I like the open container laws – nothing beats partying in the street.

New Orleans is also governed by the State Office of Louisiana – the latest victim of an organized ransomware attack. According to a statement from Governor Jon Bel Edwards, “some, but not all state servers” were shut down by the breach - including the Department of Motor Vehicles, Department of Health, Wildlife and Fisheries, and the Secretary of State Office [1].

The FBI has launched an investigation into the root of the attack. Governor Edwards has also declared a state of emergency as the interrupted systems slowly come back online.

Cybersecurity experts believe that the hackers infiltrated Louisiana’s network through a strain of ransomware called RYUK – the same virus that penetrated Georgia’s court system and extorted two cities in Florida for over $1 million [2].

The compromised systems in Louisiana serve as a stark reminder over the importance of a reliable ransomware response policy. Let’s take a moment to analyze the RYUK attack process, proper IT resiliency safeguards, and the evolving cybersecurity landscape.

Down Goes the DMV: Introducing RYUK

What could possibly decrease production at 79 DMVs in Louisiana?

The answer to that question is RYUK – a Crypto-Locker variant that encrypts data at the system-level and typically demands $288,000 per attack [3]. The virus was authored by a Russian cybergang named “WIZARD SPIDER” and often targets larger global enterprises and government agencies.

The organized, multi-stage nature of the RYUK attack process means no single control will stop it. But the easiest first step to secure your IT environment is to ensure that all systems connected to the corporate network are up-to-date with the latest software patches and anti-virus software. This level of defense helps suppress the introduction of malware into the operating system.

However, these preventative measures are largely contingent on the anti-virus software identifying the RYUK code. The Russian hackers were able to bypass the Louisiana Government's firewall by altering the code of an existing strain of ransomware called "HERMES".

The UK’s National Cyber Security Centre (NCSC) recently released a detailed security advisory about the RYUK threat back in September. The report lists a wide variety of ransomware defense mechanisms and highlights “keeping safe backups” and “reviewing and refreshing your incident management processes” [3].

The consistent replication of data backups off-site is the foundation to any credible ransomware response strategy. But a ransomware-resilient solution should also include air-gapped storage and customizable point-in-time failover capabilities. 

The Evolving Cybersecurity Landscape

Global ransomware outbreaks are growing in both quantity and level of sophistication. The Big 3 from the past couple years include WannaCry, NotPetya, and Spectre/Meltdown.

Ransomware is still the greatest cyber threat facing corporate downtime and business continuity. This position is supported by a recent Statista survey of 1,600 InfoSec professionals citing the top challenges facing network security [4]:

Why is ransomware still so prevalent?

One reason is that the attacks have proven to be economically effective. Cybersecurity Ventures predicts that ransomware damages reached roughly $11.5 billion in 2019 [5].

Another component is the ease of availability and accessibility to malware. There are a variety of black market websites where entry-level hackers can purchase pre-built kits of ransomware and immediately execute an attack.

Keeping pace with this constantly evolving cybersecurity threat landscape is becoming an increasingly more difficult undertaking. A cloud-native Disaster Recovery-as-a-Service (DRaaS) solution can simplify many of these cybersecurity procedures by replicating critical business workloads to an air-gapped storage repository specializing in ransomware defense.

Block RYUK with DRaaS

Disaster recovery planning and ransomware response management is an intricate process which involves technology, processes, and personnel. A managed DRaaS deployment model is designed to simplify these procedures through pre-existing hybrid-cloud infrastructure, customizable solution architecture, and live technical support.

A comprehensive end-to-end DRaaS solution will also have the ability to replicate both production data and active virtual machines (VMs) to an off-site facility purpose-built for disaster recovery orchestration. The cloud environment should leverage dedicated policies to validate backups and prevent the "malware-in-your-backup" attack-loop.

The DRaaS model can achieve this objective through the 3-2-1 Backup Rule. This policy demands three copies of data, stored on two different types of media, one of which is air-gapped and off-site. DRaaS implementations will also deploy the appropriate product strategy and required level of staffing to deliver these capabilities as a turnkey service. The following functionality will also ensure the uptime and availability of your data in the event of a ransomware attack:

  • Unlimited File Versioning: Roll back to a point prior to the ransomware attack with customizable retention policies and point-in-time restore capabilities.
  • Full or Partial Failover: Different strains of ransomware will corrupt different datasets. Be prepared to restore data at both the file and system level.
  • Array Agnostic: Ransomware can corrupt any environment, so the DRaaS solution needs to be able to replicate any environment.
  • Expert Assistance: Developing a comprehensive disaster recovery strategy requires expertise, time, and IT resources (CAPEX and OPEX). Look for a provider who can simplify this process.
  • Customizable Solution Design: Segment your disaster recovery strategy based on the availability needs of each application for the most efficient solution.
  • Encryption: Secure backup repositories with the highest levels of encryption in-flight and at-rest to protect off-site infrastructure.
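The 3-2-1 rule, backup validation, and "roll back to a point prior to the attack" are easy to state and easy to get wrong in practice. The following added example (not KeepItSafe or Veeam code; the catalog fields and the sample entries are constructed for illustration) shows how a backup catalog can be checked against the 3-2-1 rule, how a restore point is chosen so that it predates the attack by a safety margin (ransomware often runs for a while before anyone notices), and how a restored payload is checked against the hash recorded at backup time so an encrypted or tampered copy is not silently restored.

```python
"""3-2-1 compliance, clean restore-point selection and integrity check.

Added example, not vendor code. BackupCopy fields and the CATALOG
entries below are constructed sample data, not a real product schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class BackupCopy:
    name: str             # constructed workload name
    taken_at: datetime    # when the restore point was created
    media: str            # "disk", "tape" or "object-storage"
    location: str         # "onsite" or "offsite"
    air_gapped: bool      # not reachable from the production network
    sha256: str           # content hash recorded when the backup was written
    verified_clean: bool  # result of the validation/scan job on this copy


def check_3_2_1(copies):
    """Return (ok, reasons): at least 3 copies, on at least 2 media types,
    with at least 1 copy that is both off-site and air-gapped."""
    reasons = []
    if len(copies) < 3:
        reasons.append(f"only {len(copies)} copies (need 3)")
    media = {c.media for c in copies}
    if len(media) < 2:
        reasons.append(f"only {len(media)} media type(s) (need 2)")
    if not any(c.location == "offsite" and c.air_gapped for c in copies):
        reasons.append("no air-gapped off-site copy")
    return (not reasons, reasons)


def select_restore_point(copies, detected_at, margin=timedelta(hours=24)):
    """Newest verified-clean copy taken at or before detection minus a margin.
    The margin accounts for dwell time: encryption usually starts before
    anyone notices. Returns None if no acceptable copy exists."""
    cutoff = detected_at - margin
    candidates = [c for c in copies if c.verified_clean and c.taken_at <= cutoff]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.taken_at)


def verify_integrity(copy, payload: bytes) -> bool:
    """Recompute the hash of a restored payload and compare with the record."""
    return hashlib.sha256(payload).hexdigest() == copy.sha256


# Constructed sample payload and catalog (a detection time of 2019-11-18 06:00
# is an arbitrary constructed value, not taken from the incident reporting).
SAMPLE_PAYLOAD = b"constructed backup payload: dmv-app01 config + data"
SAMPLE_HASH = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()
DETECTED_AT = datetime(2019, 11, 18, 6, 0)

CATALOG = [
    # Nightly on-site disk copy taken after encryption began: scan flagged it.
    BackupCopy("dmv-app01", datetime(2019, 11, 17, 22, 0), "disk", "onsite",
               False, "deadbeef" * 8, False),
    # Off-site, air-gapped object-storage copy from the previous night: clean.
    BackupCopy("dmv-app01", datetime(2019, 11, 16, 22, 0), "object-storage",
               "offsite", True, SAMPLE_HASH, True),
    # Earlier on-site disk copy: clean but older than the off-site one.
    BackupCopy("dmv-app01", datetime(2019, 11, 16, 20, 0), "disk", "onsite",
               False, SAMPLE_HASH, True),
    # Weekly tape taken off-site: clean, oldest.
    BackupCopy("dmv-app01", datetime(2019, 11, 10, 2, 0), "tape", "offsite",
               True, SAMPLE_HASH, True),
]

# A catalog that only keeps on-site disk copies: fails 3-2-1.
ONSITE_ONLY = [c for c in CATALOG if c.location == "onsite"]


def plan_recovery(copies, detected_at):
    """Summarise the checks a recovery run would perform before restoring."""
    ok, reasons = check_3_2_1(copies)
    point = select_restore_point(copies, detected_at)
    return {
        "three_two_one_ok": ok,
        "reasons": reasons,
        "restore_point": None if point is None else point.taken_at,
        "restore_media": None if point is None else point.media,
    }


if __name__ == "__main__":
    print(plan_recovery(CATALOG, DETECTED_AT))
    print(plan_recovery(ONSITE_ONLY, DETECTED_AT))
    print("integrity:", verify_integrity(CATALOG[1], SAMPLE_PAYLOAD))
```

The safety margin is the important design choice: the newest copy is not automatically the right one, because the copy written while RYUK was already encrypting files is exactly the one the "malware-in-your-backup" loop would restore. Retention has to be long enough that a clean copy still exists once that margin is subtracted.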

DRaaS is an ideal use case for cloud data protection and ransomware protection. The right solution will combat your favorite Nigerian Prince by automating IT resiliency.

Veeam and KeepItSafe: Unstoppable Ransomware Defense

KeepItSafe provides managed cloud backup, disaster recovery, and ransomware protection with Veeam Cloud Connect and Replication. Our customizable suite of data protection services features ransomware response policies and 24/7 live support to ensure comprehensive data availability.

If you’re interested in learning more about our Veeam-Powered solutions, we invite you to download Data Protection, Disaster Recovery, and Ransomware Protection with DRaaS or schedule a consultation with a KeepItSafe recovery professional.
