Apparently it's the library's turn to pay a fine.
Libraries in St Louis have been brought to a standstill after computers in all the city's libraries were infected with ransomware, a particularly virulent form of malware used to extort money from victims.
Hackers are demanding $35,000 (£28,000) to restore the system after the cyberattack, which affected 700 computers across the Missouri city's 16 public libraries. The hackers demanded the money in the cryptocurrency bitcoin, but, as CNN reports, the authority has refused to pay for a key that would unlock the machines.
As a result, the library authority has said it will wipe its entire computer system and rebuild it from scratch, a solution that may take weeks.
Ransomware Attack Paralyses St Louis Libraries as Hackers Demand Bitcoins
(Score: 0) by Anonymous Coward on Wednesday January 25 2017, @10:57AM
... how do you manage to get ALL your systems (providing different services over various locations) infected? And... backups?
(Score: 0) by Anonymous Coward on Wednesday January 25 2017, @02:28PM
Contrary to the "private" sector, the government's failure means that it gets rewarded even more resources by decree.
(Score: 2) by hendrikboom on Wednesday January 25 2017, @02:41PM
The article doesn't say the backups are infected. I hope they have some.
Nor does it say what security hole was used to break into the system. The article does say what kinds of techniques are typically used for ransomware.
Whatever it was, I hope they fix it when they restore the systems.
(Score: 0) by Anonymous Coward on Wednesday January 25 2017, @03:09PM
What are you talking about? Their incompetence right there in the summary:
(Score: 2) by hendrikboom on Wednesday January 25 2017, @11:06PM
They have 700 computers. That alone might take weeks.
If they haven't backed up their entire membership base, it would be hopeless to restore it in merely a few weeks. Even so, I imagine there will be trouble knowing who has borrowed or returned specific books after the last backup.
(Score: 0) by Anonymous Coward on Wednesday January 25 2017, @04:59PM
The hole was probably some stupid patron looking at some shady website and got hit with malvertising. Once inside the network, it spread through with ease. At least the library I did some IT work for didn't have proper firewalls in place between public access computers and the rest of the system. Of course, not all libraries are like that and some I know are probably overparanoid, including having the public access computers on their own network running Windows in an immutable VM on Linux updated hourly.
(Score: 2) by Grishnakh on Wednesday January 25 2017, @06:12PM
You can't expect random people off the street to be savvy about not visiting sites with malvertising. You can't even expect experienced users to avoid that all the time. The way you avoid this is through proper IT practices: 1) install an ad-blocker (this means don't use IE), and better yet (and in addition of course) 2) run Linux. You don't need Windows to give people free web browsing. They don't need to run any kind of software except the web browser, and Linux does this just great.
(Score: 2) by butthurt on Wednesday January 25 2017, @10:45PM
Adobe has ironically named its DRM system "Adobe Access."
https://www.adobe.com/uk/products/adobe-access.html [adobe.com]
On Linux, support for it exists only in the "system" or "standalone" Flash player:
Flash Player is integrated with Google Chrome. Google Chrome's Pepper Flash Player plug-in doesn't support Adobe Access on Linux. Therefore, you can have issues viewing rich media content using Google Chrome latest version on Linux.
As a workaround, enable system Flash Player in Google Chrome.
-- https://helpx.adobe.com/flash-player/kb/enable-flash-player-google-chrome.html [adobe.com]
Adobe is discontinuing its Flash Player for Linux as a standalone download as of version 11.2, due later [in 2012], it announced [in February 2012]. After that point, new versions of the Flash Player browser plugin for Linux will only be available as part of Google Chrome.
Adobe will continue to provide security updates to the standalone Flash Player 11.2 on Linux for five years after its release, it said.
--
http://www.pcworld.com/article/250455/for_flash_on_linux_chrome_will_be_users_only_choice.html [pcworld.com]
That deadline, if Adobe kept to its plan, will soon arrive. If security researchers bother to continue finding bugs in the Flash software, Linux users who want to consume media with Adobe's DRM will only be able to do so by running software with known vulnerabilities.
(Score: 1) by anubi on Thursday January 26 2017, @08:39AM
I step on a lot of commercial websites too with these fringe special players, scripts, and the like... leaving me with the question of do I disable the blocker and take my chances, or click away from the site. Unless I am damned determined, the latter is my preferred choice.
As far as I am concerned, any businessman having this kind of stuff on his business site is the same kind of businessman who thinks having his advertising circulars soaked in cat urine before being placed in the customer mailbox is an acceptable business practice and will actually pay for said service.
Businessmen will pay for the damndest things these days.....
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 1) by butthurt on Thursday January 26 2017, @10:15AM
I'm not sure Flash, unfortunately, is yet what I'd call a "fringe" medium. Librarians may not want to tell patrons who wish to view it to get stuffed.
(Score: 2) by nobu_the_bard on Wednesday January 25 2017, @03:49PM
Newer ransomware attacks backups if it can. It will search for shares on the network, even if the active user doesn't have an active link to the shared files. It will attempt to interfere with Shadow Copy and other services, if it can, as well. I've seen it in real time - backups vanishing one after another as they were gobbled up (in that case, it was just the Windows copies affected - as it happened, the machine in question was virtual and had regular images taken, stored on a physically isolated server, so it turned out to not be a big deal).
I've also heard rumors of ones that sniff network traffic to try to deduce other things they can access, but haven't seen one of these myself yet.
You need the backups to not be directly accessible from any of the machines they relate to backing up during work hours, where possible, to be sure they aren't endangered. If you really had a well done network you could do this with just permissions settings perhaps, but you really need to be on top of things. One errant administrator session and you're wrecked.
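The commands nobu_the_bard describes (shadow-copy deletion, backup share enumeration) leave a trace in process-creation logs, and that trace is one of the more reliable early ransomware signals. The following Python is an added example written for this page, not code from the thread or from the library: the log lines are constructed, the pipe-separated field layout is an assumption, and the rule list covers the commonly abused Windows recovery commands but is not exhaustive.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample process-creation log (NOT from the St Louis incident).
# Assumed field layout: timestamp|host|user|parent_image|command_line
SAMPLE_LOG = """\
2017-01-19T09:12:03|LIB-WS-041|libstaff|explorer.exe|"C:\\Program Files\\Mozilla Firefox\\firefox.exe"
2017-01-19T09:14:11|LIB-WS-041|libstaff|WINWORD.EXE|cmd.exe /c vssadmin delete shadows /all /quiet
2017-01-19T09:14:12|LIB-WS-041|libstaff|cmd.exe|wmic shadowcopy delete
2017-01-19T09:14:13|LIB-WS-041|libstaff|cmd.exe|bcdedit /set {default} recoveryenabled No
2017-01-19T09:14:14|LIB-WS-041|libstaff|cmd.exe|wbadmin delete catalog -quiet
2017-01-19T09:15:40|LIB-WS-041|libstaff|explorer.exe|net use Z: \\\\LIB-FS-01\\backups /persistent:no
2017-01-19T10:02:00|LIB-FS-01|backupsvc|services.exe|vssadmin list shadows
"""

# Each rule: (name, base severity, pattern). The first four remove or disable the
# local recovery points that Windows backups rely on; legitimate interactive use
# on a workstation is rare. The last is only a hint, since mapping a share is normal.
RULES = [
    ("vssadmin shadow deletion", "high",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic shadow deletion", "high",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("recovery environment disabled", "high",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin catalog deletion", "high",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("backup share mapped from workstation", "low",
     re.compile(r"\bnet(?:\.exe)?\s+use\b.*backup", re.I)),
]

# A document or mail application spawning a shell is the classic attachment path;
# anything such a child does to the recovery machinery is escalated.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    severity: str
    command: str


def scan(log_text: str) -> List[Alert]:
    """Run every rule over every line; one Alert per (line, rule) match."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, cmd = line.split("|", 4)
        for name, severity, pattern in RULES:
            if pattern.search(cmd):
                if parent.lower() in OFFICE_PARENTS:
                    severity = "critical"
                alerts.append(Alert(ts, host, user, name, severity, cmd))
    return alerts


def hosts_touching_recovery(alerts: List[Alert]) -> List[str]:
    """Hosts with at least one high or critical alert: the candidates to isolate first."""
    return sorted({a.host for a in alerts if a.severity in ("high", "critical")})


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} {a.user:<10} [{a.severity:<8}] {a.rule}: {a.command}")
    print("isolate first:", hosts_touching_recovery(scan(SAMPLE_LOG)))
```

The benign `vssadmin list shadows` from the backup service account on the file server matches nothing, which is the point of keying the rules on the destructive verbs rather than on the tool name; in a real deployment the same rules run against Sysmon event 1 or Security event 4688 with command-line auditing enabled.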
(Score: 3, Insightful) by Scruffy Beard 2 on Wednesday January 25 2017, @04:42PM
If it is not off-line, off-site, and verified, it is not a back-up.
(Score: 0) by Anonymous Coward on Wednesday January 25 2017, @11:36PM
Should be in all-caps and bold as well.
If your copy of your stuff can't survive a fire, flood, burglary, or hack, what you have is NOT a backup.
That the articles about this event don't include the names of the IT personnel responsible for the difficult-to-restore software/data infrastructure is just wrong.
This was fundamental incompetence.
Those chumps should be fired (and should never have been hired in the first place) and their names should be in the zeitgeist to alert any potential employers.
Those turkeys should have jobs that involve no more responsibility/skills than one that includes asking the question "Do you want fries with that?"
-- OriginalOwner_ [soylentnews.org]
(Score: 2, Interesting) by anubi on Wednesday January 25 2017, @11:39AM
Anybody here not see this kind of stuff coming?
To me, it seems Congress and business management are the only ones so high up to not see this under their feet.
In an effort to accommodate business models of snooping and controlling everyone by remote means, having Congress pass law to shield them from people reversing their software, while still holding them harmless for hostile software, we have let our computer infrastructure become so fragile that as much as opening up an email leads to catastrophe.
From Malwarebytes: [fortune.com]
We now have the system operating under the laws passed by Congress... not laws of common sense.
Quit mixing code and data! This is what happens when we do.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 1, Flamebait) by Nuke on Wednesday January 25 2017, @01:00PM
WTF are you on about?
(Score: 0) by Anonymous Coward on Wednesday January 25 2017, @08:13PM
Turn in your geek card. OP is perfectly understandable.
(Score: 1, Informative) by Anonymous Coward on Wednesday January 25 2017, @03:59PM
You definitely have a good big-picture view of the information / computer world.
I've felt strongly about that for 20 years. I've never liked the naivety of Bill Gates / Microsoft in general- OLE, COM, active-X, .net, self-executing downloads, etc. Clicking on a .exe or any executable in a browser, .pdf viewer, word processor, or anything similar should not start code running. It's just not safe at all. I don't care how "cool" it all is.
JavaScript is also a mix of code in what should be only data. I would be OK with JavaScript if it had no ability to interact with the machine's hardware, file system, external programs, etc...
The only safe way to run computers is to run browsers in disposable cloned containers.
(Score: 2) by inertnet on Wednesday January 25 2017, @12:12PM
and followed the money.
By the way, I don't understand why bitcoins can't be tracked. By design they're all unique, so I guess it should be possible to create a list of "compromised serial numbers". Any bitcoin that was used to pay a ransom should be flagged as compromised, so it can't be spent anywhere. And anyone trying to spend it should get a visit from the authorities.
(Score: 4, Interesting) by Unixnut on Wednesday January 25 2017, @12:44PM
> By the way, I don't understand why bitcoins can't be tracked.
They can be tracked. In fact they can be tracked by anybody on earth, as the ledger is public (visible to all). You can look at the bitcoin blockchain right now and see exactly from which wallet to which wallet every single bitcoin flows.
Hell, there are tons of sites to show you visually. Here is one with a global map of (near) real time transactions: http://bitcointicker.co/transactions/ [bitcointicker.co]
The problem is associating that wallet (Which is just a public key in essence) with the private key (the bit stored on your computer in your wallet.dat or equivalent), and from there, associating the wallet with an actual human. That is where it gets tricky.
Bitcoin's power is decoupling the identity of the holder from the account, and from there giving anonymity to users and public disclosure to the transactions so everyone can verify the ledger.
(Score: 2) by shipofgold on Wednesday January 25 2017, @01:27PM
The problem is "who" gets to create that list of compromised serial numbers and "who" will actually honor them?
I am guessing that it is a lot easier to launder "compromised" bitcoins as there will always be people who will accept them for some good or services (perhaps at a discount). Attaching the bitcoin to a real person is the hardest part....especially across borders.
In this case the sum of $35K probably wouldn't even motivate most law enforcement to look at it even if you could prove it was currently located in their jurisdiction.
I could also imagine a market in extortion by threatening to report your bitcoin as compromised.
Finally, even if your bitcoin are marked "compromised" after you pay a ransom, you won't get them back.
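Unixnut's point that every transaction is public, and shipofgold's that a "compromised" flag could only ever be an off-chain list that someone maintains, are what blockchain-analysis work operationalises as taint tracing. The following Python is an added example written for this page, not the thread's code and not real chain data: it runs proportional ("haircut") taint propagation over a constructed toy ledger with placeholder addresses and transaction ids, to show how far a ransom payment can be followed and where following it stops being useful (an exchange deposit address is typically the first place an identity could be attached).

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Ref = Tuple[str, int]   # (txid, output index) identifies one spendable output

# Constructed toy ledger (NOT real chain data; addresses and txids are placeholders).
# Transactions appear in ledger order; "in" lists the outputs being spent, "out" the
# new (address, amount) pairs. Funding transactions have no inputs.
TXS = [
    {"txid": "t0", "in": [],                     "out": [("victim", 50.0)]},
    {"txid": "t1", "in": [],                     "out": [("alice", 10.0)]},
    {"txid": "t2", "in": [("t0", 0)],            "out": [("ransom", 35.0), ("victim", 15.0)]},
    {"txid": "t3", "in": [("t2", 0), ("t1", 0)], "out": [("mixer", 30.0), ("ransom_change", 15.0)]},
    {"txid": "t4", "in": [("t3", 0)],            "out": [("exchange_deposit", 20.0), ("mixer", 10.0)]},
    {"txid": "t5", "in": [("t3", 1)],            "out": [("bob", 15.0)]},
]


def trace_taint(txs: List[dict], seed_address: str) -> Tuple[Dict[str, float], Dict[Ref, float]]:
    """Proportional ("haircut") taint propagation.

    Every output paid to seed_address is 100% tainted. When a transaction spends a mix of
    tainted and clean outputs, each of its outputs inherits the value-weighted fraction.
    Returns (tainted value received per address, taint fraction per output)."""
    by_id = {t["txid"]: t for t in txs}
    taint: Dict[Ref, float] = {}
    received: Dict[str, float] = defaultdict(float)
    for tx in txs:
        total_in = tainted_in = 0.0
        for ref in tx["in"]:
            _, amount = by_id[ref[0]]["out"][ref[1]]
            total_in += amount
            tainted_in += amount * taint.get(tuple(ref), 0.0)
        fraction = tainted_in / total_in if total_in else 0.0
        for i, (addr, amount) in enumerate(tx["out"]):
            f = 1.0 if addr == seed_address else fraction
            taint[(tx["txid"], i)] = f
            if f > 0.0:
                received[addr] += amount * f
    return dict(received), taint


def unspent_tainted(txs: List[dict], taint: Dict[Ref, float]) -> List[Tuple[str, float, float]]:
    """Where the tainted value sits right now: unspent outputs as (address, amount, fraction)."""
    by_id = {t["txid"]: t for t in txs}
    spent = {tuple(ref) for t in txs for ref in t["in"]}
    return sorted((by_id[tid]["out"][i][0], by_id[tid]["out"][i][1], f)
                  for (tid, i), f in taint.items() if f > 0.0 and (tid, i) not in spent)


if __name__ == "__main__":
    received, taint = trace_taint(TXS, "ransom")
    for addr, amt in sorted(received.items(), key=lambda kv: -kv[1]):
        print(f"{addr:<18} received {amt:6.2f} BTC of ransom-derived value")
    print("currently unspent:", unspent_tainted(TXS, taint))
```

The haircut rule is one of several conventions (FIFO and "poison" are others) and the choice changes who ends up flagged: here the mixer dilutes the payment with alice's clean coins, so bob receives coins that are only 78% tainted through no action of his own, which is exactly the "who honours the list" problem shipofgold raises.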
(Score: 2) by looorg on Wednesday January 25 2017, @01:38PM
None of the public machines should have any kind of information stored on them that was vital or worth a single bitcoin; information shouldn't even be allowed to be stored on them. So they should just be wiped without even having to think about it. That they are not automatically wiped on a nightly basis is baffling by itself. If you have 700 machines open to the public it's not like you are going to go around maintaining them one by one anyway, or is that how it works in the public sector of St. Louis? I guess that would be one way of creating job security. The next question is why are all these systems even connected to each other? How can you let public computers share a network with your "work" systems (various servers and maintenance systems plus the book lending system)? This just seems like incompetence. The public machines shouldn't even be allowed to come anywhere near the important systems, and the other way around - important machines shouldn't connect to insecure machines; they should be treated like they all have the plague. If it turns out to be true that the infection point is a central server, which then replicated the malware out to all the machines, then that is even worse. What are they doing running unknown software (or clicking funny email attachments) on the server?
That said, the expense is in some part just fiction. No computers were destroyed. All is already paid for. What is wasted is time. Time that has also already been paid for in the form of salaries. Actual cost minimal or nothing, value of the lesson? Priceless? Hopefully.
(Score: 3, Insightful) by damnbunni on Wednesday January 25 2017, @02:16PM
The time costs money.
'Time that has already been paid for in the form of salaries'? Er, no. Even assuming the workers are salaried, instead of waged, the hours they spend working on restoring the computers is hours they are NOT spending on doing whatever their job normally is. So either that work backs up and doesn't get done, or someone else has to do it - probably working overtime.
So either they have to pay people extra to fix the computers, or pay someone else to come in and fix the computers, or pay people to do the work of the people who are fixing the computers.
You also have to realize that libraries are usually on a shoestring budget. Even big city libraries. They don't get nearly enough funding to hire IT experts. Their systems are cobbled together by volunteers and whoever on the staff knows the most about wifi. SHOULD they be able to hire those experts? Yes. But they often barely get enough funding to maintain their buildings and buy the occasional book. IT spending is way down on the list.
I've worked in libraries. (Not these libraries.) The people I worked with were passionate about their work, and knew they were cutting corners, and wished they could afford to NOT cut them, but they didn't have a lot of choice.
(Score: 2) by looorg on Wednesday January 25 2017, @06:17PM
I would disagree. There is nothing else to do if all the computers, servers, systems or whatever are down. Getting them up again is the only task at hand. If you are paid to work with the computers then this is now your only or main task. If you are getting paid a monthly (or weekly or whatever) wage then you are already paid for, if you spend the time eating cookies and drinking coffee or reinstalling windows machines it's the same in that regard - the cost did not increase or decrease. There is no extra cost involved unless you have to hire some outside expert(s) to deal with the issue, or I have to pay you overtime. But on their alleged shoestring budget there probably won't be anyone or anything extra. I'm not certain but I doubt the FBI sends a bill for their assistance, if they offered any.
I don't doubt that the staff or the volunteers are doing their best and that they love working at a library. The things mentioned don't really have to cost much, if anything, either. I did not go into it but the post after mine by Number6 (I want to know something ...) does lay it out better than I would have. All I can add to his/her post is that Deep Freeze is excellent when it comes to dealing with and running public machines.
(Score: 3, Disagree) by mcgrew on Wednesday January 25 2017, @02:33PM
I think you're completely misunderstanding information technologies. The library here in Springfield, IL has public computers that are connected to the internet, they offer free wi-fi in the library, and their card catalog [lincolnlibrary.info] is online, but you can't get into the computers that hold employee payroll data, library card information, fines, and other sensitive information.
If you would have bothered to RTFS you'd have seen that a middle manager clicked on an email link. It had nothing to do with computers set out for patrons.
Why do the mainstream media act as if Donald Trump isn't a pathological liar with dozens of felony fraud convictions?
(Score: 2) by Scruffy Beard 2 on Wednesday January 25 2017, @05:00PM
I see nothing in TFS(summary) to that effect. (maybe I need coffee)
From TFA:
(Score: 2) by looorg on Wednesday January 25 2017, @06:06PM
I did read the fucking article, I even read it again and I still can't find what you mention.
The system is believed to have been infected through a centralised computer server, and staff emails have also been frozen by the virus. The FBI has been called in to investigate.
From the article and I mentioned that in one of the last sentences of my initial post.
Victims are hacked by clicking on an innocuous looking attachment or website link within an email.
Which was not related to the specific incident that the article was about but was a general comment at the end of the article detailing how ransomware infections usually happen. So which one of us is it that needs to learn to RTFS again? Not me.
(Score: 2) by number6 on Wednesday January 25 2017, @03:56PM
[Assuming the target is a computer running a Windows OS]
If I had backups of these files from the system drive (generated once a week by a scheduled task):
- The master file table (MFT)
- The master boot record (MBR)
- The system Registry hives: "DEFAULT | SAM | SECURITY | SOFTWARE | SYSTEM"
- The userprofile Registry hive: "NTUSER.DAT"
- The system file: "BOOT.INI"
Is it always possible to recover from ransomware attacks?
If it is not always possible to recover from ransomware attacks, then what am I missing to make this (simple) system recovery strategy resistant to ransomware?
I went to Wikipedia and had a look at the article on Ransomware (https://en.wikipedia.org/wiki/Ransomware) and noticed that the more vicious strains of Ransomware like to encrypt the filesystem.
Technically, what exactly does "encrypt the filesystem" mean? What files or objects or things are being touched? How exactly does this process cascade? Is there some simple way of mitigating the process (apart from cloning the drive)?
The simple strategy of backing up those system files I mentioned above has actually saved me many times.
However, if I was an organization or I gave more of a shit about this, I would also be installing the program "Deep Freeze" (www.faronics.com) which would roll the system back to a snapshot state on every reboot.
--
Q: "So how do you back up all those system files while your OS is running, how do you overcome 'access denied' messages"?
A: I use this command-line tool which copies raw sectors off the disk, bypassing the operating system handles:
--
Q: "What other tools do you use"?
A: These are useful to have in the kit:
(Score: 2) by Scruffy Beard 2 on Wednesday January 25 2017, @04:50PM
"Encrypt the filesystem" means that they scramble all of the files the user has access to in a specific way that only the attacker knows how to reverse.
This can include online backups.
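An added illustration of what "encrypt the filesystem" looks like from the data's side (example code written for this page, not from the thread, the library or any ransomware family): file-encrypting ransomware rewrites the user's documents in place and often renames them, so the byte entropy of each file jumps toward 8 bits per byte. The script baselines a constructed document tree, simulates the rewrite with random bytes (a stand-in for ciphertext, since the point here is detection, not the attacker's cipher), and reports what changed. File names, the suffix list and the thresholds are assumptions. It also answers the question above about the MFT/MBR/registry backup set: the documents themselves are what gets rewritten, and nothing in that set brings them back.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Tuple

# Suffixes some families append to encrypted files; illustrative, not exhaustive.
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, approaching 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path, sample_bytes: int = 4096) -> Dict[str, float]:
    """Entropy of the first sample_bytes of every regular file, keyed by path relative to root."""
    snap: Dict[str, float] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            with p.open("rb") as f:
                snap[p.relative_to(root).as_posix()] = shannon_entropy(f.read(sample_bytes))
    return snap


def diff_snapshots(before: Dict[str, float], after: Dict[str, float],
                   jump: float = 2.0, high: float = 7.0) -> List[Tuple[str, str]]:
    """Files that were rewritten with high-entropy content or disappeared (possibly renamed)."""
    findings: List[Tuple[str, str]] = []
    for path, e_before in before.items():
        if path in after:
            e_after = after[path]
            # Relative jump, not absolute level: already-compressed files (zip, jpeg)
            # sit near 8 bits in the baseline and must not trip the rule.
            if e_after - e_before >= jump and e_after >= high:
                findings.append((path, f"entropy {e_before:.2f} -> {e_after:.2f}"))
        else:
            renamed = [p for p in after if p not in before
                       and p.startswith(path) and p.endswith(SUSPICIOUS_SUFFIXES)]
            findings.append((path, f"renamed to {renamed[0]}" if renamed else "missing after rescan"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: baseline a small document tree, then simulate an attack on part of it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "catalog").mkdir()
        (root / "catalog" / "loans.csv").write_bytes(b"card,isbn,due\n" * 200)
        (root / "catalog" / "members.csv").write_bytes(b"id,name,email\n" * 200)
        (root / "notes.txt").write_bytes(b"The quick brown fox jumps over the lazy dog. " * 50)
        before = snapshot(root)

        # Simulated ransomware: overwrite two files with random bytes (a stand-in for
        # ciphertext) and rename one of them; members.csv is left alone.
        (root / "catalog" / "loans.csv").write_bytes(os.urandom(4096))
        (root / "notes.txt").write_bytes(os.urandom(4096))
        (root / "notes.txt").rename(root / "notes.txt.locked")

        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run against a real share this is a cheap canary: a baseline taken nightly and a rescan every few minutes flags the first handful of rewritten files long before the 700th machine is reached, and a dedicated decoy directory that nobody legitimately writes to makes the signal cleaner still. The heuristic is not a substitute for the offline backup, only an early warning that it is about to be needed.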
(Score: 0) by Anonymous Coward on Wednesday January 25 2017, @05:05PM
That is why I pull backups, not push them.
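The "pull, not push" idea, combined with Scruffy Beard 2's off-line, off-site, verified rule above: the host holding the backups is the only one that can write to them, every generation is written once and never reused, and "verified" means re-reading the stored copy against a hash manifest rather than trusting that the copy succeeded. The Python below is an added example for this page (not the thread's or the library's code); the directory layout, manifest format and generation labels are assumptions, and the source and vault are temporary directories standing in for a read-only mount of the production host and the backup host's own storage.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def pull_generation(source: Path, vault: Path, label: str) -> Path:
    """Copy source into a fresh, write-once generation under vault and record a hash manifest.

    The backup host runs this; it reads source (a read-only mount in practice) and is the
    only host that holds credentials for vault, so a compromised source cannot reach in."""
    gen = vault / label
    if gen.exists():
        raise FileExistsError(f"generation {label!r} exists; generations are never overwritten")
    (gen / "data").mkdir(parents=True)
    manifest: Dict[str, str] = {}
    for src in sorted(source.rglob("*")):
        if src.is_file():
            rel = src.relative_to(source).as_posix()
            dst = gen / "data" / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            expected = sha256_file(src)
            shutil.copyfile(src, dst)
            if sha256_file(dst) != expected:          # catch a bad copy now, not months later
                raise IOError(f"copy of {rel} does not match source")
            manifest[rel] = expected
    (gen / "manifest.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return gen


def verify_generation(gen: Path) -> bool:
    """The 'verified' part: re-read every stored file and compare it with the manifest,
    and refuse generations that contain files the manifest does not know about."""
    manifest: Dict[str, str] = json.loads((gen / "manifest.json").read_text())
    data = gen / "data"
    for rel, digest in manifest.items():
        f = data / rel
        if not f.is_file() or sha256_file(f) != digest:
            return False
    present = {p.relative_to(data).as_posix() for p in data.rglob("*") if p.is_file()}
    return present == set(manifest)


def demo() -> Dict[str, bool]:
    """Constructed run: two nightly pulls, the source ransomed between them, one copy damaged later."""
    with tempfile.TemporaryDirectory() as s, tempfile.TemporaryDirectory() as v:
        source, vault = Path(s), Path(v)
        clean = b"member records\n" * 100
        (source / "members.db").write_bytes(clean)
        (source / "loans.csv").write_bytes(b"card,isbn,due\n" * 100)
        g1 = pull_generation(source, vault, "2017-01-18")

        # Ransomware hits the source host after the first pull: files are rewritten.
        (source / "members.db").write_bytes(b"\x00ENCRYPTED\x00" * 100)
        g2 = pull_generation(source, vault, "2017-01-19")     # faithfully backs up the damage

        # A stored copy is later corrupted (media error or tampering); verification must notice.
        (g2 / "data" / "loans.csv").write_bytes(b"garbage")

        try:
            pull_generation(source, vault, "2017-01-18")       # reuse of a label is refused
            reuse_refused = False
        except FileExistsError:
            reuse_refused = True

        return {
            "g1_verifies": verify_generation(g1),
            "g2_verifies": verify_generation(g2),
            "g1_members_clean": sha256_file(g1 / "data" / "members.db") == hashlib.sha256(clean).hexdigest(),
            "reuse_refused": reuse_refused,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what the second generation shows: a pull copies whatever the source looks like that night, encrypted files included, so keeping separate generations is what preserves the clean copy, and a large fraction of files changing hash between two generations is itself worth an alert. Rotating the oldest verified generation to media that is physically disconnected covers the off-line and off-site halves of the rule.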
(Score: 2) by Gaaark on Wednesday January 25 2017, @05:24PM
I always pull back.
But then i push forward again.
Then i do it again. And again.
It's fun.
Wait. What are we talking about?
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 1) by Scruffy Beard 2 on Wednesday January 25 2017, @08:04PM
I think pushing via sneakernet can be secure.
(Score: 2) by tibman on Wednesday January 25 2017, @06:55PM
For backups i would suggest you focus on your actual data and not operating system files. Reinstalling windows is no big deal and something that has to be done periodically anyways. If you want to preserve your OS then i'd suggest doing a full-disk backup and not selective OS files. If you get some kind of malware then you really should format and reinstall. The malware could have put in a rootkit that you can't even see. Linux is a little different, imo. If you can verify they never had root and couldn't escalate then a clean-up is fine. I still reformat though : )
SN won't survive on lurkers alone. Write comments.
(Score: 0) by Anonymous Coward on Friday January 27 2017, @06:34AM
How do you like it? Did you figure this in your Total Cost of Ownership calculations?