Virginia Health Database Held For Ransom

An anonymous reader writes "The Washington Post's Security Fix is reporting that hackers broke into servers at the Virginia health department that monitors prescription drug abuse and replaced the homepage with a ransom demand. The attackers claimed they had deleted the backups, and demanded $10 million for the return of prescription data on more than 8 million Virginians. Virginia isn't saying much about the attacks at the moment, except to acknowledge that they've involved the FBI, and that they've shut down e-mail and a whole mess of servers for the state department of health professionals. The Post piece credits Wikileaks as the source, which has a copy of the ransom note left behind by the attackers."

Re:Sounds like an inside job.

[eldavojohn]

The phrasing "gone missing" makes him sound like he's from somewhere in the United Kingdom...

Yes, but the phrase "Now I hear tell" indicates Virginia! What a conundrum! This case will never be cracked! The full note text for those too lazy to click through wikileaks:

ATTENTION VIRGINIA

I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(

For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid. Now I don't know what all this shit is worth or who would pay for it, but I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver's license #).

Now I hear tell the Fucking Bunch of Idiots ain't fond of payin out, but I suggest that policy be turned right the fuck around. When you boys get your act together, drop me a line at hackingforprofit@yahoo.com and we can discuss the details such as account number, etc.

Until then, have a wonderful day, I know I will ;)

Michigan

[Darth_brooks]

The state of Michigan had this same scenario play out two years ago. The only difference: it was part of one of their Cyberstorm security exercises. At a round table discussion, the acting IT infrastructure director talked about how the exercise opened. He sat down at his desk one day, opened his e-mail, and found a ransom note that mirrors exactly what's going on now in Virgina.

It gets better. Certain key members of the IT infrastructure were given instructions ahead of time to take the day off, not tell anyone they were told to take the day off and, best of all, not answer their phone or e-mail unless they were being contacted by a specific person. (Someone who was 'in' on the exercise, and who had the authority to say "ah crap, XYZ is down and it's not part of the exercise, call Bob and let him know we actually need him.")

All in all it was an interesting discussion of "what if?" that I'd love to try out in my own workplace. Sure, if someone's on call and doesn't answer their phone, you beat them with at bamboo cane a the next opportunity. But what do you do in the meantime? If crap hits the fan, do your managers & team leads really know their call flows? Or does everyone just freak out and call the guy that usually knows what he's doing? What happens when that guy gets hit by a bus?

DHP != VDH

[elbuddha]

Just for clarification, the Virginia Department of Health Professionals is not the same agency as the Virginia Department of Health.

Each Virginia agency is its own little independent IT fiefdom, with all the disparity of budget and clue that entails. At least until their IT is taken over by Northrop Grumman, which is another clusterfuck entirely...