Internet Explorer 11 is not supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Louisiana’s Ransomware Attack Was Largest but ‘Not Catastrophic’

During a last-minute hearing Friday, Louisiana Deputy CIO Neal Underwood revealed that last week's ransomware attack was the largest one to impact the state, but he stopped short of calling the attack catastrophic.

Illustration of a red lock in the middle of a blue circuit board.
Last week's Louisiana ransomware attack affected approximately 10 percent of the 5,000 servers within the state government’s IT infrastructure, making it one of the largest cyberattacks on the state to date. 

Neal Underwood, deputy chief information officer for the Office of Information Technology (OIT), revealed the news during a last-minute hearing Friday morning, in which legislators quizzed numerous agency heads on their operational status following the cyberincident.  

“It’s not catastrophic,” Underwood said, before ultimately concluding that it was “a significant event, much more significant than any we’ve had in the past." He also called it a "sophisticated, coordinated attack," and not the result of "some malcontent teenager in their parent's basement." 

Around 1,500 of the state's 30,000 computers will have to be reimaged — the process of wiping and re-installing software on devices whose operating systems have been corrupted — he said.  

The attack also resulted in Gov. John Bel Edwards declaring a state of emergency for the second time in less than six months. The declaration allowed a number of processes to be expedited, including bringing in state and federal partners to assist through the existing Governor's Office of Homeland Security and Emergency Preparedness network (GOHSEP), as well as to allow for the suspension of certain regulatory statutes, such as late fees and other penalties and mandates related to the Office of Motor Vehicles or other offices affected by the cyberattack.

When asked about the estimated cost of the cyberattack, Underwood could only offer "anecdotal evidence," but said that the financial impact was "relatively small" when held against other emergencies.

The hearing revealed other details about the cyberincident, showing that automated monitoring software initially detected unauthorized activity within the state network. Personnel sent to investigate the activity subsequently discovered that a valid account had been hijacked and that the hackers had been successful in encrypting some servers and “components” of the network, Underwood explained.

“Most of our big, major, more modern systems weren’t impacted at all,” Underwood said. “What we lost was our ability to get to them and use them, because users’ PCs were either impacted, or because part of our network infrastructure was impacted, to the point where you had no path to actually access these systems.”   

Underwood reiterated that the reason state websites had been down across the board was because of the state's deliberate decision to isolate itself, to prevent the spread of the infection. 

“We immediately severed all connections to the outside world, which effectively shut down whatever operations they were putting in place. And [we] disabled whatever accounts were related to it, and began an investigation into what had taken place.”

That strategy seems to have paid off, with only a limited number of agencies still affected. The Office of Motor Vehicles has opened eight of its 79 offices as of Monday. Work to re-open the remaining offices is ongoing, though a majority of services have been maintained or returned to normal. 

Government Technology is Governing's sister e.Republic publication, offering in-depth coverage of IT case studies, emerging technologies and the implications of digital technology on the policies and management of public sector organizations.
Special Projects