Louisiana ransomware attack hits government systems

A ransomware attack targeted government systems in Louisiana, but disruptions seemed minimal due to the state's preparation.

Louisiana Governor John Bel Edwards announced Monday evening on Twitter that the state activated its cybersecurity team in response to "an attempted ransomware attack that is affecting some state servers."

"The Office of Technology Services [OTS] identified a cybersecurity threat that affected some, but not all state servers," Edwards tweeted. "OTS immediately initiated its security protocols and, out of an abundance of caution, took state servers down, which impacted many state agencies' e-mail, websites and other online applications."

Edwards said he anticipated no data loss from the Louisiana ransomware attack and the state did not pay ransom. He added that some services began coming back online Monday afternoon, but "full restoration may take several days."

Today, we activated the state's cybersecurity team in response to an attempted ransomware attack that is affecting some state servers. The Office of Technology Services identified a cybersecurity threat that affected some, but not all state servers. #lagov #lalege

— John Bel Edwards (@LouisianaGov) November 18, 2019

In his announcement, Edwards called the Louisiana ransomware incident an "attempted" attack four times, which appeared to contradict his assertion that service interruptions were due to the "aggressive response to prevent additional infection of state servers, and not due to the attempted ransomware attack." The governor's office did not respond to requests for clarification.

UPDATE: A spokesperson for Gov. Edwards said he described the incident as an "attempted attack" because the attack only infected a few servers and did not spread through the state's network and the state, and because the state did not pay the ransom.

Colin Bastable, CEO of security awareness training company Lucy Security, said he read this inconsistency "as spin."

Technically, Louisiana's response was good -- fast and decisive -- which engenders confidence and buys time.

"It was a ransomware attack that succeeded in disrupting services and potentially infecting some servers. But a fast response is vital, including good PR management, so he is entitled to spin it," Bastable told SearchSecurity. "Technically, Louisiana's response was good -- fast and decisive -- which engenders confidence and buys time. They recognize that email delivery, via employees and contractors, is the main point of threat, hence staff switching to personal email [as reported by WWLTV]. However, personal email use carries significant risks in itself."

James McQuiggan, security awareness advocate for Knowbe4, a cybersecurity training firm based in Clearwater, Fla., said the state's handling of the Louisiana ransomware threat was an excellent example of good incident response.

"Calling it an attempted ransomware attack could be a result that the perception of a full ransomware attack encrypts all of the servers and shutters an organization to almost a standstill in its operations," McQuiggan told SearchSecurity. "With the Louisiana event, it seems based on information that their downtime was minimal, but significant only to close offices only for this morning."

Ryan Weeks, chief information security officer at Datto, applauded "the tough decisions they have made thus far."

"It's a difficult choice to shut down all your systems and take an extended outage," Weeks told SearchSecurity. "When you are not clear on the entry point of a threat and it spreading, this can be a wise call in order to minimize damage and reduce your recovery time."

Edwards said this latest Louisiana ransomware attack was similar to a ransomware attack against school districts in July, but he did not elaborate further. The Louisiana State Police and federal agencies are investigating.