Leicester streetlights take ransomware attack personally, shine on 24/7
City council says it lost control after shutting down systems
It's become somewhat cliché in cybersecurity reporting to speculate whether an organization will have the resources to "keep the lights on" after an attack. But the opposite turns out to be true with Leicester City Council following its March ransomware incident.
Nearly two months after INC Ransom's attack hit the English council's systems, residents' reports now have us thinking everyone in the city is donning thick shades to manage their newfound Svalbard-esque perpetual brightness.
Of course, it's not that serious, but according to Roger Ewens, 65, of Beaumont Leys, the streetlights on his road have been shining brightly all day and night for some time.
When he asked the council why the curtains keeping Beaumont Leys' bedrooms dark and cozy were being put to the test, he was told that it was a residual issue caused by the council's recent cyberattack.
Local media reported the council's reply to Ewens, which explained that the knock-on effects of shutting down systems after detecting INC Ransom's cyberattack meant the "central management system" responsible for controlling the streetlights was "misbehaving."
A council spokesperson told us it was "aware of a number of streetlights that are staying on during the day."
"This is due to a technical issue connected to the recent cyberattack, when we were forced to shut down our IT systems. It means we are currently not able to remotely identify faults in the street lighting system.
"The default mode for faults is that the lights stay on to ensure that roads are not left completely unlit and become a safety concern. There are a number of steps required to resolve the problem, and we are working through these as quickly as we can."
Ewens was also told that the issue was expected to be resolved by the end of next week (May 3). That said, the council also thought its cyberattack would be sorted out within a few days when it was first disclosed, so who knows how long it will take for locals' circadian rhythms to get back on track.
Disaster handled
Days after it became clear early this month that Leicester City Council wouldn't pay INC's ransom demands, even after it leaked a sample of sensitive council data, the miscreants published the entirety of the files they stole, amounting to a sizeable 1.3 TB.
"At 1.3 TB, this is a much larger batch of data than the 25 documents published last week," said Richard Sword, the council's strategic director of city development and neighborhoods.
"We are in the process of reviewing the data to see exactly what it consists of, and have notified the Information Commissioner of our actions.
"We have a duty to inform anyone considered at high risk as a result of data breaches. Due to the amount of data published, we will be prioritizing people who may come under this category.
"We realize this data breach will cause concern, and apologize for any distress caused. We continue to work with Leicestershire Police and the National Cyber Security Centre (NCSC) as part of this investigation."
The NCSC's official stance is to not pay ransoms, and the council's refusal to pay, even knowing the scale of the data theft, showed its commitment to avoid funding the cybercrime ecosystem further.
CISA, the NCSC's counterpart over in the US, also strongly advises against paying ransoms, but in both nations the rules aren't always followed.
The attack on Colonial Pipeline, for example, caused such disruption to the East Coast that a ransom payment became necessary. More recently, Caesars Entertainment (allegedly) and UnitedHealth both paid ransoms following their respective ransomware incidents, and the latter's CEO will testify before the House's Energy and Commerce Subcommittee next month to explain how the attack unfolded. ®