Malicious program downloaded to state computer at center of Monday's ransomware attack
BATON ROUGE - State officials are hoping to be rid of an attempted cyberattack targeting Louisiana by Monday. Department heads told WBRZ the attack was likely instigated by an illicit file downloaded to a state-owned computer.
A spear phishing email sent by a hacker on Sunday was identified as the RYUK ransomware, a system built by e-crime groups that usually demand money during the attack. Officials say no ransom was demanded in this case and they did not respond to the email.
According to Cybersecurity Commissioner Jeff Moulton, the ransomware attack stemmed from an unapproved software download containing a virus. Moulton called the incident a case of "user error."
The software affected roughly 600 computers, and about 130 servers need to be rebuilt. That's less than 10 percent of the state's servers, Moulton said, although bosses at the Division of Administration later raised the estimate of affected computers to as many as 1,600 across 132 servers.
The state owns roughly 35,000 computers and 5,000 servers.
Investigators told WBRZ they believe a spear phishing email arrived in an inbox Sunday and the corrupt file was downloaded.
"Ransomware has very distinct properties," Louisiana Chief Information Security Officer Dustin Glover said. "It has to have a ransom. For whatever reason the notes have stopped including the amount and you have to contact the attacker to gain that amount."
Work to fully restore impacted systems is expected to be complete Monday. No personal data was compromised.
"In this particular instance, as with most ransomware, the goal of the attacker is to lock you out of your data to get some money," Glover said. "It's monetary based. In our enterprise, getting data out is a difficult task; with this scenario there was no opportunity for data exfiltration."
The Office of Motor Vehicles, which was closed Tuesday and was crippled Monday by the hack, said it was about 50% done clearing the virus.
"Those individual work stations were very hard hit with the workers in those offices," Deputy Chief Information Officer Neal Underwood said. "We have to go out around the state and touch each one of those work stations to take all the infected software off and put the new software on before we can open the office back up."
The governor's office said no data is believed to have been lost in the attack and the state did not pay the "ransom." The outages to state services yesterday were said to be largely an effect of officials trying to prevent the malware from spreading.
Many online services were restored as of Tuesday morning, but it was announced the Office of Motor Vehicles would remain closed throughout the day. Online government services are expected to be fully restored Wednesday.