Slashdot Mirror


Kentucky Hospital Calls State of Emergency In Hack Attack (cnbc.com)

An anonymous reader quotes a report from CNBC: A Kentucky hospital is operating in an internal state of emergency following an attack by cybercriminals on its computer network, Krebs on Security reported. Methodist Hospital, based in Henderson, Kentucky, is the victim of a ransomware attack in which hackers infiltrated its computer network, encrypted files and are now holding the data hostage, Krebs reported Tuesday. The criminals reportedly used a new strain of malware known as Locky to encrypt important files. The malware spread from the initial infected machine to the entire internal network and several other systems, the hospital's information systems director, Jamie Reid, told Krebs. The hospital is reportedly considering paying hackers the ransom money of four bitcoins, about $1,600 at the current exchange rate, for the key to unlock the files.


  1. Document2 by HumanWiki · · Score: 2

    Looks like someone opened it there....

    1. Re:Document2 by HumanWiki · · Score: 5, Insightful

      Good luck with that... As an infra-engr guy for over a decade now, I can't tell you how many times I've been told to go pound sand by the people in charge of the company when I suggest things like that that cost money upfront to stop things that may cost money later. Pretty much anyone asking for actual backup systems or real DR hits similar walls. Not saying it's right or that I agree with it... But, it's not as simple as saying it's time they learn. They don't. They never do.

    2. Re: Document2 by Hotawa+Hawk-eye · · Score: 5, Insightful

      Would it cost more than a lawsuit filed against the hospital by the next of kin of a patient that died because the equipment needed to keep them alive was disabled by an attack like this?

    3. Re: Document2 by pla · · Score: 2

      My question is, would improving security cost more than $1,600?

      You want to trust recovering a substantial portion of your network to not only the honesty of the guy who wrote this, but also in the ability of a loser who can't make a living as a "real" programmer to implement a reversible cryptosystem as intended? And when the next attack doesn't want money, but instead comes from a 14YO who just wants to fuck things up, what then?

      $1,600 doesn't even show up as an OpEx, it vanishes into petty cash; losing a billion dollar a year company's entire network because you didn't take even basic precautions? CIOs go to jail over incidents like that.

    4. Re:Document2 by The-Ixian · · Score: 2

      One type of attack that I witnessed over the winter holidays last year involved a malicious user harvesting e-mail signatures via auto-replies.

      Then using publicly available org information to target the accounting dept.

      The spear phishing e-mail looked pretty damn legit. The e-mail contained, what appeared to be, a back-and-forth exchange between the owner and the CFO with a request to transfer money.

      It actually came way too close to succeeding and was only foiled by the fact that it was such a highly irregular request. I would like to think that our regular phishing audits had something to do with it, but sadly, I think that if wire transfers were something we regularly do, it would have been a successful attack. Scary stuff.

      --
      My eyes reflect the stars and a smile lights up my face.

    5. Re: Document2 by dgatwood · · Score: 2

      That's in part because most criminals foolishly believe that they won't ever get caught, and in part because a large percentage of those crimes are committed by people in situations where they don't have enough time to act rationally, e.g. crimes of passion, having a gun on them when they rob a store and getting surprised by an off-duty cop, etc. If somebody said to them, "Look, if you bring that gun with you, there's a chance you'll have to use it, and you could get the death penalty," some percentage of them would probably not bring the gun.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    6. Re:Document2 by J053 · · Score: 3

      Or, maybe, they should learn to have good backup policies so a ransomware infection would result in, at most, loss of 1 day's data while the last pre-infection backup is restored. Data integrity 101, people.

    7. Re: Document2 by pj2541 · · Score: 2

      What CIOs have gone to jail? I must have missed that. I don't recall any jail time for a corporate officer in the US since Al Capone.

    8. Re: Document2 by geoskd · · Score: 4, Insightful

      CIOs go to jail over incidents like that.

      If only that were true. Executives almost never go to jail, even for knowingly engaging in practices that are killing people. Just ask Volkswagen, or Enron, or BP, etc...

      --
      I wish I had a good sig, but all the good ones are copyrighted

    9. Re: Document2 by sconeu · · Score: 2

      And most bean-counters foolishly believe "it won't happen to us".

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.

    10. Re:Document2 by Pontiac · · Score: 4, Insightful

      Network segmentation, internal firewalls, client firewalls and admin isolation are the keys to preventing this.

      Local Server and client firewalls prevent access to system shares from unauthorized sources.

      Firewalls segmenting the network help isolate an outbreak.

      Admin isolation: No logging onto your desktop as admin ever! Management tasks are done by remote access to workstations isolated in their own hardened network segment and built for admin tasks.

      Overkill? Depends on your point of view. I know of places doing it this way.

      Admins will fight not having their tool set local on their machines but after you get used to it it's better.

      --
      If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. --Red Adair

    11. Re: Document2 by Anonymous Coward · · Score: 2, Interesting

      Seriously, the only reason people pay these ransoms is that, so far at least, everyone has actually gotten their data back.

      I propose a new ransomware business plan

      1. Build some ransomware that doesn't actually encrypt files, just overwrites them with pseudorandom garbage
      2. Collect bitcoin from people who think you are actually going to decrypt their files.
      3. Repeat until the reputation of ransomware authors is completely destroyed and nobody pays anymore because they figure they aren't getting their data back anyway.
      4. ???
      5. Profit.

    12. Re: Document2 by Thor+Ablestar · · Score: 3, Interesting

      Let's calculate. Once upon a time I was a sysadmin in some Russian hospital. About 100 quite old computers with about 100 GB each. The critical data are about half of them. So you need about 10 TB to hold a reserve copy of everything - about US$500 of HDD. Maybe less. Then, you take any computer that has enough HDD ports - about US$150 since you don't need a new shiny computer, it would just work. Install there some software that would copy the modified files - it's free.

      But it's not the solution. The correct solution is the order of Chief Doctor that everybody who does not cooperate with Sysadmin would pay the ransom from their own pocket.

  2. Backups? by Anonymous Coward · · Score: 2, Insightful

    Backups people, it's not hard using current technology and you get extra points for verifying those backups once you've done them. After all, a set of blank tapes in the safe are no good to man nor beast. This is a damn hospital with people's lives at stake and you'd think that they would take more care with their data!
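The "copy the modified files" box that Thor Ablestar sketches in the thread above, together with this post's point about verifying backups, as an added example that is not code from either poster: a versioned copy job that never overwrites an earlier version (so a run made after an infection adds the encrypted copies but keeps the clean ones), plus a verification pass that re-hashes every stored copy. The directory names, file names and the simulated infection are all constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(manifest_path: Path) -> dict:
    if manifest_path.exists():
        return json.loads(manifest_path.read_text())
    return {"runs": 0, "files": {}}


def backup_modified(src: Path, dst: Path, manifest_path: Path) -> list:
    """Copy every file whose content changed since the last run into a fresh
    version directory under dst. Earlier versions are never touched, so a
    run after an infection stores the damaged copies next to the good ones."""
    manifest = load_manifest(manifest_path)
    version = f"v{manifest['runs'] + 1:04d}"
    copied = []
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        digest = sha256_of(path)
        history = manifest["files"].setdefault(rel, [])
        if history and history[-1]["sha256"] == digest:
            continue  # unchanged since the last run
        target = dst / version / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        history.append({"version": version, "sha256": digest})
        copied.append(rel)
    manifest["runs"] += 1
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return copied


def verify_backup(dst: Path, manifest_path: Path) -> list:
    """Re-hash every stored copy against the manifest. Returns the copies that
    are missing or no longer match; an unverified backup is blank tape."""
    manifest = load_manifest(manifest_path)
    bad = []
    for rel, history in manifest["files"].items():
        for entry in history:
            copy = dst / entry["version"] / rel
            if not copy.exists() or sha256_of(copy) != entry["sha256"]:
                bad.append(f"{entry['version']}/{rel}")
    return bad


def versions_of(manifest_path: Path, rel: str) -> list:
    """All stored versions of one file, oldest first (for picking a pre-infection copy)."""
    return [e["version"] for e in load_manifest(manifest_path)["files"].get(rel, [])]


def demo() -> dict:
    """Constructed scenario: one clean backup, then a simulated ransomware pass
    that overwrites each file with random bytes and renames it with .locky."""
    root = Path(tempfile.mkdtemp())
    src, dst, manifest = root / "ward", root / "reserve", root / "manifest.json"
    src.mkdir()
    (src / "patients.csv").write_text("id,name\n1,Doe\n")
    (src / "schedule.txt").write_text("08:00 rounds\n")
    first = backup_modified(src, dst, manifest)
    for path in list(src.iterdir()):  # simulated damage, constructed
        path.write_bytes(os.urandom(64))
        path.rename(path.with_name(path.name + ".locky"))
    second = backup_modified(src, dst, manifest)
    clean = versions_of(manifest, "patients.csv")[-1]
    restored = (dst / clean / "patients.csv").read_text()
    result = {
        "first_run": first,
        "second_run": second,
        "damaged_copies": verify_backup(dst, manifest),
        "restored_patients_csv": restored,
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```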

  3. Re:only 4 bitcoin? by bill_mcgonigle · · Score: 4, Interesting

    Why such a low ransom for such a high risk?
    I bet the hospital has more $ in its petty cash drawer...

    And who benefits from all this drama? They could have been back up and running before they went to the press. How does the hospital not suffer from this PR (like that they have no network isolation, perimeter security, or backups)? Something else is going on.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  4. Re:Good by PraiseBob · · Score: 4, Insightful

    Let's use a car analogy.

    Say you are "stupid enough" to drive to a bad neighborhood. You leave your car parked, but accidentally left one of the doors unlocked. Should it now be perfectly legal to steal that car, or smash the windows, or commit whatever property crime you want on it?

  5. Re:Good by iCEBaLM · · Score: 4, Insightful

    No, but you're a fucking idiot if you don't expect it to happen.

  6. Keep on your toes. Ransomware on huge upswing by Anonymous Coward · · Score: 4, Insightful

    I've seen huge upswings in Locky and other ransomware hitting the email gateway since the first. Literal 30x upswing.

    Lots of the Locky infected messages are mimicking fax gateways and network-to-email scanner/MFP devices. The others are the usual tracking, invoice, tax, payment, etc. social engineering schemes.

    Via email, most use executables in zip files.

    I've banned zip file attachments just to cut down on the load.

    I've heard reports that there is some really aggressive targeting via ad networks too.

    Backup, backup, and backup some more. Then audit. Then do DR drills. Then audit the DR drills.

    Your users' endpoints aren't secure. Locky and company work inside a user's context and do not need admin privs. Backup is the only thing that will save you.

    1. Re:Keep on your toes. Ransomware on huge upswing by Anonymous Coward · · Score: 3, Interesting

      I've banned zip file attachments just to cut down on the load.

      What admin's job wouldn't be complete if they weren't inventing new ways to stop their company from getting things done instead of properly administering their network? There are a lot of ways that you could secure your email without the ham-fisted (and ineffective) file blocking. Instead, your users are going to be renaming their files things like application.pdf with instructions to rename it to zip, so all you've achieved is making another hurdle for employees to jump before they can do their job. Now they see IT as something to work around rather than a tool.

      And IT people wonder why they're the first out the door when the budget gets lean.
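Inspecting zip attachments by content rather than banning them outright, as the reply above argues is possible: an added example, not code from either poster or from any mail gateway. It decides by the archive's own signature (so a zip renamed to application.pdf is still opened), recurses into nested archives, reports encrypted members it cannot read, and flags members that are executables by magic bytes or carry a script extension. The attachment names and contents are constructed.

```python
import io
import zipfile

EXECUTABLE_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}
SUSPECT_SUFFIXES = (".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".bat",
                    ".cmd", ".hta", ".jar", ".ps1")
MAX_NESTING = 2  # assumed policy: deeper nesting is itself a reason to quarantine


def is_zip(data: bytes) -> bool:
    """Decide by the archive signature, never by the outer filename."""
    return data.startswith((b"PK\x03\x04", b"PK\x05\x06"))


def inspect_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Return the reasons to quarantine this attachment; [] means nothing found."""
    reasons = []
    if is_zip(data):
        if depth >= MAX_NESTING:
            return [f"{filename}: archive nested deeper than {MAX_NESTING} levels"]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner = f"{filename}/{info.filename}"
                    if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                        reasons.append(f"{inner}: encrypted member, cannot be inspected")
                        continue
                    reasons += inspect_attachment(inner, zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: zip signature but unreadable archive")
        return reasons
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"{filename}: {label} by magic bytes")
    if filename.lower().endswith(SUSPECT_SUFFIXES):
        reasons.append(f"{filename}: executable or script extension")
    return reasons


def build_zip(members: dict) -> bytes:
    """Helper to construct an in-memory archive for the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def demo() -> dict:
    """Constructed attachments: a 'scan' zip hiding a PE file behind a double
    extension, a zip renamed to .pdf holding a script, a clean zip, and plain text."""
    samples = {
        "scan_0231.zip": build_zip({"scan_0231.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60}),
        "application.pdf": build_zip({"report.xls.js": b"var x = 1; // constructed\n"}),
        "quarterly.zip": build_zip({"quarterly.csv": b"dept,amount\nradiology,1200\n"}),
        "notes.txt": b"plain text, nothing to inspect\n",
    }
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "clean" if not reasons else reasons)
```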

    2. Re:Keep on your toes. Ransomware on huge upswing by OhPlz · · Score: 4, Funny

      Just send me the file to my Yahoo email address, the corporate one is a PITA.

  7. There might be a problem with... by anegg · · Score: 3, Insightful

    electronic medical records.

    If this turns out to be a typical outcome of medical facility IT administration, then electronic medical records might not be such a good idea, at least not without adjustments to how the records are hosted.

    Just like "critical infrastructure" should not be connected to the Internet, it seems medical facility records infrastructure needs to be separate as well. Perhaps this is a general architectural strategy that should be implemented wherever organizations process sensitive information - one level of infrastructure for general purpose communications and Internet access, another (separate) level of infrastructure for the sensitive information, with an acceptance of the higher cost of maintaining the proper separation. One big mashup appears to have some significant risks.

  8. Re:Good by SecurityGuy · · Score: 3, Insightful

    Problem is, if you're a hospital you have thousands of people who can screw up. Any time you have thousands of people who can screw up, it's just a matter of time before someone does.

    I also read in another article that they just said "No." and restored from backups.

  9. Re:Congratulations! by gstoddart · · Score: 3

    The sad thing is, I don't think this is limited to certain hospitals ... their core competency is health care, and the fact that IT in hospitals has been underfunded or badly done for years isn't exactly news.

    We've been hearing these same stories for years now.

    Yes, brilliant, let's hope hospitals go out of business so we can waste money starting from scratch, that will totally be efficient.

    --
    Lost at C:>. Found at C.

  10. Re:only 4 bitcoin? by khasim · · Score: 2

    There is no real risk for the attackers.

    And, if the ransom is that low, there is more incentive to just pay it rather than spend the time/money to recover everything themselves (and miss some things and have to pay it anyway).

    The attackers are in this for the money. One HUGE score would mean more incentive for politicians / police / FBI / etc to try to find them.

    A thousand smaller scores mean that this is just-something-that-happens and we-should-get-used-to-it. And the money keeps rolling in.

  11. Re: the answer by Type44Q · · Score: 2

    The people who sent the ransomware, and their families should be rounded up and tortured, and killed

    "...and their families?!" This person, and whatever sick fuck modded them up, need a major ass-kicking.

  12. Re:only 4 bitcoin? by tnk1 · · Score: 2

    Not necessarily. These criminals want to provide good "service" to their "customers". If it gets out that this sort of extortion payment has no effect on getting back their data, no one will pay it and they will lose their "business".

    That doesn't prevent "me too" organizations from walking in and hacking them as well, of course.

    And be aware that these organizations are often extremely professional these days, using very sophisticated spear phishing attacks and other means. It is increasingly less true that this is simply due to someone clicking on a link to a viagra spam email. They're making very concerted efforts to learn organizational charts and watching emails to ensure that they send their emails as people who you'd usually trust to send you a link.

    Here's a long read about how these pro hacker outfits are using spear phishing and sophisticated attacks that could be pretty scary even to a place that takes security fairly seriously. If they fell prey to something like that, they wouldn't have to be idiots.

    http://www.infoworld.com/artic...

  13. When did AV become so useless? by herve_masson · · Score: 3, Insightful

    So, a stupid macro virus opens thousands of files on a PC at full speed, deletes them, and creates another one with a .locky extension. No AV software has the capability to detect something unusual? Dangerous? Suspect? (I wonder how AV wastes my CPU and disk IOs so badly...)

    This Locky shit has been around for a few months, and no AV can do anything about it?? Seriously? They did not even bother changing the .locky file extension...
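The behaviour this post describes (a process deleting files at full speed and creating replacements with a .locky extension) is exactly the kind of pattern that file-event telemetry can catch without a signature. Added example, not from the thread or any AV product: a per-process sliding-window detector over constructed file events. The event format, the watched-extension list and the thresholds are assumptions.

```python
import os
from collections import defaultdict, deque
from dataclasses import dataclass

WATCHED_EXTENSIONS = {".locky"}  # the extension named in the thread; extend as needed
WINDOW_SECONDS = 10.0            # assumed tuning
BURST_THRESHOLD = 20             # delete-then-create rewrites per process per window


@dataclass
class Alert:
    pid: int
    time: float
    rule: str
    detail: str


def detect(events, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """events: iterable of (time, pid, op, path) sorted by time, with op in
    {"open", "write", "delete", "create"}. Two rules, each firing once per pid:
    known-extension (a create with a watched extension) and rewrite-burst
    (an original is deleted and a file with an extra extension appears in its
    place, more than `threshold` times inside `window` seconds)."""
    deleted = set()                 # (pid, path) deleted and not yet replaced
    rewrites = defaultdict(deque)   # pid -> times of recent rewrites
    fired = set()                   # (pid, rule) already alerted
    alerts = []
    for t, pid, op, path in events:
        if op == "delete":
            deleted.add((pid, path))
            continue
        if op != "create":
            continue
        stem, ext = os.path.splitext(path)
        if ext.lower() in WATCHED_EXTENSIONS and (pid, "known-extension") not in fired:
            fired.add((pid, "known-extension"))
            alerts.append(Alert(pid, t, "known-extension", f"created {path}"))
        if (pid, stem) in deleted:
            deleted.discard((pid, stem))
            q = rewrites[pid]
            q.append(t)
            while q and q[0] < t - window:
                q.popleft()
            if len(q) >= threshold and (pid, "rewrite-burst") not in fired:
                fired.add((pid, "rewrite-burst"))
                alerts.append(Alert(pid, t, "rewrite-burst",
                                    f"{len(q)} files rewritten within {window:g}s"))
    return alerts


def constructed_events():
    """Constructed sample: pid 1001 edits a few files, pid 3003 is a backup job
    creating .bak copies quickly without deleting originals (must stay quiet),
    pid 2002 behaves like the ransomware in the post."""
    ev = []
    for i in range(5):
        ev += [(1.0 + i, 1001, "open", f"/shares/ward/note{i}.docx"),
               (1.5 + i, 1001, "write", f"/shares/ward/note{i}.docx")]
    for i in range(100):
        ev.append((2.0 + i * 0.01, 3003, "create", f"/shares/ward/file{i}.xlsx.bak"))
    for i in range(50):
        base = f"/shares/ward/file{i}.xlsx"
        t = 5.0 + i * 0.05
        ev += [(t, 2002, "open", base), (t + 0.01, 2002, "delete", base),
               (t + 0.02, 2002, "create", base + ".locky")]
    return sorted(ev)


if __name__ == "__main__":
    for a in detect(constructed_events()):
        print(f"pid {a.pid} t={a.time:.2f} {a.rule}: {a.detail}")
```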

    1. Re:When did AV become so useless? by SumDog · · Score: 5, Interesting

      Since the past decade. Enumerating viruses is useless. There are too many. Machine learning can be fooled and has high false positive rates. A French researcher at Kiwicon in 2014 showed that the parsers most AVs use run as the System user. He was able to use broken JPEGs and PDFs against the parser and get code execution as the System user (read: you don't even have to open the file. The virus scanner ran the executable code!)

      Active virus scanners are totally worthless today and actually increase the attack vectors to machines. Passive virus scanners are about equally as useless.

  14. Re: Congratulations! by Type44Q · · Score: 2

    their core competency is health care

    I have yet to observe a hospital that this actually applies to.

  15. Pay them off, get the key, decrypt, and THEN... by Anonymous Coward · · Score: 2, Interesting

    Tell everyone far and wide that the scammers took your money and REFUSED to give the encryption key, and that you had to restore everything from old backups.

    Ruin the assholes' business model, since no one is going to pay if they are known to take the ransom and skip out.

  16. The one with Linda Hamilton by Impy+the+Impiuos+Imp · · Score: 2, Funny

    hackers infiltrated its computer network, encrypted files and are now holding the data hostage

    There's a meat slicer from the beginning of the original Children of the Corn with their name on it.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.

  17. Which victim? by s.petry · · Score: 4, Insightful

    Security people have for decades said "STOP PUTTING EVERYTHING ON THE INTERNET!". And yet we have just about everything including public infrastructure on the Internet. The lies about "why" are very consistent. "Saves money" is probably the most popular, yet who is seeing that savings? Has the cost for you improved, or are the savings going to execs and bureaucrats? You (Consumer) are the most at risk due to these policy decisions.

    A specific class of people saying "do it anyway" does not mean it should be done, it means that people should be better than lemmings. Eventually it will happen, because it will have to happen.

    While I certainly feel sorry for anyone who is personally harmed by losing data housed on these systems, I also hope it serves as a wake up call. "Centralized" is not usually the best option.

    Blaming the victim, if you claim the Hospital is the victim, is actually appropriate. Blaming the person whose identity may be stolen or trashed was not being done, and those are the real victims here.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Which victim? by fnj · · Score: 2

      Blaming the victim, if you claim the Hospital is the victim, is actually appropriate.

      Some blame for recklessness/incompetence is due, but it is distinctly secondary to the blame for the actual CRIME. It in no way diminishes the culpability of the scum-sucker who ACTUALLY DID THE DAMAGE.

  18. Re:Good by SumDog · · Score: 2

    I've seen more and more malware make it through my spam filters (amavis + SpamAssassin + ClamAV). I can tell by looking at it. Occasionally I pull the zips into a VM and look at the fake Excel files filled with JavaScript.

    You can't protect against this kind of stuff as an IT admin, without making e-mail even more unreliable than it actually is (I wrote a post about this last year: http://penguindreams.org/blog/how-google-and-microsoft-made-email-unreliable/).

    Sure, you shouldn't let workstations have write access to critical data infrastructure, but who knows how this happened? What if it was opened in user mode, someone called help desk, they remoted in and ran some tools as an admin user and boom, it goes and encrypts their rdesktop shared volumes and spreads that way.

    It's more complicated than you think.

  19. Re:If they'd had a proper backdoor... by CaptSlaq · · Score: 2

    ...this clearly wouldn't have happened.

    Found the Spook.

  20. If someone dies ... by jbeaupre · · Score: 4, Informative

    If someone dies in the hospital and it can be traced to critical files being unavailable, the malware owners could be charged with murder.

    https://en.wikipedia.org/wiki/...

    But not in Kentucky.

    https://en.wikipedia.org/wiki/...

    --
    The world is made by those who show up for the job.

  21. Re:Good by tnk1 · · Score: 2

    I see where you are coming from, but I fail to see the point of punishing someone for taking an action that might free their relative or friend from a kidnapper who the government is clearly unable to prevent from operating.

    It feels very wrong that the only person who managed to save the kidnapped person from being killed might be the only one who would be going to jail.

    Yes, let the cops do their job. However, if the cops fuck up, or they can't protect you, then you do what you need to do.

  22. Re:Good by Rei · · Score: 3, Informative

    That's an excuse for one computer getting infected. That's not an excuse for the whole hospital getting infested.

    --
    Hourglass says she knows a kid in Iowa who grows up to be president.

  23. Re:Good by fnj · · Score: 4, Insightful

    That said, I would support charging anybody who pays a ransom as a [sic] accomplice

    Jesus H. Christ. That is a perfectly asinine view. I cannot believe anyone is that morally bankrupt. So some scum kidnaps your elderly mother, threatens you that you will never see her again, and you pay the ransom. Do you really think you should be charged with being an accomplice to kidnapping? THINK. I know it's hard, but try.

    Look, I know the situation with this ransomware shit is exasperating. It's pretty much a no-brainer that you pay the ransom if it makes financial sense and you can't rescue it otherwise, but after that is done and the data is restored, and maybe after you take serious and effective steps to make sure that it can never happen again, you (and the system) go after the scum-sucking low-lifes who are responsible for the ACTUAL law-breaking, and all others like them, with a fury and resolve that knows no bounds. These ransomware attacks should be crimes of a very high order, and a first offense should be a minimum multi-decade sentence.

    Making the victim a double victim (victim of the law as well as victim of miscreants) is absolutely the worst idea I ever heard of.

  24. Re:Good by cheater512 · · Score: 3, Insightful

    Because victims never contribute to their state of being a victim?

    Saying victim blaming is wrong is saying that if you become a victim you instantly become infallible, could not have contributed to the problem in any way and are a completely innocent party.

  25. Re:Good by Anonymous Coward · · Score: 2, Funny

    I modded you troll. It's your own fault because you posted here and knew perfectly well how easy it is to get modded as a troll.

  26. Considering? Drop everything and pay it. by chispito · · Score: 3, Informative

    For several years now, every single security analyst, including the FBI (https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/) I've come across has said the same thing about crypto-ransomware: pay them.

    There is time to be idealistic later. Right now, you're being mugged: Do what you need to survive.

    --
    The Daddy casts sleep on the Baby. The Baby resists!

  27. Re:Good by hercludes · · Score: 2

    Victim blaming? I hate this attitude when it comes to these sorts of things, it always sends the message that people don't have to worry about their own security and safety. In the end, it is partially the victim's fault because if the victim had decided to employ more security and caution, they would not have had their car stolen. Same as how it's the criminal's fault because if they had not decided to be a shitty person on that day, no car would have been stolen. There's a legitimate difference between employing all the security measures you could but still finding yourself in a situation where you are forcefully unlocking your car door by gun point, and in a different scenario having said "fuck security, it's never the victim's fault" and just leaving your car door unlocked of your own volition.

  28. Locky requires Windows & Office to work .. by khz6955 · · Score: 3, Informative

    Curious how you failed to mention that Locky requires Windows & Office to work ..

  29. Re:Good by lgw · · Score: 2

    That was never going to happen - the question was about whether to restore from backups, or pay the trivial ransom amount. They made the right call, and went to backups, despite that costing more than $1600 in people's time.

    --
    Socialism: a lie told by totalitarians and believed by fools.

  30. Re: Congratulations! by aaarrrgggh · · Score: 2

    Clearly; their core competency is in invoicing.

  31. Re:Good by Kjella · · Score: 4, Insightful

    Because victims never contribute to their state of being a victim? Saying victim blaming is wrong is saying that if you become a victim you instantly become infallible, could not have contributed to the problem in any way and are a completely innocent party.

    There's two fundamentally different but overlapping meanings of blame. One is the perp's blame - the thief, the murderer, the rapist who is obviously the ultimate cause of everything. But we also use it in the meaning "failed to protect", like if the President got shot many people would blame the Secret Service even though they didn't have any part in it. They just failed to prevent it. The first one isn't really a subject of debate. The second? Well you can implicate almost anyone and everyone if you want to, like take the terror attacks in Brussels. Some will blame the police for not being able to stop it. Some will blame the politicians, the mosques and so on. Who could have done something? Who should have done something differently?

    The latter often ends up in some conflict of idealism versus reality. Nobody has any more right to steal from me because I forget to lock the door. But I obviously made it a lot easier for them. Or the mere absence, does the fact that I don't have a home alarm mean I'm more to blame if burglars loot my apartment? This is where victim blaming comes in, you shouldn't do that, be there, get that drunk, wear that skirt, walk those streets. Idealistically, the answer is of course hell no you shouldn't let that control your life. Practically, it's a mixed bag. I lock my door, I don't live in a prepper's bunker. But if bad shit happens, I'd be pretty pissed if you blamed me for not doing enough because it's still not my fault.

    --
    Live today, because you never know what tomorrow brings

  32. Re:Congratulations! by HiThere · · Score: 2

    Sorry, but NO!!!
    There exist, or used to exist, hackers who didn't deserve any blame. The "cookie monster" hack, e.g., was a warning and didn't do any harm. The implementers of that were hackers who didn't deserve any blame. I don't quite remember the context, but the Morris Worm was, IIRC, an edge case. IIRC he didn't intend any harm, but he made a programming mistake that let the worm get out of control. Sorry, blame is deserved, though not in huge amounts.

    The distinction is between warnings and damage. And, of course, intention...which doesn't change the culpability, but may change the deserved amount of blame.

    Malicious hackers are going to exist, but they deserve to be blamed for the damage they do. Even unintentional damage, though in that case proving that it was unintentional would be quite a feat.

    And guess what? There *IS* no perfect security. NONE! Even instantaneous writes to a WORM aren't perfect security, and are ghastly expensive to run and store, much less to retrieve from. And all storage media have a certain risk of failure.

    That said, I agree that most computer systems don't pay sufficient attention to system security. But there's always a trade off, you invest your time and effort where it seems worthwhile to you. And nobody can predict things perfectly. Computer people tend to be aware of computer security, but don't pay enough attention to the service degradation that enhanced security can sometimes cause. And often make silly choices, or choices that don't consider all the effects. Like requiring passwords to be changed every week to something impossible to memorize, and not expecting post-it notes to appear on monitors.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  33. Poorly done by s.petry · · Score: 3, Informative

    What gets overlooked, and I'll argue intentionally, is that people are not being held accountable for their actions. This is the flaw I constantly see in discussions regarding "Social Justice". You just attempted to do just that, using a very odd example. Given your example, the secret service would be blamed if the President got shot. And they should be blamed. Numerous people assigned to Presidential detail failed if that was to happen. Bob gets paid to take a bullet for the President, and he hid when trouble started. Jerry neglected email about a shooter, Beth ignored the metal detector because that lady just looked nice, etc.. etc...

    Sure, the person who pulled the trigger is a criminal. The other people don't get a free pass at negligence and/or bad decisions because of the crime.

    One more example: Say you are in a public park and a big guy sits across from you on a different bench. You start tossing pebbles and they land close to his feet. He gives you a look that lets you know he's not happy, but you continue to toss pebbles. A dozen or so pebbles later he walks over and punches you in the face.

    Was he right to punch you in the face? No, he is absolutely guilty of assault. On the other hand, you instigated the encounter and are accountable for your actions. Your broken nose in no way negates the fact that you were instigating the encounter.

    You don't have to learn the lesson that you were taught, and the next big guy coming along will still be wrong to punch you in the face. You will still be an instigator deserving of a broken nose.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.