Slashdot Mirror
Kentucky Hospital Calls State of Emergency In Hack Attack (cnbc.com)
An anonymous reader quotes a report from CNBC: A Kentucky hospital is operating in an internal state of emergency following an attack by cybercriminals on its computer network, Krebs on Security reported. Methodist Hospital, based in Henderson, Kentucky, is the victim of a ransomware attack in which hackers infiltrated its computer network, encrypted files and are now holding the data hostage, Krebs reported Tuesday. The criminals reportedly used new strain of malware known as Locky to encrypt important files. The malware spread from the initial infected machine to the entire internal network and several other systems, the hospital's information systems director, Jamie Reid, told Krebs. The hospital is reportedly considering paying hackers the ransom money of four bitcoins, about $1,600 at the current exchange rate, for the key to unlock the files.
Why such a low ransom for such a high risk?
I bet the hospital has more $ in its petty cash drawer...
And who benefits from all this drama? They could have been back up and running before they went to the press. How does the hospital not suffer from this PR (like that they have no network isolation, perimeter security, or backups)? Something else is going on.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Let's use a car analogy.
Say you are "stupid enough" drive to a bad neighborhood. You leave your car parked, but accidentally left one of the doors unlocked. Should it now be perfectly legal to steal that car, or smash the windows, or commit whatever property crime you want on it?
No, but you're a fucking idiot if you don't expect it to happen.
I've seen huge upswings in locky and other ransomware hitting the email gateway since the first. Literal 30x upswing.
Lots of the locky infected messages are mimicking fax gateways and network-to-email scanner/mfp devices. The others are the usual tracking, invoice, tax, payment, etc social engineering schemes.
Via email, most use executables in zip files.
I've banned zip file attachment just to cut down on the load.
I've heard reports that there are some really aggressive targeting via ad networks too.
Backup, backup, and backup some more. Then audit. Then do DR drills. Then Audit the DR drills.
Your user's endpoints aren't secure. Locky and company work inside a user's context and do not need admin privs. Backup is the only thing that will save you.
electronic medical records.
If this turns out to be a typical outcome of medical facility IT administration, then electronic medical records might not be such a good idea, at least not without adjustments to how the records are hosted.
Just like "critical infrastructure" should not be connected to the Internet, it seems medical facility records infrastructure needs to be separate as well. Perhaps this is a general architectural strategy that should be implemented wherever organizations process sensitive information - one level of infrastructure for general purpose communications and Internet access, another (separate) level of infrastructure for the sensitive information, with an acceptance of the higher cost of maintaining the proper separation. One big mashup appears to have some significant risks.
Problem is, if you're a hospital you have thousands of people who can screw up. Any time you have thousands of people who can screw up, it's just a matter of time before someone does.
I also read in another article that they just said "No." and restored from backups.
The sad thing is, I don't think this is limited to certain hospitals ... their core competency is health care, and the fact that IT in hospitals has been underfunded or badly done for years isn't exactly news.
We've been hearing these same stories for years now.
Yes, brilliant, let's hope hospitals go out of business so we can waste money starting from scratch, that will totally be efficient.
Lost at C:>. Found at C.
So, a stupid macro virus open thousand files on a PC at full speed, delete them, and create another one with .locky extension. No AV software has he capability to detect something unusual ? dangerous ? Suspect ? (I wonder how AV waste my CPU and disk IOs so badly...)
This locky shit has been around for a few month, and no AV can do anything about it ?? seriously ? They did not even bother changing the .locky file extension...
Good luck with that... As an infra-engr guy for over a decade now, I can't tell you how many times I've been told to go pound sand by the people in charge of the company when I suggest things like that that cost money upfront to stop things that may cost money later. Pretty much anyone asking for actual backup systems or real DR hits similar walls. Not saying it's right or that I agree with it.. But, it's not as simple as saying it's time they learn. They don't. They never do.
Security people have for decades said "STOP PUTTING EVERYTHING ON THE INTERNET!". And yet we have just about everything including public infrastructure on the Internet. The lies about "why" are very consistent. "Saves money" is probably the most popular, yet who is seeing that savings? Has the cost for you improved, or are the savings are going to execs and bureaucrats? You (Consumer) are the most at risk due to these policy decisions.
A specific class of people saying "do it anyway" does not mean it should be done, it means that people should be better than lemmings. Eventually it will happen, because it will have to happen.
While I certainly feel sorry for anyone who is personally harmed by losing data housed on these systems, I also hope it serves as a wake up call. "Centralized" is not usually the best option.
Blaming the victim, if you claim the Hospital is the victim, is actually appropriate. Blaming the person who's identity may be stolen or trashed was not being done, and those are the real victims here.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
If someone dies in the hospital and it can be traced to critical files being unavailable, the malware owners could be charged with murder.
https://en.wikipedia.org/wiki/...
But not in Kentucky.
https://en.wikipedia.org/wiki/...
The world is made by those who show up for the job.
That's an excuse for one computer getting infected. That's not an excuse for the whole hospital getting infested.
Hourglass says she knows a kid in Iowa who grows up to be president.
Jesus H. Christ. That is a perfectly asinine view. I cannot believe anyone is that morally bankrupt. So some scum kidnaps your elderly mother, threatens you that you will neer see her again, and you pay the ransom. Do you really think you should be charged with being accomplice to kidnapping? THINK. I know it's hard, but try.
Look, I know the situation with this ransomware shit is exasperating. It's pretty much a no-brainer that you pay the ransom if it makes financial sense and you can't rescue it otherwise, but after that is done and the data is restored, and maybe after you take serious and effective steps to make sure that it can never happen again, you (and the system) go after the scum-sucking low-lifes who are responsible for the ACTUAL law-breaking, and all others like them, with a fury and resolve that knows no bounds. These ransomware attacks should be crimes of a very high order, and a first offense should be a minimum multi-decade sentence.
Making the victim a double victim (victim of the law as well as victim of micreants) is absolutely the worst idea I ever heard of.
Because victims never contribute to their state of being a victim?
Saying victim blaming is wrong is saying that if you become a victim you instantly become infallible, could not have contributed to the problem in anyway and are a completely innocent party.
For several years now, every single security analyst, including the FBI (https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/) I've come across has said the same thing about crypto-ransomware: pay them.
There is time to be idealistic later. Right now, you're being mugged: Do what you need to survive.
The Daddy casts sleep on the Baby. The Baby resists!
Would it cost more than a lawsuit filed against the hospital by the next of kin of a patient that died because the equipment needed to keep them alive was disabled by an attack like this?
Curious how you failed to mention that Locky requires Windows & Office to work ..
Or, maybe, they should learn to have good backup policies so a ransomware infection would result in, at most, loss of 1 day's data while the last pre-infection backup is restored. Data integrity 101, people.
Because victims never contribute to their state of being a victim? Saying victim blaming is wrong is saying that if you become a victim you instantly become infallible, could not have contributed to the problem in anyway and are a completely innocent party.
There's two fundamentally different but overlapping meanings of blame. One is the perp's blame - the thief, the murderer, the rapist who is obviously the ultimate cause of everything. But we also used it in the meaning "failed to protect", like if the President got shot many people would blame the Secret Service even though they didn't have any part in it. They just failed to prevent it. The first one isn't really a subject of debate. The second? Well you can implicate almost anyone and everyone if you want to, like take the terror attacks in Brussels. Some will blame the police for not being able to stop it. Some will blame the politicans, the mosques and so on. Who could have done something? Who should have done something differently?
The latter often ends up in some conflict of idealism versus reality. Nobody has any more right to steal from me because I forget to lock the door. But I obviously made it a lot easier for them. Or the mere absence, does the fact that I don't have a home alarm mean I'm more to blame if burglars loot my apartment? This is where victim blaming comes in, you shouldn't do that, be there, get that drunk, wear that skirt, walk those streets. Idealistically, the answer is of course hell no you shouldn't let that control your life. Practically, it's a mixed bag. I lock my door, I don't live in a prepper's bunker. But if bad shit happen, I'd be pretty pissed if you blamed me for not doing enough because it's still not my fault.
Live today, because you never know what tomorrow brings
CIOs go to jail over incidents like that.
If only that were true. Executives almost never go to jail, even for knowingly engaging in practices that are killing people. Just ask Volkswagon, or Enron, or BP, etc...
I wish I had a good sig, but all the good ones are copyrighted
Network segmentation, internal firewalls, client firewalls and admin isolation are the keys to preventing this.
Local Server and client firewalls prevent access to system shares from unauthorized sources.
Firewalls segmenting the network help isolate an outbreak.
Admin isolation: No logging onto your desktop as admin ever! management tasks are done by remote access to workstations isolated in their own hardened network segment and built for admin tasks.
Overkill? depends on your point of view. I know of places doing it this way.
Admins will fight not having their tool set local on their machines but after you get used to it it's better.
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. --Red Adair
What gets overlooked, and I'll argue intentionally, is that people are not being held accountable for their actions. This is the flaw I constantly see in discussions regarding "Social Justice". You just attempted to do just that, using a very odd example. Given your example, the secret service would be blamed if the President got shot. And they should be blamed. Numerous people assigned to Presidential detail failed if that was to happen. Bob gets paid to take a bullet for the President, and he hid when trouble started. Jerry neglected email about a shooter, Beth ignored the metal detector because that lady just looked nice, etc.. etc...
Sure, the person who pulled the trigger is a criminal. The other people don't get a free pass at negligence and/or bad decisions because of the crime.
One more example: Say you are in a public park and a big guy sits across from you on a different bench. You start tossing pebbles and they land close to his feet. He gives you a look that lets you know he's not happy, but you continue to toss pebbles. A dozen or so pebbles later he walks over and punches you in the face.
Was he right to punch you in the face? No, he is absolutely guilty of assault. On the other hand, you instigated the encounter and are accountability for your actions. Your broken nose in no way negates the fact that you were instigating the encounter.
You don't have to learn the lesson that you were taught, and the next big guy coming along will still be wrong to punch you in the face. You will still be an instigator deserving of a broken nose.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Let's calculate. Once upon a time I was a sysadmin in some Russian hospital. About 100 quite old computers with about 100 GB each. The critical data are about half of them. So you need about 10 TB to hold a reserve copy of everything - about US$500 of HDD. Maybe less. Then, you take any computer that has enough HDD ports - about US$150 since you don't need a new shiny computer, it would just work. Install there some software that would copy the modified files - it's free.
But it's not the solution. The correct solution is the order of Chief Doctor that everybody who does not cooperate with Sysadmin would pay the ransom from their own pocket.