Ransomware hits Louisiana schools; state of emergency declared

Louisiana Governor John Bel Edwards on Wednesday declared a state of emergency after three public school districts were seized by ransomware.

According to local news station KSLA, one of the affected school districts, Sabine Parish in northern Louisiana, released this statement on Wednesday night:

The Sabine Parish School System was hit with an electronic virus early Sunday morning. This virus has disabled some of our technology systems and our central office phone system. The district staff reported this electronic viral attack to local law enforcement, state officials and the FBI. All available resources are being utilized to get the district systems back online. An investigation involving local, state and federal law enforcement is ongoing at this time. The school phone systems were not affected by this attack. The central office phone system is being repaired and service will be restored as soon as possible. According to the Louisiana Department of Education, several other school districts were attacked by the same virus this week.

We haven’t seen details yet on what ransomware variant was inflicted in the attack; nor have state officials released a comprehensive list of the affected systems.

Eddie Jones, principal of Florien High School in Sabine Parish, told KSLA that his technology supervisor got an alert on his phone around 4am Sunday about a surge in bandwidth usage. It was particularly unusual given the time of day and the fact that the schools are all on summer break.

When technical staff investigated, Jones said, they found ransomware on the servers.

The principal said that he doesn’t believe that any sensitive information was lost. What was lost: “anything and everything” stored on the school district’s servers, including 17 years’ worth of Jones’ personal documents – his speeches, test schedules, master schedules and more.

The declaration of a state of emergency means that state resources will be made available and that assistance will be coming from cybersecurity experts from the Louisiana National Guard, Louisiana State Police, the Office of Technology Services and others to assist local governments in responding to the crisis and in preventing further data loss.

This is the first time that Louisiana has activated its emergency cybersecurity powers, which were created for just this type of cyberattack. The response is being handled by the state’s newly formed Cyber Security Commission, which was established in 2017. It brings together the state’s key stakeholders, subject matter experts, and cybersecurity professionals from Louisiana’s public sector, private industry, academia, and law enforcement.

The Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP) has also activated its Crisis Action Team and the Emergency Services Function-17 to coordinate a response.

Governor Edwards:

The state was made aware of a malware attack on a few north Louisiana school systems and we have been coordinating a response ever since. This is exactly why we established the Cyber Security Commission, focused on preparing for, responding to and preventing cybersecurity attacks, and we are well-positioned to assist local governments as they battle this current threat.

Ars Technica put some interesting context around Louisiana’s response: it’s modeled on Colorado’s response in the wake of two SamSam ransomware attacks. The first hit in February 2018, and the second came the following week. The attacks wound up costing the state $1.5 million to disinfect its systems after officials decided against paying nary one thin dime to the attackers.

Declaring an emergency empowered Colorado cybersecurity agencies to ask for help from the National Guard, on top of help from other security companies and the FBI.

The emergency declaration includes protection from being price-gouged for the extra help and resources. Here’s some language concerning that protection, from a Louisiana proclamation about states of emergency:

During a declared state of emergency, the prices charged or value received for goods and services sold within the designated emergency area may not exceed the prices ordinarily charged for comparable goods and services in the same market area at or immediately before the time of the state of emergency, unless the price by the seller is attributable to fluctuations in applicable commodity markets, fluctuations in applicable regional or national market trends, or to reasonable expenses and charges and attendant business risk incurred in procuring or selling the goods or services during the state of emergency.

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defence against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home”>XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.