Slashdot Mirror
Kentucky Hospital Calls State of Emergency In Hack Attack (cnbc.com)
An anonymous reader quotes a report from CNBC: A Kentucky hospital is operating in an internal state of emergency following an attack by cybercriminals on its computer network, Krebs on Security reported. Methodist Hospital, based in Henderson, Kentucky, is the victim of a ransomware attack in which hackers infiltrated its computer network, encrypted files and are now holding the data hostage, Krebs reported Tuesday. The criminals reportedly used new strain of malware known as Locky to encrypt important files. The malware spread from the initial infected machine to the entire internal network and several other systems, the hospital's information systems director, Jamie Reid, told Krebs. The hospital is reportedly considering paying hackers the ransom money of four bitcoins, about $1,600 at the current exchange rate, for the key to unlock the files.
Why such a low ransom for such a high risk?
I bet the hospital has more $ in its petty cash drawer...
And who benefits from all this drama? They could have been back up and running before they went to the press. How does the hospital not suffer from this PR (like that they have no network isolation, perimeter security, or backups)? Something else is going on.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Let's use a car analogy.
Say you are "stupid enough" drive to a bad neighborhood. You leave your car parked, but accidentally left one of the doors unlocked. Should it now be perfectly legal to steal that car, or smash the windows, or commit whatever property crime you want on it?
No, but you're a fucking idiot if you don't expect it to happen.
I've seen huge upswings in locky and other ransomware hitting the email gateway since the first. Literal 30x upswing.
Lots of the locky infected messages are mimicking fax gateways and network-to-email scanner/mfp devices. The others are the usual tracking, invoice, tax, payment, etc social engineering schemes.
Via email, most use executables in zip files.
I've banned zip file attachment just to cut down on the load.
I've heard reports that there are some really aggressive targeting via ad networks too.
Backup, backup, and backup some more. Then audit. Then do DR drills. Then Audit the DR drills.
Your user's endpoints aren't secure. Locky and company work inside a user's context and do not need admin privs. Backup is the only thing that will save you.
Good luck with that... As an infra-engr guy for over a decade now, I can't tell you how many times I've been told to go pound sand by the people in charge of the company when I suggest things like that that cost money upfront to stop things that may cost money later. Pretty much anyone asking for actual backup systems or real DR hits similar walls. Not saying it's right or that I agree with it.. But, it's not as simple as saying it's time they learn. They don't. They never do.
Security people have for decades said "STOP PUTTING EVERYTHING ON THE INTERNET!". And yet we have just about everything including public infrastructure on the Internet. The lies about "why" are very consistent. "Saves money" is probably the most popular, yet who is seeing that savings? Has the cost for you improved, or are the savings are going to execs and bureaucrats? You (Consumer) are the most at risk due to these policy decisions.
A specific class of people saying "do it anyway" does not mean it should be done, it means that people should be better than lemmings. Eventually it will happen, because it will have to happen.
While I certainly feel sorry for anyone who is personally harmed by losing data housed on these systems, I also hope it serves as a wake up call. "Centralized" is not usually the best option.
Blaming the victim, if you claim the Hospital is the victim, is actually appropriate. Blaming the person who's identity may be stolen or trashed was not being done, and those are the real victims here.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
If someone dies in the hospital and it can be traced to critical files being unavailable, the malware owners could be charged with murder.
https://en.wikipedia.org/wiki/...
But not in Kentucky.
https://en.wikipedia.org/wiki/...
The world is made by those who show up for the job.
Jesus H. Christ. That is a perfectly asinine view. I cannot believe anyone is that morally bankrupt. So some scum kidnaps your elderly mother, threatens you that you will neer see her again, and you pay the ransom. Do you really think you should be charged with being accomplice to kidnapping? THINK. I know it's hard, but try.
Look, I know the situation with this ransomware shit is exasperating. It's pretty much a no-brainer that you pay the ransom if it makes financial sense and you can't rescue it otherwise, but after that is done and the data is restored, and maybe after you take serious and effective steps to make sure that it can never happen again, you (and the system) go after the scum-sucking low-lifes who are responsible for the ACTUAL law-breaking, and all others like them, with a fury and resolve that knows no bounds. These ransomware attacks should be crimes of a very high order, and a first offense should be a minimum multi-decade sentence.
Making the victim a double victim (victim of the law as well as victim of micreants) is absolutely the worst idea I ever heard of.
Since the past decade. Enumerating viruses is useless. There are too many. Machine learning can be fooled and has high false positive rates. A French researcher at Kiwicon in 2014 showed that the parsers most AVs use run as the System user. He was able to use broken JPEGs and PDFs against the parser and get code execution as the System users (read: you don't even have to open the file. The virus scanner ran the executable code!)
Active virus scanners are totally worthless today and actually increase the attack vectors to machines. Passive virus scanners are about equally as useless.
Would it cost more than a lawsuit filed against the hospital by the next of kin of a patient that died because the equipment needed to keep them alive was disabled by an attack like this?
Because victims never contribute to their state of being a victim? Saying victim blaming is wrong is saying that if you become a victim you instantly become infallible, could not have contributed to the problem in anyway and are a completely innocent party.
There's two fundamentally different but overlapping meanings of blame. One is the perp's blame - the thief, the murderer, the rapist who is obviously the ultimate cause of everything. But we also used it in the meaning "failed to protect", like if the President got shot many people would blame the Secret Service even though they didn't have any part in it. They just failed to prevent it. The first one isn't really a subject of debate. The second? Well you can implicate almost anyone and everyone if you want to, like take the terror attacks in Brussels. Some will blame the police for not being able to stop it. Some will blame the politicans, the mosques and so on. Who could have done something? Who should have done something differently?
The latter often ends up in some conflict of idealism versus reality. Nobody has any more right to steal from me because I forget to lock the door. But I obviously made it a lot easier for them. Or the mere absence, does the fact that I don't have a home alarm mean I'm more to blame if burglars loot my apartment? This is where victim blaming comes in, you shouldn't do that, be there, get that drunk, wear that skirt, walk those streets. Idealistically, the answer is of course hell no you shouldn't let that control your life. Practically, it's a mixed bag. I lock my door, I don't live in a prepper's bunker. But if bad shit happen, I'd be pretty pissed if you blamed me for not doing enough because it's still not my fault.
Live today, because you never know what tomorrow brings
CIOs go to jail over incidents like that.
If only that were true. Executives almost never go to jail, even for knowingly engaging in practices that are killing people. Just ask Volkswagon, or Enron, or BP, etc...
I wish I had a good sig, but all the good ones are copyrighted
Network segmentation, internal firewalls, client firewalls and admin isolation are the keys to preventing this.
Local Server and client firewalls prevent access to system shares from unauthorized sources.
Firewalls segmenting the network help isolate an outbreak.
Admin isolation: No logging onto your desktop as admin ever! management tasks are done by remote access to workstations isolated in their own hardened network segment and built for admin tasks.
Overkill? depends on your point of view. I know of places doing it this way.
Admins will fight not having their tool set local on their machines but after you get used to it it's better.
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. --Red Adair