Libraries across the US city of St Louis have been hit by a serious ransomware attack, with cyber criminals disabling the systems of 17 libraries and demanding a ransom to restore them. While the libraries were able to restore their systems from a backup, the attack meant that no one was able to borrow books or use the computers across the weekend. St Louis Public Library is now working with the FBI in order to establish how the criminals broke into the systems and to correct any existing problems. IT security experts from Varonis, Tripwire, DomainTools and ESET commented below.
David Gibson, VP at Varonis:
“The dramatic uptick in ransomware incidents is a worrying trend and, while seen as an inconvenience, many fail to categorise attacks as a serious security incident. Ransomware takes advantage of the same lax detective controls and over-subscribed access as other serious threats, like an insider attack or external data breach. A ransomware incident should be viewed as the canary-in-the-coal mine incident that makes an organisation stop and reflect upon its detective and access controls so they can prevent other attacks that aren’t so forthcoming.
“Regardless of whether an organisation pays the ransom, there can still be legal and regulatory implications in having this malware invade file systems. While many EU citizens aren’t likely to hold a St. Louis library card, the GDPR implications in a ransomware attack should be considered for those who do hold EU citizen data. At its most primitive level, if an organisation has its data encrypted by ransomware, that could mean a breach of the GDPR. The regulation clarifies a data breach as the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Whether notification is necessary rests on the regulation’s ‘harm threshold’ and this is open to ambiguity at present, so we’ll have to wait for clarification from the EU regulators prior to its implementation. In the meantime, UK organisation’s who have personal data encrypted by ransomware could still come under investigation by the UK’s Information Commissioner’s Office for a breach of the Data Protection Act, for failing to take appropriate measures to keep it secure.
“Ransomware is a menace, but that doesn’t mean it can’t be stopped. A sophisticated user behaviour monitoring solution can easily detect ransomware as a deviation from the user’s normal behaviour and render it effectively impotent by limiting the number of files that are encrypted.”
Tim Erlin, Senior Director, Product Management at Tripwire:
The ability to restore from backups allowed the St. Louis library system to avoid paying the ransom. Ransomware continues to be a threat because it gets the job done. The more criminals get paid, the more they’ll employ this tactic.”
Kyle Wilhoit, Senior Security Researcher at DomainTools:
Mark James, IT Security Specialist at ESET:
Usually the only fail proof way of getting your data back is through backup and disaster recovery, but it’s not just whether you pay up or not it’s the inconvenience your users suffer as a result. Restoring data can take hours if not days depending on the systems and the actual malware has to be completely eradicated from your network or it’s just going to start all over again.
But the positive here is they have a backup to work with, so many don’t, it’s the easiest and can be the simplest way to protect against a ransomware infection.
Take good regular backups, ensure your operating systems and applications are updated and ensure you have a good multi-layered regularly updating internet security product, and lastly where possible do not reward or pay the criminals for what they do!”
The opinions expressed in this article belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.