Hacker’s paradise: Louisiana’s ransomware disaster far from over

Enlarge / Louisiana State Capitol, Baton Rouge, Louisiana, at dusk. (credit: Visions of America/Universal Images Group via Getty Images)

Louisiana has brought some of its services back as it recovers from a targeted ransomware attack using the Ryuk malware on November 18. The state’s Office of Motor Vehicles re-opened offices on Monday in a limited fashion. But OMV and other agencies affected—including the state’s Department of Health and Department of Public Safety—are facing a number of potential hurdles to restoring all services, according to people familiar with Louisiana’s IT operations.

The ransomware payload was apparently spread across agencies by exploiting Microsoft Windows group policy objects—meaning that the attackers had gained access to administrative privileges across multiple Active Directory domains. This is symptomatic of TrickBot malware attacks, which uses GPOs and PsExec (a Microsoft remote administration tool) to spread its payload.

This is the second major cybersecurity incident this year in Louisiana tied to Ryuk ransomware. In July, Governor John Bel Edwards declared a state of emergency and deployed the state’s cyber response team to assist seven parish school districts. There have been many other Ryuk attacks this year that have used TrickBot and, in some cases, the Emotet trojan—an attack referred to by some experts as a “Triple Threat” commodity malware attack. At least two Florida cities and Georgia’s Judicial Counsel and Administrative Office of the Courts were also hit by “Triple Threat” attacks.