CrowdStrike and Microsoft outages: what you need to know

A note from Matt Palmer, JCSC Director

Dear reader,

I’m emailing you outside of our usual monthly newsletter to give you an update on the two cyber incidents that have caused widespread disruption today.

We know that broadcasters, banks, and airlines around the world have been affected. In Jersey, we know that people attending their GP surgery are experiencing disruption. People travelling onwards from Jersey today are also likely to be affected by the delays at UK airports.

If you are affected, please do be patient. We know there are dozens of people working hard to assess and resolve this issue, and that staff in affected businesses will be doing their best to deal with the disruptions.

This incident is a prime example of the supply chain risks we all carry. None of the affected organisations have downloaded malware, clicked on a phishing link or made any “mistakes” that have led to this. (And even if they had, it’s less than helpful to focus on ascribing blame.)

Today’s incident hasn’t been caused by malicious actors or targeted attacks: it’s been caused by a problem with the services these organisations rely on.

We’re working with the Government of Jersey and other agencies to respond to this incident. (We’re also dealing with two other unrelated criminal cyber attacks.)

Going forward, we’ll now be looking to get a full understanding of the effects across industries so we can better understand and plan for future similar risks.

If you are affected - and especially if you’re a provider of Critical National Infrastructure (CNI) or an Operator of Essential Services (OES) - please do get in contact with us so we can understand how you’ve been affected, and how we can support you.

All the best,

Matt

What’s causing the disruption?

The disruption is caused by two separate incidents:

  • An issue with Microsoft Office 365 has been resolved, but you may see ongoing effects.

  • An update to CrowdStrike (commonly used endpoint detection software) has caused all affected machines to stop functioning. If you’re trying to use affected machines today, you’ll likely just see a blue screen.

How can I fix it?

If you’re affected by the Microsoft Office 365 issue, it should now be resolved.

If you’re affected by the issue with CrowdStrike, you can fix it, but it will take some time. For each affected machine, you’ll need to:

  • Boot Windows into Safe Mode or the Windows Recovery Environment

  • Open the C:\Windows\System32\drivers\CrowdStrike directory

  • Locate the file C-00000291*.sys and delete it

  • Start the computer normally

You’ll need to provide your BitLocker key to implement the fix, so make sure that you have it to hand.
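
For teams repeating the steps above across many machines, the delete step can be scripted so that each removal is checked and recorded. The following PowerShell script is an added example, not JCSC's or CrowdStrike's own tooling; the parameter names and the log path are assumptions. It is meant for an elevated prompt in Safe Mode and supports -WhatIf as a dry run.

```powershell
#Requires -RunAsAdministrator
# Added example: removes only files matching C-00000291*.sys and records what it did.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Directory named in the steps above; override it if the Windows volume
    # is mounted under a different drive letter.
    [string]$DriverDir = 'C:\Windows\System32\drivers\CrowdStrike',
    # Assumed log location for the removal record (hypothetical path).
    [string]$LogPath = "$env:SystemDrive\channel-file-removal.csv"
)

if (-not (Test-Path -LiteralPath $DriverDir -PathType Container)) {
    Write-Error "Directory not found: $DriverDir"
    exit 1
}

# Match only the file pattern given in the steps above; leave everything else alone.
$targets = @(Get-ChildItem -LiteralPath $DriverDir -Filter 'C-00000291*.sys' -File -Force)
if ($targets.Count -eq 0) {
    Write-Output "No C-00000291*.sys files found in $DriverDir; nothing to do."
    exit 0
}

$records = foreach ($file in $targets) {
    # Hash before deleting so the record identifies exactly which file was removed.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $removed = $false
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete')) {
        Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
        $removed = $true
    }
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        File         = $file.FullName
        SizeBytes    = $file.Length
        LastWriteUtc = $file.LastWriteTimeUtc.ToString('o')
        Sha256       = $hash
        Removed      = $removed
        CheckedUtc   = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# With -WhatIf nothing is deleted and the CSV is not written; the records are still shown.
$records | Export-Csv -Path $LogPath -NoTypeInformation -Append
$records
```

PowerShell is not normally available in the Windows Recovery Environment, so this applies to the Safe Mode route; the resulting CSV gives you a per-machine record to collect afterwards.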

How can JCSC help?

Our systems have not been affected and we’re functioning as usual, so if you need more information and advice, you can contact us: