We Have Your Files. To Get Them Back, Send Money

by Dick Hall-Sizemore

Tried to get into the Legislative Information System lately? If you did, you were likely greeted by the following message:

We’re experiencing a service outage with some of our servers. The Budget Portal, Law Portal, Reports to the General Assembly, and some other data may not be accessible. Our team is currently working to restore the service. We apologize for any inconvenience.

This is not a case of servers acting up. As reported by the Richmond Times-Dispatch, the legislature has been hit by a ransomware attack. The malware has shut down systems used by the legislative branch; most problematically, the system used by the Division of Legislative Services to draft and submit bills.  This is their busy season. For some reason, only some features of the Legislative Information System have been affected. The bill-status system is working.

The attack has not affected agencies in the executive branch. The two branches have separate IT systems. However, the Dept. of State Police and VITA (the executive branch’s IT agency) are providing assistance to the Division of Legislative Automated Systems (DLAS).  

It is not known how long the systems will be down. The director said they had received a ransom note, but no amounts were listed. The agency has contracted with a private consulting company to provide guidance and assistance.

An agency in the executive branch has been affected by an unrelated ransomware attack. The payroll systems of the Department of Behavioral Health and Developmental Services (DBHDS), which operates the state’s mental health facilities, have been “paralyzed” by the attack. Rather than targeting DBHDS, this attack was on the cloud services of the Ultimate Kronos Group, a private company that provides payroll services to government agencies and private companies. A spokesperson for the agency offered assurances that staff would be paid on time.

These attacks come amidst recent meetings in which there was concern expressed about the state’s vulnerabilities. In fact, Del. David Reid, D-Loudoun,  has been working for months on a series of budget amendments to broaden state protection against cyber threats at all levels of government.

Obviously, cyber threats, including ransomware, are part of the IT landscape and both private organizations and public agencies need to increase their defenses significantly. It is a great time to be a cybersecurity major in college.

Share this article


(comments below)


(comments below)


52 responses to “We Have Your Files. To Get Them Back, Send Money”

  1. You don’t need a degree to solve the problem.
    Separate the organization’s intra-net from the internet with a hard firewall… no data is allowed to be moved between the two without IT intervention and inspection.

    1. Stephen Haner Avatar
      Stephen Haner

      Some of my GOP friends were chuckling and I reminded them that it could very well have been an R legislator or staffer who opened the email that let in the malware. Their goal is to make it look innocuous.

      1. how_it_works Avatar

        I worked at a place that kept getting all sorts of spam and ransomware emails. Portscans and all sorts of strange stuff.

        I blocked ALL traffic originating from the Asia Pacific region.

        It cut the portscans and spam emails down to almost nothing.

        1. Nancy Naive Avatar
          Nancy Naive

          Lotta .ru back in the day.

      2. Nancy Naive Avatar
        Nancy Naive

        For Democrats….
        Good dey ser/mam, i am prince in my kontree and many money is held by evil bankers. Click link to hep many hngries childrins…

        For Republicans…
        Good dey ser/mams, i am prince in my kontree and wishing to help American king Trump. Click here to send moneys to Trump.

  2. Atlas Rand Avatar

    That’s unfortunate. My wife just started last week with DBHDS. Guess she won’t be getting paid!

    1. Dick Hall-Sizemore Avatar
      Dick Hall-Sizemore

      It will probably depend on her schedule and how she is paid. If she is 9-5 and on salary, there probably won’t be a problem. My experience is that KRONOS is used mostly for staff that have unusual shifts, 12-hour shifts for four days and three days off, for example; for hourly workers; and for those with a lot of overtime.

      1. Atlas Rand Avatar

        So apparently the whole hospital uses KRONOS, even salary, but they are using paper timesheets, pay not supposed to be impacted.

  3. LarrytheG Avatar

    Ransomware, as I understand it, is a hacker getting into your system as ROOT (super user) and encrypting ALL or most of your files and they have the “key’ that decrypts them.

    All systems are vulnerable to hackers but unless it’s a zero-day vulnerability, most are known and the software company provides “patches” to secure them.

    On the back side, is file and system backups. What this means is if your files are corrupted, you get the last backup and overwrite the corrupted files with the last copy of the good ones.

    A few years back, when Virginia wanted to have a system operator for all state servers, there was pushback as many agencies wanted to do their own thing.

    The problem is that state agencies are not stand alone – they end up sharing files and other data products and once one gets infected, it can then spread to others unless there is a uniform process for maintaining patches and backups.

    Don’t take my word for it – just do a little reading:



    1. “All systems are vulnerable to hackers”….hence the requirement of a hard firewall. Hackers can’t get in since they can’t gain access to a system not connected to the internet. It takes time and effort to safely move files from the internal system to the internet, but since when is any government action ‘timely’.

      1. LarrytheG Avatar

        firewalls are mandatory, agree… but they are not bulletproof either! It’s LAYERS!

        But simple stuff is often not done – like keeping the systems patched up-to-date and running full backups daily or even hourly depending on transaction frequency.

        Databases – that span systems especially need to have coordinated backups so if it has to be restored – all the pieces and parts are kept together.

        Bottom Line – IT is real profession that requires real professionals, that is their primary and sole job!

        Disbelievers get converted once a disaster like ransomware runs amok… but it usually takes that to convince them.

        1. If you can’t upload nor download – it’s protected.

  4. Nancy Naive Avatar
    Nancy Naive

    Hackers could could never succeed with a ransomeware attack on the Department of Redundancy Departmentment. Computers are cheap. Backups are even cheaper. Scrub the affected computer and rebuild.

    1. how_it_works Avatar

      Backups are one of those things that the IT department can forgo and nobody will ever know they’re not being done…till the feces hits the rotary impeller blades, anyway.

  5. Nancy Naive Avatar
    Nancy Naive

    Seriously, and y’all wonder why Hillary used her own server.

    1. Because she was sending money to some foreign prince’s hungry children and didn’t want it tracked by the state department?

      1. Nancy Naive Avatar
        Nancy Naive

        Of course, Dept of State was hacked earlier. Don’t hear about the Fed getting hacked too much anymore, but Geez, they are picking off the commerical sector like M&Ms.

    2. Because she was sending money to some foreign prince’s hungry children and didn’t want it tracked by the state department?

    3. Matt Adams Avatar

      The problem being is her server was less secure than State. She would’ve been better off with Gmail and they would’ve at least achieved her e-mail properly.

      1. Nancy Naive Avatar
        Nancy Naive

        Yeah, she barely achieved them, and for sure didn’t archive them. Damned spellchecker!

        In all anything sent to, or received by State is achived. It’s only from and to private emails that wouldn’t have been, and Hell, they can’t stop that for anyone.

        1. Matt Adams Avatar

          Very true, thanks for the catch.

  6. how_it_works Avatar

    ..and someone’s probably saying, “Backup? I can’t find the reverse switch!”

    1. Dick Hall-Sizemore Avatar
      Dick Hall-Sizemore

      DLAS has a backup system, but, at last report, the agency director thought it may have been compromised, as well.

      1. LarrytheG Avatar

        typically “backups” are done on a regular basis – like every day. So, you should be able to go back to the last day before the system was encrypted but you’d lose the transactions done between the last good backup and current.

        some systems lay down transactions to backup servers as they occur.

        How the systems are originally designed and maintained affects how recovery can happen (or not).

        Conceptually, it’s not that complicated. just think of files you have on your own computer and what you do (or not) to back them up on another device or media. It’s the nitty-gritty that gets complicated. Remember the bad old days when your hard drive would go belly-up with all your important stuff on it?

        1. how_it_works Avatar

          When I managed a backup system, I had it set up so that I could retrieve any backup going back a month, and I would pull tapes from a backup set every couple of months and store them off-site.

          Another back system I worked with, no tapes were EVER overwritten. They were removed from the tape library and replaced with new tapes every week, and the tapes removed were stored off-site.

          1. LarrytheG Avatar

            I think many have moved away from tape to NetApp type servers these days and restoring can be from weeks or months of disk data.

            This is one I’m somewhat familiar with but it’s been some years since I did this.


            Back in the day, management hated to spend money on stuff like this…and I wonder today when someone gets hit with ransomware if they did the backups and stuff necessary to recover.

          2. how_it_works Avatar

            Tape still has advantages over disk, in that tapes are less fragile and easier to store offsite.

          3. LarrytheG Avatar

            I see where Amazon AWS is selling backup services:


            I’m betting Amazon has their act together.

          4. how_it_works Avatar

            If your only backups are stored in AWS, you have a problem and you don’t even know it.

          5. LarrytheG Avatar

            why is that?

          6. how_it_works Avatar

            You have no control over what AWS does with your backups. One mistake on their end and they’re all gone.

          7. LarrytheG Avatar

            that can happen even in house. I don’t advocate relying solely on AWS but AWS is “offsite” and can save your bacon if you have a catastrophe onsite – like a fire.

          8. how_it_works Avatar

            AWS is offsite but is it as good as storing your tapes with a company like Iron Mountain?

          9. LarrytheG Avatar

            I truly don’t know. I suspect AWS is cheaper and more platform independent – pure cloud. The problem with other providers, is that they want to sell you something they own and have to maintain and that locks you in to them for better or worse.

            We had a cabinet full of NetApps (which is proprietary).

            There were discussions of “hot’ and “cold” offsite computing if we suffered a disaster but in order to do that – you’d have to have complete and almost hourly backups and the ability to move them all to offsite servers.

            You can bet that big bank/credit card systems (and AWS) probably have the full enchilada – they can run even if they have major systems go down, and I’d be very surprised if they are as vulnerable to ransomware as other companies and state agencies are.

            Their problems often happen when they do software updates… ..self-inflicted.

          10. LarrytheG Avatar

            Yes. But AWS “up time’ is pretty impressive and it would take two disasters, one for your own site to have a catastrophe then at the same time AWS to go down but AWS preserves files and comes back up with your files. AWS is a professionally maintained – it’s real and likely way better than many smaller systems where backups are catch as catch can. Even so, I would not solely rely on them. I’d not solely rely on an one method anyhow. Even on site backups need offsite backups – i.e. disaster recovery.

  7. Nancy Naive Avatar
    Nancy Naive

    “All your base are belong to us.”

    Amazing the numbers of modern circumstance that can be covered by that, ain’t it?

  8. Nancy Naive Avatar
    Nancy Naive

    Hey! Speaking of money, I have to tell youse guys. For us old farts, not such a deal, but for our 40-something children and 20-something grandkids, this is an incredible investment for retirement. Theirs, not ours.

    Series I Savings Bonds. 4% + inflation. They are 30-year full maturity, 5-year penalty free early withdrawal. Currently the interest rate for bonds purchased before April 2022 is 7.2%, locked in for the next 30 years. State tax exempt. Limit $10,000 per year per person.

    $10,000 purchased today will be $80,000 in 2051.

    1. LarrytheG Avatar

      hmmm… sounds a little too good to be true…..

      1. Nancy Naive Avatar
        Nancy Naive

        Hey, it’s the gub’mint. Of course it sounds too good to be true.

        And of course, it was. The inflation portion is 6-month adjusted. The total rate is not locked. It’s 7.12 until April 2022. The next 6 months could be as low as the base, or 7.12, more or less. Still. What’s the annualized inflation rate for the past 10 years?

        10K invested today will be 30K in 30 years inflation adjusted.

        Still, laddering guarantees $30K 2021 dollars inflation protected. Do that every year, and that’s a damned good addition to retirement.

        1. LarrytheG Avatar

          Do we have to send in a gift card to get that special rate?

          1. Nancy Naive Avatar
            Nancy Naive

            For a 20-something, maxing out the Roth with a little Traditional 401(k) to get the match, if any, and aggressively invested, they’re fine. As they start reaching 40, these bonds provide a great no-risk base so that they can continue aggressive investing in their tax-deferred/free accounts.

            Gift card? They are a gift card!

          2. Atlas Rand Avatar

            I’m struggling to find the information on what constitutes the “base” rate and what is the inflation adjusted portion. Know where that is?

          3. LarrytheG Avatar

            I thought the Roth/401K thing went away.
            But yes, you are more than correct in terms of the options available to people, especially young folks to build wealth for their future. Social Security is still relevant in that it’s really an Insurance Annuity with an inflation adjustment. You can’t outlive it, no matter how much you paid into it.

            I don’t know what things look like today with young folks but as a volunteer tax guy, I can tell you that the vast majority of seniors have Social Security and all but a handful need it. It’s often the only source of income or it is accompanies by a work pension which is insufficient without social security.

            I don’t know if you worked for the Feds or as a contractor but the Feds went to FERS awhile back and it’s a 3-legged stool with SS as one leg.

  9. Timothy Watson Avatar
    Timothy Watson

    I don’t have much faith in DLAS’s access control and contingency planning processes, or their IT governance in general, when they have publicly-accessible webservers running Windows Server 2000 (end of life for 11 years) and Windows Server 2003 (end of life for six years).

    1. LarrytheG Avatar

      yep. Wow! Ancient software no longer receiving manufacturer security patches… So the state apparently still does not have a true unified network and is still allowing agencies with vulnerable systems to still reside on and connect to the state network and the internet.

      1. Dick Hall-Sizemore Avatar
        Dick Hall-Sizemore

        Remember, the DLAS operation is separate from the overall state operation run by VITA, which was reorganized a few years ago.

        1. LarrytheG Avatar

          Are they a state asset? They may have got themselves exempted from VITA but really to their own harm as well as a risk to other state agencies.

          Are they really still using ancient Microsoft servers that are no longer supported with security updates? If so, whoever is in charge is clearly remiss and they need to be brought under the VITA umbrella. This is a story repeated over and over and learning is the “hard way”.

          Back in the day, I was tangentially involved with the Navy/Marine Corps Intranet (NMCI) (at a local level) and the goal was to establish standards for computers, software and network but virtually every activity wanted a waiver and wanted to keep their own stuff no matter it’s age or vendor support, security updates, or even if they had anyone on staff that knew how to competently maintain.

          It’s human nature to keep what you’ve already built and maintain, but when it comes to networks and the internet, it’s a recipe for disaster – such entities live on borrowed time until the inevitable happens, and they then are forced to deal with the consequences.

          1. Timothy Watson Avatar
            Timothy Watson

            When the legislature created VITA, and then expanded VITA’s authority to set security standards and require security audits of agencies, they specifically restricted that VITA’s oversight authority to executive branch agencies. For example, the law that allows VITA to set IT security audit requirements limits that authority to executive branch agencies and also states, “The Chief Justice of the Supreme Court and the Joint Rules Committee of the General Assembly shall determine the most appropriate methods to review the protection of electronic information within their branches” (§ 2.2-2009(A)(1)).

            There’s plenty of gaps at executive (and judicial) branch agencies, which can been seen in some of the reports prepared by the Auditor of Public Accounts (APA), but the APA doesn’t perform audits of legislative-branch agencies because the APA is part of the legislative branch and lacks the independence required by Government Auditing Standards (“Yellow Book”). Without any public reports, it’s hard to judge what exactly is occurring in the legislative branch to protect IT security, etc.

            There’s also a large fixed cost in running IT infrastructure nowadays, especially when considering the costs of centralized management and security tools.

            Full disclosure: I previously worked at VITA.

          2. LarrytheG Avatar

            If you worked at VITA, I would encourage you to stay here and comment and help us better understand the issues that VITA is dealing with.

            I don’t see how – for the state – some agencies can have their own silos and still want to be connected to the State network. We had the same thing going on with NMCI in the Navy. Everyone wanted a waiver…. and did not want oversight of their network security.

Leave a Reply