Louisiana has brought some of its services back as it recovers from a targeted ransomware attack using the Ryuk malware on November 18. The state's Office of Motor Vehicles re-opened offices on Monday in a limited fashion. But OMV and other agencies affected—including the state's Department of Health and Department of Public Safety—are facing a number of potential hurdles to restoring all services, according to people familiar with Louisiana's IT operations.

The ransomware payload was apparently spread across agencies by exploiting Microsoft Windows group policy objects (GPOs)—meaning that the attackers had gained access to administrative privileges across multiple Active Directory domains. This is symptomatic of TrickBot malware attacks, which use GPOs and PsExec (a Microsoft remote administration tool) to spread their payload.

This is the second major cybersecurity incident this year in Louisiana tied to Ryuk ransomware. In July, Governor John Bel Edwards declared a state of emergency and deployed the state's cyber response team to assist seven parish school districts. There have been many other Ryuk attacks this year that have used TrickBot and, in some cases, the Emotet trojan—an attack referred to by some experts as a "Triple Threat" commodity malware attack. At least two Florida cities and Georgia's Judicial Council and Administrative Office of the Courts were also hit by "Triple Threat" attacks.

Mind the gap

According to testimony by Deputy Chief Information Officer Neal Underwood before the Louisiana legislature's Joint Legislative Committee on the Budget, only 10% of the state's 5,000 servers were affected by the ransomware attack, and a total of about 1,500 computers of the state's 30,000 systems were "damaged" by the ransomware. Others were taken offline as a precaution as part of the response to the attack. And OMV officials and a spokesperson for the office of Louisiana's secretary of state—which had to shut down systems tied to election data in the midst of vote recounts in Louisiana's elections—declared that no data was lost in the attack.

But that declaration may have been early and certainly did not apply across all of Louisiana's agencies. Some data may be lost, as agencies' file backups were in some cases not current. In a letter in response to a public information request shared with Ars, an attorney for the Louisiana Department of Public Safety stated that the request could not be completed because records required for the response were unavailable "due to the recent ransomware attack on the state's computer systems."

Some offices of the OMV still have not re-opened, as their personal computers remain disconnected from the agency's network because they have not yet been re-imaged. And significant amounts of data—including records for the state's Medicaid system—may have been lost because backups maintained by Louisiana Department of Health's data center vendor were over six months old. While the state contracted out operations of LDH's data center, database servers and other systems remained accessible to Louisiana Office of Information Technology administrators.

[Update, 12/10/2019] A spokesperson for Louisiana's Division of Administration has asserted that the ransomware resulted in no major data loss, and contradicted sources for this story.