Slashdot Mirror


Kentucky Hospital Calls State of Emergency In Hack Attack (cnbc.com)

An anonymous reader quotes a report from CNBC: A Kentucky hospital is operating in an internal state of emergency following an attack by cybercriminals on its computer network, Krebs on Security reported. Methodist Hospital, based in Henderson, Kentucky, is the victim of a ransomware attack in which hackers infiltrated its computer network, encrypted files and are now holding the data hostage, Krebs reported Tuesday. The criminals reportedly used a new strain of malware known as Locky to encrypt important files. The malware spread from the initial infected machine to the entire internal network and several other systems, the hospital's information systems director, Jamie Reid, told Krebs. The hospital is reportedly considering paying hackers the ransom money of four bitcoins, about $1,600 at the current exchange rate, for the key to unlock the files.

16 of 265 comments

  1. Backups? by Anonymous Coward · · Score: 2, Insightful

    Backups, people, it's not hard using current technology and you get extra points for verifying those backups once you've done them. After all, a set of blank tapes in the safe is no good to man nor beast. This is a damn hospital with people's lives at stake and you'd think that they would take more care with their data!

  2. Re:Good by PraiseBob · · Score: 4, Insightful

    Let's use a car analogy.

    Say you are "stupid enough" to drive to a bad neighborhood. You leave your car parked, but accidentally left one of the doors unlocked. Should it now be perfectly legal to steal that car, or smash the windows, or commit whatever property crime you want on it?

  3. Re:Good by iCEBaLM · · Score: 4, Insightful

    No, but you're a fucking idiot if you don't expect it to happen.

  4. Keep on your toes. Ransomware on huge upswing by Anonymous Coward · · Score: 4, Insightful

    I've seen huge upswings in locky and other ransomware hitting the email gateway since the first. Literal 30x upswing.

    Lots of the locky infected messages are mimicking fax gateways and network-to-email scanner/mfp devices. The others are the usual tracking, invoice, tax, payment, etc social engineering schemes.

    Via email, most use executables in zip files.

    I've banned zip file attachment just to cut down on the load.

    I've heard reports that there is some really aggressive targeting via ad networks too.

    Backup, backup, and backup some more. Then audit. Then do DR drills. Then Audit the DR drills.

    Your users' endpoints aren't secure. Locky and company work inside a user's context and do not need admin privs. Backup is the only thing that will save you.
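
A narrower gateway rule than banning every zip is to open the archive and reject it only when it carries an executable member, the delivery pattern this comment describes. The following is an added example, not part of the original comment; the extension blocklist, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed blocklist of extensions Windows runs on double-click; tune per site.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk"}


def risky_zip_members(raw_message: bytes) -> list:
    """Return (attachment, member) pairs for executable files inside zip attachments."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Decide by content, not by filename or MIME type, which the sender controls.
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        attachment = part.get_filename() or "<unnamed>"
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                # Windows ignores trailing dots and spaces, so strip them first.
                # Only the last suffix counts: "invoice.pdf.exe" is an .exe.
                name = info.filename.rstrip(" .")
                if PurePosixPath(name).suffix.lower() in EXECUTABLE_EXTS:
                    hits.append((attachment, info.filename))
    return hits


def build_sample(member_name: str) -> bytes:
    """Constructed message imitating a scanner-to-email device, with one zip member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "scanner@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Scanned document"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scan_0001.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(risky_zip_members(build_sample("invoice.pdf.exe")))
```

Member names stay readable in password-protected zips that use standard zip encryption, so the same check applies to them; nested archives are not opened here.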

  5. There might be a problem with... by anegg · · Score: 3, Insightful

    electronic medical records.

    If this turns out to be a typical outcome of medical facility IT administration, then electronic medical records might not be such a good idea, at least not without adjustments to how the records are hosted.

    Just like "critical infrastructure" should not be connected to the Internet, it seems medical facility records infrastructure needs to be separate as well. Perhaps this is a general architectural strategy that should be implemented wherever organizations process sensitive information - one level of infrastructure for general purpose communications and Internet access, another (separate) level of infrastructure for the sensitive information, with an acceptance of the higher cost of maintaining the proper separation. One big mashup appears to have some significant risks.

  6. Re:Good by SecurityGuy · · Score: 3, Insightful

    Problem is, if you're a hospital you have thousands of people who can screw up. Any time you have thousands of people who can screw up, it's just a matter of time before someone does.

    I also read in another article that they just said "No." and restored from backups.

  7. When did AV became so useless ? by herve_masson · · Score: 3, Insightful

    So, a stupid macro virus opens thousands of files on a PC at full speed, deletes them, and creates another one with .locky extension. No AV software has the capability to detect something unusual? Dangerous? Suspect? (I wonder how AV wastes my CPU and disk IOs so badly...)

    This locky shit has been around for a few months, and no AV can do anything about it?? Seriously? They did not even bother changing the .locky file extension...
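
The file-activity pattern this comment describes (one process deleting many files of different types while creating the same number of files under a single extension) can be written as a sliding-window heuristic. The following is an added example, not part of the original comment and not a description of any AV product; the event format, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from pathlib import PureWindowsPath

WINDOW_SECONDS = 10   # assumed tuning values, not taken from the thread
THRESHOLD = 20        # creates and deletes needed inside one window
MIN_VICTIM_TYPES = 3  # distinct extensions among the deleted files


def detect_mass_rewrite(events):
    """events: time-ordered (ts, pid, op, path), op is CREATE or DELETE.

    Returns {pid: extension} for processes that, inside one window, deleted
    many files of several types while creating files that share one extension.
    """
    recent = defaultdict(deque)   # pid -> (ts, op, ext) entries still in window
    flagged = {}
    for ts, pid, op, path in events:
        if pid in flagged:
            continue
        q = recent[pid]
        q.append((ts, op, PureWindowsPath(path).suffix.lower()))
        while ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        created = Counter(ext for _, o, ext in q if o == "CREATE")
        deleted = [ext for _, o, ext in q if o == "DELETE"]
        if not created:
            continue
        top_ext, n_created = created.most_common(1)[0]
        # A compiler or temp-file churn deletes what it creates (same extension);
        # the ransomware pattern deletes documents and creates something else.
        victim_types = set(deleted) - {top_ext}
        if (n_created >= THRESHOLD and len(deleted) >= THRESHOLD
                and len(victim_types) >= MIN_VICTIM_TYPES):
            flagged[pid] = top_ext
    return flagged


def sample_events():
    """Constructed events: pid 4012 mimics the pattern, pid 880 is benign temp churn."""
    docs, tmp = "C:\\Users\\a\\Documents\\", "C:\\Temp\\"
    exts = [".docx", ".xlsx", ".jpg", ".pdf"]
    events = []
    for i in range(30):
        t = i * 0.1
        events.append((t, 4012, "DELETE", f"{docs}file{i}{exts[i % 4]}"))
        events.append((t + 0.05, 4012, "CREATE", f"{docs}{i:032x}.locky"))
        events.append((t, 880, "CREATE", f"{tmp}build{i}.tmp"))
        events.append((t + 0.05, 880, "DELETE", f"{tmp}build{i}.tmp"))
    return sorted(events)


if __name__ == "__main__":
    print(detect_mass_rewrite(sample_events()))
```

The check keys on behaviour rather than the literal `.locky` name, so it still fires if the extension changes.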

  8. Re:Document2 by HumanWiki · · Score: 5, Insightful

    Good luck with that... As an infra-engr guy for over a decade now, I can't tell you how many times I've been told to go pound sand by the people in charge of the company when I suggest things like that that cost money upfront to stop things that may cost money later. Pretty much anyone asking for actual backup systems or real DR hits similar walls. Not saying it's right or that I agree with it.. But, it's not as simple as saying it's time they learn. They don't. They never do.

  9. Which victim? by s.petry · · Score: 4, Insightful

    Security people have for decades said "STOP PUTTING EVERYTHING ON THE INTERNET!". And yet we have just about everything including public infrastructure on the Internet. The lies about "why" are very consistent. "Saves money" is probably the most popular, yet who is seeing that savings? Has the cost for you improved, or are the savings going to execs and bureaucrats? You (Consumer) are the most at risk due to these policy decisions.

    A specific class of people saying "do it anyway" does not mean it should be done, it means that people should be better than lemmings. Eventually it will happen, because it will have to happen.

    While I certainly feel sorry for anyone who is personally harmed by losing data housed on these systems, I also hope it serves as a wake up call. "Centralized" is not usually the best option.

    Blaming the victim, if you claim the Hospital is the victim, is actually appropriate. Blaming the person whose identity may be stolen or trashed was not being done, and those are the real victims here.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  10. Re:Good by fnj · · Score: 4, Insightful

    That said, I would support charging anybody who pays a ransom as a [sic] accomplice

    Jesus H. Christ. That is a perfectly asinine view. I cannot believe anyone is that morally bankrupt. So some scum kidnaps your elderly mother, threatens you that you will never see her again, and you pay the ransom. Do you really think you should be charged with being an accomplice to kidnapping? THINK. I know it's hard, but try.

    Look, I know the situation with this ransomware shit is exasperating. It's pretty much a no-brainer that you pay the ransom if it makes financial sense and you can't rescue it otherwise, but after that is done and the data is restored, and maybe after you take serious and effective steps to make sure that it can never happen again, you (and the system) go after the scum-sucking low-lifes who are responsible for the ACTUAL law-breaking, and all others like them, with a fury and resolve that knows no bounds. These ransomware attacks should be crimes of a very high order, and a first offense should be a minimum multi-decade sentence.

    Making the victim a double victim (victim of the law as well as victim of miscreants) is absolutely the worst idea I ever heard of.

  11. Re:Good by cheater512 · · Score: 3, Insightful

    Because victims never contribute to their state of being a victim?

    Saying victim blaming is wrong is saying that if you become a victim you instantly become infallible, could not have contributed to the problem in any way and are a completely innocent party.

  12. Re:Good by Rei · · Score: 1, Insightful

    I really don't see why it isn't illegal. Get both the US and EU to pass laws banning the paying of ransomware and you've destroyed the lion's share of their income. You can't totally prevent people from paying, but you'll stop most of it.

    Being infected by ransomware should basically become "bad news - your data was destroyed in a file".

    --
    Hourglass says she knows a kid in Iowa who grows up to be president.

  13. Re: Document2 by Hotawa Hawk-eye · · Score: 5, Insightful

    Would it cost more than a lawsuit filed against the hospital by the next of kin of a patient that died because the equipment needed to keep them alive was disabled by an attack like this?

  14. Re:Good by Kjella · · Score: 4, Insightful

    Because victims never contribute to their state of being a victim? Saying victim blaming is wrong is saying that if you become a victim you instantly become infallible, could not have contributed to the problem in any way and are a completely innocent party.

    There's two fundamentally different but overlapping meanings of blame. One is the perp's blame - the thief, the murderer, the rapist who is obviously the ultimate cause of everything. But we also used it in the meaning "failed to protect", like if the President got shot many people would blame the Secret Service even though they didn't have any part in it. They just failed to prevent it. The first one isn't really a subject of debate. The second? Well you can implicate almost anyone and everyone if you want to, like take the terror attacks in Brussels. Some will blame the police for not being able to stop it. Some will blame the politicians, the mosques and so on. Who could have done something? Who should have done something differently?

    The latter often ends up in some conflict of idealism versus reality. Nobody has any more right to steal from me because I forget to lock the door. But I obviously made it a lot easier for them. Or the mere absence, does the fact that I don't have a home alarm mean I'm more to blame if burglars loot my apartment? This is where victim blaming comes in, you shouldn't do that, be there, get that drunk, wear that skirt, walk those streets. Idealistically, the answer is of course hell no you shouldn't let that control your life. Practically, it's a mixed bag. I lock my door, I don't live in a prepper's bunker. But if bad shit happens, I'd be pretty pissed if you blamed me for not doing enough because it's still not my fault.

    --
    Live today, because you never know what tomorrow brings

  15. Re: Document2 by geoskd · · Score: 4, Insightful

    CIOs go to jail over incidents like that.

    If only that were true. Executives almost never go to jail, even for knowingly engaging in practices that are killing people. Just ask Volkswagen, or Enron, or BP, etc...

    --
    I wish I had a good sig, but all the good ones are copyrighted

  16. Re:Document2 by Pontiac · · Score: 4, Insightful

    Network segmentation, internal firewalls, client firewalls and admin isolation are the keys to preventing this.

    Local Server and client firewalls prevent access to system shares from unauthorized sources.

    Firewalls segmenting the network help isolate an outbreak.

    Admin isolation: No logging onto your desktop as admin ever! Management tasks are done by remote access to workstations isolated in their own hardened network segment and built for admin tasks.

    Overkill? Depends on your point of view. I know of places doing it this way.

    Admins will fight not having their tool set local on their machines but after you get used to it it's better.

    --
    If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. --Red Adair