Kentucky Hospital Calls State of Emergency In Hack Attack (cnbc.com)
An anonymous reader quotes a report from CNBC: A Kentucky hospital is operating in an internal state of emergency following an attack by cybercriminals on its computer network, Krebs on Security reported. Methodist Hospital, based in Henderson, Kentucky, is the victim of a ransomware attack in which hackers infiltrated its computer network, encrypted files and are now holding the data hostage, Krebs reported Tuesday. The criminals reportedly used a new strain of malware known as Locky to encrypt important files. The malware spread from the initial infected machine to the entire internal network and several other systems, the hospital's information systems director, Jamie Reid, told Krebs. The hospital is reportedly considering paying hackers the ransom money of four bitcoins, about $1,600 at the current exchange rate, for the key to unlock the files.
Looks like someone opened it there....
As well they should pay it.
I have ZERO sympathy for insecure IT systems. I also have ZERO sympathy for "victims" of scams. If you're stupid enough to leave your shit wide open, or Western Union money to Albania, that's on you. It should be perfectly legal to take advantage of stupid people. Consider it a learning experience.
This is a good time to test their disaster recovery.
...this clearly wouldn't have happened.
I want to congratulate Methodist Hospital, for digitizing and not investing in proper architecture (security, backups, partitioned infrastructure). They're lucky that the damage is limited to the loss of data and productivity. We can only hope that they go out of business, and that a hospital with a better IT administration takes their place.
Those employees better not be thinking of running an ad-blocker after this! Those heathens!
Why such a low ransom for such a high risk?
I bet the hospital has more $ in its petty cash drawer...
Perhaps this is a proof-of-concept run for the attackers...
$1.6K is, like, what, half a day in the ER? Chump change for them.
When the FBI has everything backdoored, we will be safe.
The option of proper backups or better security seems to be in the past, and the remaining options are to pay up or figure out how to get by without the data. For a hospital, ponying up $4k or losing tons of important data shouldn't be much of a choice at all; the most important step is to understand that coughing up the cash is the only hope of getting the data back.
Backups, people. It's not hard using current technology, and you get extra points for verifying those backups once you've done them. After all, a set of blank tapes in the safe are no good to man nor beast. This is a damn hospital with people's lives at stake and you'd think that they would take more care with their data!
The people who sent the ransomware, and their families, should be rounded up and tortured, and killed. I'm actually quite serious. It will send a message to those who think that they can get away with this crap.
I've seen huge upswings in Locky and other ransomware hitting the email gateway since the first. A literal 30x upswing.
Lots of the Locky-infected messages are mimicking fax gateways and network-to-email scanner/MFP devices. The others are the usual tracking, invoice, tax, payment, etc. social engineering schemes.
Via email, most use executables in zip files.
I've banned zip file attachments just to cut down on the load.
I've heard reports that there is some really aggressive targeting via ad networks too.
Backup, backup, and backup some more. Then audit. Then do DR drills. Then audit the DR drills.
Your users' endpoints aren't secure. Locky and company work inside a user's context and do not need admin privs. Backup is the only thing that will save you.
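A defender-side gateway check for the lure pattern this post describes (a zip attachment carrying an executable, dressed up as MFP/fax-scanner or invoice mail), written as an added example that is not from the original thread. The extension list, the lure keywords, the example addresses and the sample messages are constructed assumptions; the check inspects archive member names only and extracts nothing.

```python
"""Mail-gateway triage for the Locky-style lure: zip attachment + executable member.
Added example; the messages built below are constructed, not captured samples."""
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions Locky-era droppers were delivered as (assumed list, not exhaustive).
EXEC_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta", ".bat", ".cmd"}
# Subject fragments matching the fax-gateway / scanner / invoice lures the post mentions.
LURE_WORDS = ("fax", "scan", "invoice", "payment", "tracking", "tax")


def zip_executables(data: bytes) -> list[str]:
    """Return archive members with an executable extension (names only, nothing extracted)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if any(n.lower().endswith(ext) for ext in EXEC_EXTENSIONS)]


def assess_message(raw: bytes) -> dict:
    """Classify one RFC 822 message: block if a zip holds an executable, review if the
    subject looks like a known lure, pass otherwise."""
    msg = email.message_from_bytes(raw)
    subject = (msg["Subject"] or "").lower()
    hits = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname or not fname.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        hits.extend(f"{fname}:{member}" for member in zip_executables(payload))
    lure = any(w in subject for w in LURE_WORDS)
    verdict = "block" if hits else ("review" if lure else "pass")
    return {"verdict": verdict, "executables": hits, "lure_subject": lure}


def build_sample(zip_members: dict[str, bytes], subject: str) -> bytes:
    """Construct a sample message with one zip attachment (demonstration input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in zip_members.items():
            zf.writestr(name, content)
    m = EmailMessage()
    m["From"] = "scanner@mfp.example"      # constructed sender mimicking a network MFP
    m["To"] = "staff@hospital.example"     # constructed recipient
    m["Subject"] = subject
    m.set_content("Please see the attached scanned document.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="scan_0042.zip")
    return bytes(m)


if __name__ == "__main__":
    lure = build_sample({"scan_0042.js": b"// placeholder, not a real dropper"},
                        "Scanned image from MFP-01")
    benign = build_sample({"report.pdf": b"%PDF-1.4 placeholder"}, "Q1 report")
    print(assess_message(lure))    # verdict: block
    print(assess_message(benign))  # verdict: pass
```

Plugging this into a real gateway would mean feeding it each inbound message and quarantining on "block"; the "review" tier exists because the lure subjects alone are noisy.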
electronic medical records.
If this turns out to be a typical outcome of medical facility IT administration, then electronic medical records might not be such a good idea, at least not without adjustments to how the records are hosted.
Just like "critical infrastructure" should not be connected to the Internet, it seems medical facility records infrastructure needs to be separate as well. Perhaps this is a general architectural strategy that should be implemented wherever organizations process sensitive information - one level of infrastructure for general purpose communications and Internet access, another (separate) level of infrastructure for the sensitive information, with an acceptance of the higher cost of maintaining the proper separation. One big mashup appears to have some significant risks.
literally a taste of their own medicine!
Do they have any?
thegodmovie.com - watch it
Good thing a big fancy place like a hospital, you know, with all that juicy mission critical data, has a solid and well tested disaster recovery plan, right?
Right?
hahahaahhaah
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Immutable, append-only event streams cannot be crypto-lockered away. Bonus: also trivial to send securely to an offsite location for additional secure archiving.
Methodists obviously don't have good computer security because they don't smoke enough pot.
You're being too kind. Most of a decade ago 2 hours in ER cost me way over $4k - and that's after months of negotiation and paying some cash under the table.
Why guess when you can know? Measure!
Not that they are behind this.
people on here cackling about the incompetence of government workers in regards to the iPhone issue (no MDM software installed), the IRS hack and a few other items.
Considering the near daily reports of private industry being hacked or compromised, it looks like the government has some work to do if it wants to run its operations like private industry does as some say should be done.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
So, a stupid macro virus opens thousands of files on a PC at full speed, deletes them, and creates another one with a .locky extension. No AV software has the capability to detect something unusual? Dangerous? Suspect? (I wonder how AV wastes my CPU and disk IOs so badly...)
This Locky shit has been around for a few months, and no AV can do anything about it?? Seriously? They did not even bother changing the .locky file extension...
Is there a fuckin' echo in here?? AIRGAP THE FUCKING NETWORKS!!
[Filter error: Don't use so many caps. It's like YELLING.]
Tell everyone far and wide that the scammers took your money and REFUSED to give the encryption key, and that you had to restore everything from old backups.
Ruin the assholes' business model, since no one is going to pay if they are known to take the ransom and skip out.
hackers infiltrated its computer network, encrypted files and are now holding the data hostage
There's a meat slicer from the beginning of the original Children of the Corn with their name on it.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Security people have for decades said "STOP PUTTING EVERYTHING ON THE INTERNET!". And yet we have just about everything including public infrastructure on the Internet. The lies about "why" are very consistent. "Saves money" is probably the most popular, yet who is seeing that savings? Has the cost for you improved, or are the savings going to execs and bureaucrats? You (Consumer) are the most at risk due to these policy decisions.
A specific class of people saying "do it anyway" does not mean it should be done, it means that people should be better than lemmings. Eventually it will happen, because it will have to happen.
While I certainly feel sorry for anyone who is personally harmed by losing data housed on these systems, I also hope it serves as a wake up call. "Centralized" is not usually the best option.
Blaming the victim, if you claim the Hospital is the victim, is actually appropriate. Blaming the person whose identity may be stolen or trashed was not being done, and those are the real victims here.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
How come these hackers aren't using proper encryption with a government back door?
Are they criminals or something?
Who knows? Pricing for hospital services is all over the place and not public. That may only buy a couple of hours in one hospital's ER while at another it may pay for an entire day.
It's absurd. Imagine if all restaurants did the same thing. And it was "Chef's Choice" each time. Now, the chef is the expert and can make some delicious meals, but you never know what food you'll be served and you never know how much it's going to cost.
If someone dies in the hospital and it can be traced to critical files being unavailable, the malware owners could be charged with murder.
https://en.wikipedia.org/wiki/...
But not in Kentucky.
https://en.wikipedia.org/wiki/...
The world is made by those who show up for the job.
And then you get a bill in the mail from the runner / server for their own work. (It's not part of the bill you paid at the restaurant.)
Bad guys are only asking for $1600? Without hesitation they should pay it, get their shit together, and move on. $1600 is chump change.
I can see you haven't been in an ER for half a day, or know anybody who has.
I can't think of a rational or moral excuse for letting these people remain on earth, to encourage more. If you don't stop it, it won't stop.
For several years now, every single security analyst, including the FBI (https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/) I've come across has said the same thing about crypto-ransomware: pay them.
There is time to be idealistic later. Right now, you're being mugged: Do what you need to survive.
The Daddy casts sleep on the Baby. The Baby resists!
Well, that may be their profit after paying out the staff and buying the drugs.
The fact that there was a crime does not negate or diminish the poor decisions that led up to the crime taking place. Everything is not pure black or pure white. In fact the overwhelming majority of the world is gray. Sure, hold the criminals accountable for their actions. That said you also must hold the actors who presented the opportunity accountable for their actions.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
$1600? At a hospital, that's about the price of a band-aid and a few Ibuprofen.
Ketucky. KET.
Even the NSA allowed Snowden, a SharePoint administrator working for a contractor, access to some pretty critical data. If they can't properly control access to information, especially given how many tools there are out there to do so, it's not a shocker that private businesses fail to do so also.
The ransomware epidemic illustrates a very good point -- companies still treat their internal networks as 100% trusted. Once a machine is plugged in, there's nothing stopping it from roaming around the interior. This is the main problem -- laptops get taken home, executives demand admin access to the OS, they bring a virus, Trojan or other nasty in, and suddenly everyone has a bad day.
Internal networks should at the very least have separation of critical systems, preferably air-gaps between seriously critical systems. But that's expensive and companies refuse to spend any money on IT.
Just revert to the backup. Right?
Seven puppies were harmed during the making of this post.
Curious how you failed to mention that Locky requires Windows & Office to work ..
$1.6K is the cost of an aspirin in the ER.
The IT Manager was probably at his pizza parlor making pizzas when this all went down.
It's a bit of a stretch to be saying that hackers infiltrated the network blah blah blah.
A hospital employee opened an email with a Locky file attachment and it then encrypted what that user had access to.
Ransomware sucks donkey dicks. There are various mitigation techniques, some effective, some not so much, and sometimes the effective methods are too much of an impediment to do company work. But, a decent administrator should have backups.
The effective recovery from ransomware is restoring from backup. Paying these cock gobblers is just encouraging more of them.
Of course it's chump change, since even most individuals could actually afford that payment if they really needed to. What they're considering is either the negative publicity paying off criminals would have on their organization, or perhaps the moral implications of paying off criminals.
Irony: Agile development has too much inertia to be abandoned now.
Joe_Dragon may not be from the US. ERs in other countries often charge far less than what the US charges.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Just silly. Every single iota of your LAN does not need to be on the WAN. Those days are long gone.
Maybe it's just me, but as an I.T. security guy, this sounds like a shoddy admin had no backups when common encrypting malware hit. I'd be stunned if this were an 'active hack'.
What gets overlooked, and I'll argue intentionally, is that people are not being held accountable for their actions. This is the flaw I constantly see in discussions regarding "Social Justice". You just attempted to do just that, using a very odd example. Given your example, the secret service would be blamed if the President got shot. And they should be blamed. Numerous people assigned to Presidential detail failed if that was to happen. Bob gets paid to take a bullet for the President, and he hid when trouble started. Jerry neglected email about a shooter, Beth ignored the metal detector because that lady just looked nice, etc.. etc...
Sure, the person who pulled the trigger is a criminal. The other people don't get a free pass at negligence and/or bad decisions because of the crime.
One more example: Say you are in a public park and a big guy sits across from you on a different bench. You start tossing pebbles and they land close to his feet. He gives you a look that lets you know he's not happy, but you continue to toss pebbles. A dozen or so pebbles later he walks over and punches you in the face.
Was he right to punch you in the face? No, he is absolutely guilty of assault. On the other hand, you instigated the encounter and are accountable for your actions. Your broken nose in no way negates the fact that you were instigating the encounter.
You don't have to learn the lesson that you were taught, and the next big guy coming along will still be wrong to punch you in the face. You will still be an instigator deserving of a broken nose.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
I've spent a lot of time in that hospital -- not in their care -- but as a recurrent visitor of friends and family.
Most of the physicians who work there are refugees from malpractice lawsuits.
Based on what we've experienced there, it would be a service to the community to turn the whole place into a nice park with swings and playgrounds.
In this one case, I wish the black hats the best of luck and suggest they raise the ransom.
just try https://noransom.kaspersky.com
Besides, one of the recent ransomwares had a plain-text unlocking password in one of the files, so much for "strong encryption".
An email that originated from inside the network pretended to be from the U.S. Postal Service. A few hundred systems were infected. Everyone was told to turn off the viewing pane in Outlook to avoid automatically launching the script inside the email. Nasty little bugger.
And learn from it. Secure your networks, introduce user training, a decent enterprise virus checker and lock down PCs. Also set up a disaster recovery system.
We got hit by a rootkit ransomware virus a couple of years ago and I admit our virus checking and control of user PCs was piss-poor. It took out nearly everything and proved impossible to remove without destroying the PC setups.
Fortunately we had virtualised all our workstations a year before (Proxmox Cluster - kvm) and had full image backups of everything with a 6 month rolling history, plus online data backups. We were able to roll back the whole cluster two months and restore data from online. Took a weekend but saved our bacon.
Since then we have rolled out Webroot to all the VMs and forced firewalls plus Windows Defender via group policy. Haven't had a problem since.
We've been knee deep in this malware swamp and sinking since Win98. This shit happens when you use shit and there is no need to panic and scare the horses.
There are plenty of options, all time consuming and expensive, but having to rebuild the critical information by getting the medical histories of everyone in the place is not the end of the world. The rest, frankly (but we miss it because we are IT geeks), doesn't really matter and can be put together from scratch and whatever bits remain as needed. While robust systems, real backups etc. would be nice, there's no point crying about having a home computer system running a hospital after the fact.
Outlook not so good.
I have most people on Thunderbird but a couple of people who insisted on using MS Outlook were hit by something similar on different occasions. The servers all had regular file system snapshots (ZFS FTW!) and those variants of cryptolocker made encrypted copies of files then deleted the originals so "photorec" recovered the local files that were needed. Of course I had to reinstall (on new disks while I was recovering files from the old ones) because you never know what sort of things could be lurking on a machine that has been "0wned" by criminals. As the antivirus saying paraphrased from a movie goes "dust off and fdisk from orbit, it's the only way to be sure".
You can cheat with a lot of filesystems with different levels of access - but in large orgs middle management that want to snoop on others and have a desire to appear to be more important than their superiors can throw a spanner in the works demanding full access to everything. In large places it's policy that fucks you up more than actual technical issues so even the real segmented ideal can be screwed up by such things.
Similarly, on the MS side you can run virtual machines for some segregation, but not really security other than by obscurity. On the *nix side there are zones and containers to give the appearance of multiple machines for segregated tasks, and it was designed with security in mind so can be trusted a bit more than virtual machines.
Please contact me, for $40,000 I will deliver the 4 bitcoins to the ransomware attackers and retrieve your stolen data.
Why is this just now on here? Has it happened again? All of this was fixed last week.
Or that once you pay, you're known as a likely payout.
The bad guys want to be paid with Bitcoins. Is there anything related to Bitcoins that enables criminals to cover their tracks easily? Do Bitcoins enable crime?
Well, you are completely right in all your suggestions. Do these few things and your world will be safer. I've been a Pen Tester for over 15 years. I've seen it all. Hospital network security IS a fucking joke at EVERY hospital I have tested. I've tested 100s. When I see the word "hospital" on a project I know I will pwn them in less than an hour and have the whole network in my pocket before the day is out. My 10 year old Granddaughter could crack a hospital.
Just last month I tested a hospital, and a big one, in Florida. In less than an hour I found that the Domain Administrator's password was "password". YEP! "password", and from there you can guess where the rest of the test went. I even checked Fred Flintstone into the hospital, got him a room set up and an operation for him the next day to have his woman parts removed. Got into the Drug web app and could have sent myself all the drugs I could ever want. I also locked out the CIO's account and the Information Security Officer's account just as a joke and icing on the cake.
Admins of hospitals would have no clue of how to set up what you suggest. I have often wondered why it is EVERY hospital is this way. You hear all the shit about HIPAA but you have to remember there is no controlling body over enforcement of the rules with HIPAA. Just words on a paper. With credit cards you do have PCI, which does require testing and requires you TO PASS IT. I have tested one hospital two years in a row and the exact same problems, including the same passwords, were still there. You know how that one went too.
There is better network security at an adult toy store site than at a hospital. I'm not joking. A dildo is safer than your health records.
Your post removed your moderation! HAH!