Libraries across the US city of St Louis have been hit by a serious ransomware attack, with cyber criminals disabling the systems of 17 libraries and demanding a ransom to restore them. While the libraries were able to restore their systems from a backup, the attack meant that no one was able to borrow books or use the computers across the weekend. St Louis Public Library is now working with the FBI in order to establish how the criminals broke into the systems and to correct any existing problems. IT security experts from Varonis, Tripwire, DomainTools and ESET commented below.

David Gibson, VP at Varonis:

David_Gibson_Varonis“In this instance it would appear that St Louis libraries were able to regain access to the affected servers fairly quickly, and for that it should be commended. However, the fact that services were taken completely offline suggests that there were security failings that can’t be ignored.

“The dramatic uptick in ransomware incidents is a worrying trend and, while seen as an inconvenience, many fail to categorise attacks as a serious security incident. Ransomware takes advantage of the same lax detective controls and over-subscribed access as other serious threats, like an insider attack or external data breach. A ransomware incident should be viewed as the canary-in-the-coal mine incident that makes an organisation stop and reflect upon its detective and access controls so they can prevent other attacks that aren’t so forthcoming.

“Regardless of whether an organisation pays the ransom, there can still be legal and regulatory implications in having this malware invade file systems. While many EU citizens aren’t likely to hold a St. Louis library card, the GDPR implications in a ransomware attack should be considered for those who do hold EU citizen data. At its most primitive level, if an organisation has its data encrypted by ransomware, that could mean a breach of the GDPR. The regulation clarifies a data breach as the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Whether notification is necessary rests on the regulation’s ‘harm threshold’ and this is open to ambiguity at present, so we’ll have to wait for clarification from the EU regulators prior to its implementation. In the meantime, UK organisation’s who have personal data encrypted by ransomware could still come under investigation by the UK’s Information Commissioner’s Office for a breach of the Data Protection Act, for failing to take appropriate measures to keep it secure.

“Ransomware is a menace, but that doesn’t mean it can’t be stopped. A sophisticated user behaviour monitoring solution can easily detect ransomware as a deviation from the user’s normal behaviour and render it effectively impotent by limiting the number of files that are encrypted.”

Tim Erlin, Senior Director, Product Management at Tripwire:

tim_erlin“The public library system isn’t known for being flush with cash, so it’s unlikely that this was a targeted attack. The attackers clearly wanted to hold data hostage, but they probably didn’t expect most of that data to be in physical books on the shelves.

The ability to restore from backups allowed the St. Louis library system to avoid paying the ransom. Ransomware continues to be a threat because it gets the job done. The more criminals get paid, the more they’ll employ this tactic.”

Kyle Wilhoit, Senior Security Researcher at DomainTools:

kyle-wilhoit“Being a local St. Louis resident, this directly impacts me and is a continually growing problem in “small town America.” Unfortunately, ransomware actors rarely, if ever, differentiate between victims. I’ve seen nefarious ransomware authors infect grandmothers in their 70’s all the way to non-profits during cancer research. Too often, organizations will pay the ransom amount to get their files back. While it’s certainly understandable why someone would pay to get their files back, paying the ransom to the malware authors only continues to feed into their nefarious behaviors. I’m happy to read that the St. Louis Public Library didn’t pay up. Let this be a lesson to organizations in the future – back up ALL of your data and continue to groom relationships with skilled incident responders and threat intelligence professionals!”

Mark James, IT Security Specialist at ESET:

mark-james“Ransomware can be a truly devastating piece of malware to hit your business. It has no morals, it neither cares if you provide a product, service or just information. What it does do is cause mayhem, worry and concern.

Usually the only fail proof way of getting your data back is through backup and disaster recovery, but it’s not just whether you pay up or not it’s the inconvenience your users suffer as a result. Restoring data can take hours if not days depending on the systems and the actual malware has to be completely eradicated from your network or it’s just going to start all over again.

But the positive here is they have a backup to work with, so many don’t, it’s the easiest and can be the simplest way to protect against a ransomware infection.

Take good regular backups, ensure your operating systems and applications are updated and ensure you have a good multi-layered regularly updating internet security product, and lastly where possible do not reward or pay the criminals for what they do!”