[BreachExchange] Ransomware attack shuts down computer systems for Virginia legislative agencies

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Tue Dec 14 09:45:17 EST 2021


https://richmond.com/news/state-and-regional/govt-and-politics/ransomware-attack-shuts-down-computer-systems-for-virginia-legislative-agencies/article_1603183b-cc58-5f2e-bad9-99693582b79c.html

A ransomware attack has forced the shutdown of computer systems and
websites for Virginia legislative agencies and commissions, including the
Division of Capitol Police and the Division of Legislative Services, which
is drafting bills and resolutions for introduction in the upcoming General
Assembly session.

The attack began on Sunday at the Department of Legislative Automated
Systems and has spread to almost all legislative branch websites, except
for the Legislative Information System on the General Assembly site. It has
not affected executive branch agencies of state government.

“Currently the bad guys have most of our critical systems locked up except
for LIS,” Dave Burhop, director of the legislative IT agency, notified the
clerks of the Senate and House of Delegates early on Monday morning.

Capitol Police can’t operate its website, but spokesperson Joe Macenka
said, “All of our critical communication systems are fine.”

Gov. Ralph Northam has been briefed on the ransomware attack and “has
directed relevant executive branch agencies to work quickly to offer any
help in assessing and responding to this ongoing situation,” spokesperson
Alena Yarmosky said Monday.

Yarmosky said the Virginia State Police fusion center sent a notice of the
attack just after 11 p.m. on Sunday. She said the Department of Legislative
Automated Systems “is shutting down most of their servers to try and stop
the spread and have engaged outside expertise to help.”

The attack involves ransomware that a criminal enterprise implants in
critical computer systems to extort money. The governor’s office and Burhop
confirmed that the state has received a ransom note, but did not specify
its contents.

“The bad guys have left us a ransom note but details are scant and no
amount of ransom has been specified yet,” Burhop said in the email to the
House and Senate clerks.

Among the agencies affected by the attack was the Joint Legislative Audit
and Review Commission, the General Assembly’s watchdog agency. JLARC
conducted most of its monthly meeting live online on Monday, but the
broadcast ended abruptly around noon as the state tried to limit the scope
of the attack.

Senate Clerk Susan Schaar said the Department of Legislative Automated
Services is working with the Virginia Information Technologies Agency to
address the outage. VITA serves more than 60 agencies in the executive
branch of state government.

The Department of Legislative Automated Systems manages the legislative IT
sites separately from the executive branch sites, Yarmosky said in the
governor’s office. “As such, VITA has very little knowledge of the system
and security architecture or tools in place to address cyber-attacks.”

Lindsay LeGrand, a spokesperson for VITA, said, “While the commonwealth’s
legislative branch systems are not part of the Virginia IT Agency’s
technology infrastructure, the VITA team is aware of the legislative system
outage and has been engaged to support the response effort.”

The response also includes the IT staffs of the House and Senate, Capitol
Police and the Virginia State Police.

“We can’t get much done,” Schaar said Monday.

Mandiant, a cybersecurity firm hired by the state this year, also is
involved in the response to the ransomware. A spokesperson for the company
said its systems were not affected by the attack.

A ransomware attack on the Colonial Pipeline for almost a week in May shut
down gasoline supplies for most of the East Coast and Southeastern United
States. The pipeline paid more than $4.4 million to the criminal enterprise
behind the attack in order to restore the operating systems for the
pipeline.

“We will be considering alternatives such as restoring ... backups, but we
believe our backup system may have been compromised as well,” Burhop said.