Slashdot Mirror


Months After Hacks, DHS Sends a Warning About Hospital Ransomware (vice.com)

An anonymous reader writes: Since February, at least a dozen hospitals have been affected by ransomware, malware that encrypts a victim's files until they cough up a bounty to the hackers. In response, US-CERT, the country's Computer Emergency Readiness Team, issued an alert on March 31 warning potential victims of the risks, and how to protect themselves. But, considering that some hospitals have already had to divert emergency services, push high-risk operations to future dates, and even turn away some patients, is the alert too little, too late?

59 comments

  1. Contents of warning email from "CERT" by JoeyRox · · Score: 5, Funny

    To Hospital Facility,

    Hello, my name is Mandori Tugelli, and I am a foreign national from the country of Nigeria. With great sadness and events my great uncle has passed away. To help in my sorrow I have learned that my uncle has left me a very large inheritance. Unfortunately to collect this money I require the help of a USA business such as yours because my uncle left all his funds in US Dollars. If you could kindly click the link provided below and fill out the banking information for you business I will gladly offer you 50% of the proceeds for helping me collect my inheritance.

    Kind Regards,

    Mr. Mandori Tugelli

    1. Re: Contents of warning email from "CERT" by Anonymous Coward · · Score: 0

      Mr. Mandori,

      My name is Manjeet. I am in the USA but unable to get my money from Afghanistan. If you would kindly provide your routing number and bank account, I will transfer my money and allow you to keep $200,000USD. This will solve our mutual problem of no money.

      Thank you.

    2. Re:Contents of warning email from "CERT" by Joe_Dragon · · Score: 0

      Mandori Tugelli,

      After our bill your uncle's inheritance is -$50K and we are willing to waive the -$50K. Sorry for your loss.

    3. Re: Contents of warning email from "CERT" by Anonymous Coward · · Score: 0

      94349734828632643984598549t8403574892637862876398440594-69902-2043095408584397829478748743847

    4. Re:Contents of warning email from "CERT" by 110010001000 · · Score: 1

      Where is the link? I would love to help!

    5. Re: Contents of warning email from "CERT" by tripleevenfall · · Score: 1

      Thank you Manjeet. Here is my banking info.

      111101000111111111000000 000111111111110000 000000011111111111111110000 0000011010000111000000000000011100 0001101000011100000000110100001 1100000000110100001110000000011010000111 0000000011010000111000000001 1010000111000000001101000011100000

    6. Re:Contents of warning email from "CERT" by ole_timer · · Score: 1

      Please send link! I must click on it!

      --
      nothing to see here - move along

    7. Re:Contents of warning email from "CERT" by KGIII · · Score: 1

      I am currently having an email conversation (it has gone on for almost two weeks now) with some Chinese spammer. So far, so good but I'm not really sure where to go with it. They make glass doors. I'm thinking about having them send me a sample.

      --
      "So long and thanks for all the fish."

    8. Re:Contents of warning email from "CERT" by Anonymous Coward · · Score: 0

      Silly spammers, selling a product no one wants.

      Haven't they heard that glass ceilings are where it's at?

    9. Re:Contents of warning email from "CERT" by KGIII · · Score: 1

      I really have 'em on the hook, too. I've not once lied to them - I'm kind of keen on that. I do, in fact, know not just one but two people who are involved in building materials at the retail outlet and both of those people actually own, in part or in whole, the companies to which I refer.

      Both of them do, in fact, sell windows and doors.

      One of them is actually fairly large for that physical area - they've got multiple locations across the State of Maine. They're Hammond Lumber and Ware-Butler. Although the "kid" owns Ware-Butler now and I'm more familiar with his father.

      Now, if I could find a product they were interested in purchasing and make a good deal on them - then I might consider it. However, I hate to reward spammers so that is *really* the least likely outcome from all of this. So, a more nefarious outcome is desired... I'm thinking about getting free samples sent - maybe even a display model or two. Do you have any idea how bulky and heavy a glass door is? They make some triple-pane doors, gas-sealed, and they've gotta weigh a hell of a lot. Maine's in the northern climes and the greater the R-value the better it will sell, after all.

      So, I'm thinking about trying to get at least one sample door sent to me.

      Err... I can't be the only one here who has a little fun at spammers' expense? Yes? No? I mean, they're fair game - they opened themselves up for contact.

      Another fun one is the people who ask me about a product that I have for sale or the search engine optimization for my site. I always ask them what product(s) or site(s) they're asking about. I get back some of the damnedest answers and no, not one single product or site is correct. I do, technically, have several products that you could say I sell. (I do not do so directly. An incorporated body that I control sells wood from my land.) I do, also, have a web presence but they don't actually spam that address.

      Speaking of web presence... I gotta get back to debugging this damned thing - something keeps spiking the CPU.

      --
      "So long and thanks for all the fish."

  2. Now that's what I call proactive! by Anonymous Coward · · Score: 0

    Thanks govt for looking out for us citizens!

    1. Re:Now that's what I call proactive! by NotDrWho · · Score: 2

      ALERT: The horse has escaped the barn! Please secure the barn door immediately!

      --
      SJW's don't eliminate discrimination. They just expropriate it for themselves.

  3. So Govt Can Hack Phones But Not Ransomware by zenlessyank · · Score: 1

    Someone is fucking lying. Nevermind, I've been told everyone is fucking lying.

    1. Re:So Govt Can Hack Phones But Not Ransomware by PolygamousRanchKid · · Score: 3, Insightful

      Have you ever thought that the government is running the ransomware gang? It's more or less the same as the IRS. Unfortunately the woman at the IRS running the scheme plead the 5th Amendment before Congress, before she jumped out of Tante Ju with a golden parachute . . .

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!

  4. Interesting by The-Ixian · · Score: 3, Interesting

    I happened to be watching broadcast TV yesterday and I saw a PSA put on by some kind of law enforcement organization.

    The PSA was about public wifi hotspots and told people to turn off their wifi when they leave the house and if you do connect to a public wifi hotspot, don't do e-commerce or other sensitive transactions.

    I was floored. It was such a good and informative message I couldn't believe its source.

    Perhaps there is a governmental push for these types of messages now...

    --
    My eyes reflect the stars and a smile lights up my face.

    1. Re:Interesting by bluefoxlucid · · Score: 0

      I just use SSL. My browser loses its shit if my bank or Amazon uses a non-verisigned SSL certificate, and I don't put my credit card number in crazy.

  5. No Ransomware at THIS Hospital by WheezyJoe · · Score: 1

    Obligatory loosely-related Monty Python bit: Now I know some hospitals where you get the patients lying around in bed... well that's not how we do things here, right!

    --
    Take it easy, Charlie, I've got an Angle...

  6. No discussion of what kinds of OS are vulnerable by david.emery · · Score: 0

    Why not, CERT? Don't you think this is relevant?

  7. Can someone tell me by fredrated · · Score: 1

    what a SLASHVERTISEMENT is?

    1. Re:Can someone tell me by Anonymous Coward · · Score: 0

      No, sorry. That information is restricted.

      But if you must know, I believe it has something to do with a Vertisement that has a slash in front of it. Like /vertisement

    2. Re:Can someone tell me by sims 2 · · Score: 2

      Alright! Now /. Is being more clear with their advertising.

      Although I didn't expect to find out that every single post was paid.

      SLASHVERTISEMENT: What /. users call paid (aka sponsored) posts that are not identified as such...Except today!

      --
      Minimum threshold fixed. Thanks!

    3. Re:Can someone tell me by Anonymous Coward · · Score: 0

      It is a portmanteux (2) of Slashdot Advertisement. It was first typed by a member of the Slashdot Numbered Rage Brigade in response to a story on Slashdot that he perceived as an advertisement. While the original thread is lost to antiquity, Slasheologists are unanimous in opinion that the offending story was probably about something new from Microsoft.

    4. Re:Can someone tell me by Marginal Coward · · Score: 1

      It's simply an anagram for "Heavers Smelt Nits." (Isn't that mostly what we do here?)

    5. Re:Can someone tell me by Anonymous Coward · · Score: 0

      portmanteux (2)

      How on earth did you manage to LINK TO THE RIGHT PAGE while simultaneously managing to misspell "portmanteau"?

    6. Re:Can someone tell me by Anonymous Coward · · Score: 0

      Although I didn't expect to find out that every single post was paid.

      It's April Fools. They're not all paid.

    7. Re:Can someone tell me by Anonymous Coward · · Score: 0

      Read the link.

    8. Re:Can someone tell me by Marginal Coward · · Score: 1

      Or maybe it's a commentary on Candidate Trump, and Former Candidate Rubio for trying to beat him at his own game: "Statesmen Shrivel"

    9. Re:Can someone tell me by Marginal Coward · · Score: 1

      Or maybe part of the endless Vim vs. Emacs debate: Vim fans tout "the Vim's alertness" and Emacs folks, tired of hearing it, respond with "threaten less Vims" and are relieved to hear that The Prophet Stallman "reseals tenth Vims" just in time to avert the coming apocalypse.

    10. Re:Can someone tell me by Anonymous Coward · · Score: 0

      It's simply an anagram for "Heavers Smelt Nits." (Isn't that mostly what we do here?)

      Really? You had the opportunity to write "Smelt Neavers shit" and you didn't take it?

  8. STOP USING XP by Billly Gates · · Score: 3, Informative

    I for one refuse to work for hospitals. Not only do they treat IT like plumbers and do not respect them if they have no PhD, but they run XP SP 2 ... SP 3 might be ready someday??! They use IE 6 and IE 7. Their Cisco routers are turn of the century and still BSD Unix based.

    Oh and it is IT's fault if they get ransomware.

    The whole FDA certification created this mess! But worse, insurance companies are nickel and diming their budgets. If XP works DON'T touch it.

    If people used Windows 8/10 (yeah it looks funny boo hiss ) with secureboot it wouldn't load half of these ransomware as rootkits could be blocked.

    A lesson here for those who use XP with no updates with a smile :-) ... if it happened to them it could happen to you.

    1. Re: STOP USING XP by Anonymous Coward · · Score: 1

      That's an insult to plumbers. Most IT people are lazy and useless, don't understand the technology they are supposed to support, and have zero communication skills!

    2. Re: STOP USING XP by Anonymous Coward · · Score: 1

      It is IT's fault. You are the morons letting exe, bat, and other file types through to your users. In addition, you are the same IT morons who are too stupid/lazy to segment your networks. Most of those PCs are using T/S. There is no reason that the terminal server should be on the same network with the PCs.

      You add no cost to segment your network but you're simply too lazy or lack education; both of which indicate you shouldn't be in the field.

      Many of them I've met wouldn't even make good Walmart greeters.

    3. Re: STOP USING XP by Anonymous Coward · · Score: 1

      The recent Medstar incident was due to an unpatched exploit in JBOSS that's been known for over a year on a public facing web server. It had zero to do with stupid users or email. Medstar has an interim CIO whose first order of business was budget cuts. Guess which got cut first? If you said IT Security you win a cookie.

      And I'm told things are a lot worse there than Medstar is saying. And critical patient records are definitely inaccessible.

    4. Re:STOP USING XP by Anonymous Coward · · Score: 0

      If people used Windows 8/10 (yeah it looks funny boo hiss ) with secureboot it wouldn't load half of these ransomware as rootkits could be blocked.

      However, X-rays of my teeth will be sent to Microsoft Telemetry for analysis. Thanks, but no thanks.

    5. Re:STOP USING XP by Billly Gates · · Score: 2

      If people used Windows 8/10 (yeah it looks funny boo hiss ) with secureboot it wouldn't load half of these ransomware as rootkits could be blocked.

      However, X-rays of my teeth will be sent to Microsoft Telemetry for analysis. Thanks, but no thanks.

      yeah ok but running XP with a possible keylogger on the friendly receptionist entering your credit card and social security numbers is fine

    6. Re:STOP USING XP by Anonymous Coward · · Score: 1

      You have one government agency telling you that you cannot update your software/systems until they are FDA certified, you have another government agency telling you that you should upgrade your systems immediately to prevent attack, you have vendors that are non-responsive when it comes to upgrading their systems because "it works", not to mention the cost to upgrade is so high. Also these systems have to be on the network to download and upload data...

    7. Re:STOP USING XP by plover · · Score: 1

      The credit card sector figured out how to incorporate patching into their requirements - not applying regular patches means no PCI certification. The FDA has to climb into this millennium and start requiring the ongoing patching of medical systems as well. And that means everything from nurse's station PCs to ultrasound units to drug pumps.

      This is how I see it (roughly estimating the numbers):

      A machine with an FDA-approved configuration performs safely 99.99% or more of the time.
      FDA approval is needed for any change to a machine, including patches. Non-certified patches take a machine out of compliance.
      FDA approval for testing a patched configuration takes lots of money, which is negative incentive on the manufacturer to release frequent patches.
      FDA approval for testing a patched configuration takes a long time.
      A tested machine is vulnerable to all exploits discovered since the creation time of the tested configuration.
      Loss of availability is less risky to patient health than incorrect or erratic functioning, which is less risky than deliberately harmful functioning.
      A bad patch will most likely cause loss of availability instead of incorrect functioning; and will never cause deliberate harm.
      Malware may cause prolonged loss of availability, incorrect or erratic functioning, or even deliberately harmful functioning.

      I conclude:
      A machine with an FDA-approved configuration is vulnerable to more exploits than a recently patched machine.
      A machine with patches that take it out of FDA approval will perform safely 99.9% of the time, with the delta being primarily loss of availability.
      A machine infested with malware performs safely anywhere from 0% - 95% of the time, with the possibility of deliberately created patient harm.
      Therefore, the current FDA approval process is exposing patients to more risk than patching.

      The FDA should therefore immediately require the ongoing patching of operating systems controlling medical devices.

      --
      John

    8. Re:STOP USING XP by Anonymous Coward · · Score: 0

      The credit card sector figured out how to incorporate patching into their requirements - not applying regular patches means no PCI certification. The FDA has to climb into this millennium and start requiring the ongoing patching of medical systems as well. And that means everything from nurse's station PCs to ultrasound units to drug pumps.

      This is how I see it (roughly estimating the numbers):

      A machine with an FDA-approved configuration performs safely 99.99% or more of the time.
      FDA approval is needed for any change to a machine, including patches. Non-certified patches take a machine out of compliance.
      FDA approval for testing a patched configuration takes lots of money, which is negative incentive on the manufacturer to release frequent patches.
      FDA approval for testing a patched configuration takes a long time.
      A tested machine is vulnerable to all exploits discovered since the creation time of the tested configuration.
      Loss of availability is less risky to patient health than incorrect or erratic functioning, which is less risky than deliberately harmful functioning.
      A bad patch will most likely cause loss of availability instead of incorrect functioning; and will never cause deliberate harm.
      Malware may cause prolonged loss of availability, incorrect or erratic functioning, or even deliberately harmful functioning.

      I conclude:
      A machine with an FDA-approved configuration is vulnerable to more exploits than a recently patched machine.
      A machine with patches that take it out of FDA approval will perform safely 99.9% of the time, with the delta being primarily loss of availability.
      A machine infested with malware performs safely anywhere from 0% - 95% of the time, with the possibility of deliberately created patient harm.
      Therefore, the current FDA approval process is exposing patients to more risk than patching.

      The FDA should therefore immediately require the ongoing patching of operating systems controlling medical devices.

      CEO of medical equipment company ACME to board shareholder meeting ....

      Shareholder: Why aren't hospitals throwing out their ultra expensive perfectly good working medical equipment with new ones every year? WTF they keep using what works to save customer money??!

      CEO: I know. Wouldn't it be great if there was some way we could force people to keep rebuying half a million dollar medical equipment against their will?

      Shareholder: I can buy out some politicians. Hmm what law could be enabled?

      CEO: Well the FDA and IRS are the only 2 things our customers care about. How can we make the FDA enforce customers to always buy our equipment? .....

    9. Re:STOP USING XP by AlphaBro · · Score: 1

      I'm sure out of the hundreds of millions of installs, yours is the telemetry they're after, and it will be personally reviewed by Satya Nadella. It's not, you know, usage data to improve the reliability of the software.

    10. Re:STOP USING XP by Anonymous Coward · · Score: 0

      This isn't just hospitals, but a lot of companies. There are so many companies that are running old vendor apps using ancient versions of Java, ActiveX among the use of XP. It always blows me away but management won't spend the money or lazy IT are fully confident that their decades old firewall will protect them.

  9. Re:No discussion of what kinds of OS are vulnerabl by Anonymous Coward · · Score: 0

    It is all the same operating system.

    Windows.

    You know - that piece of junk from Microsoft. The least secure operating system in the world.

  10. Hmm by Anonymous Coward · · Score: 0

    Please shutdown domain googlevideo.com and analyse any change over zombie networks information.

  11. But -- they're the Government ... by Anonymous Coward · · Score: 0

    ... and they are here to help.

  12. What? by Anonymous Coward · · Score: 0

    Most ransomware comes disguised as a legitimate email and the user is stupid enough to open the zip file, run the javascript, and then ok the .exe file that is downloaded and executed. Some basic security measures would fix this but it has zero to do with Windows.

    1. Re:What? by Billly Gates · · Score: 1

      Most ransomware comes disguised as a legitimate email and the user is stupid enough to open the zip file, run the javascript, and then ok the .exe file that is downloaded and executed. Some basic security measures would fix this but it has zero to do with Windows.

      You can't stop stupid. Especially if the employee doesn't care as he or she doesn't own the computer. If it is from a boss they will open it.

      However, you can block with GPO's, security updates, modern endpoint protection AV suites, and even have ports in Cisco routers shut off during detection with network protection services.

      XP is not patched. It won't be updated. You can't block everything. ASLR and sandboxing cut back on holes. Network protection services have better support in a modern OS to prevent spreads.

    2. Re: What? by Anonymous Coward · · Score: 0

      What? You can filter email easily. You can also protect your environment with a proxy server with filtering. Very inexpensively (if not free) and prevent viruses from entering your old Windows XP environment.

    3. Re: What? by Billly Gates · · Score: 1

      What? You can filter email easily. You can also protect your environment with a proxy server with filtering. Very inexpensively (if not free) and prevent viruses from entering your old Windows XP environment.

      Hello IT! This is the director of Internal Medicine WHERE DID MY PDF files from Labcorp. I have patient lives REQUIRING THIS PDFS. Get em up!

    4. Re: What? by Anonymous Coward · · Score: 1

      Medstar's infection didn't come in via email, it was a web server hack.

  13. Backups? by Dunbal · · Score: 2

    I find it amazing that none of these hospitals are making regular backups of their files. Storage is not the expensive part.

    --
    Seven puppies were harmed during the making of this post.

    1. Re:Backups? by Anonymous Coward · · Score: 0

      Why should we backup PATIENT files? It's not our data, we don't give a fuck about it.

  14. No, it's not too little, too late. by SecurityGuy · · Score: 2

    Ransomware has been around for quite a long time. The solution (backups, training, patching, etc) have, too. So am I upset that DHS hasn't already issued a warning about a threat that's been around longer than DHS? No. Anybody responsible for medical IT security already knows. Now, whether they're actually allowed to do anything about it may be a different story entirely.

    1. Re:No, it's not too little, too late. by Anonymous Coward · · Score: 0

      Issuing a warning is nice, but why are they not doing anything about it? Wars have been started for less.

  15. IRS???? by Anonymous Coward · · Score: 0

    I would laugh my ass off if somebody managed to ransomware the IRS.

  16. Where are the regulators? by zerofoo · · Score: 1

    I was the Director of Network Services for a small community bank. Since we were an FDIC insured bank, we were regulated by the Office of Thrift Supervision (OTS).

    We were never permitted to run any software or hardware that was not supported by the manufacturer. We also had tons of security requirements (intrusion detection, the most restrictive permissions delegated to allow someone to do their job, putting all internet facing devices in a DMZ, database auditing and logging...etc...etc...etc).

    I've never worked IT in healthcare. How does a provider of medical services not have similar regulatory requirements?

  17. I call - April Fools Prank by Anonymous Coward · · Score: 0

    The US Government "Never" moves that swiftly.. 3 months.. you have got to be kidding

  18. Wrong audience by Rick Zeman · · Score: 2

    Anyone who reads US-CERT alerts probably wouldn't be in their predicament to begin with.

  19. Ban Microsoft Windows in Hospitals by khz6955 · · Score: 1

    The solution is to totally ban Microsoft Windows in Hospitals:

    "Microsoft excludes all implied warranties and conditions, including those of merchantability, fitness for a particular purpose, and non-infringement." ref

    1. Re:Ban Microsoft Windows in Hospitals by Anonymous Coward · · Score: 0

      Better yet ban the management that don't keep informed and cut costs or lazy IT. JBOSS is Java based and runs on Linux too. They were running an exploited unpatched version of JBOSS and the exploit came through server side with the Samsam exploit. Read before you speak. In fact, no article has yet specified what Server OS JBOSS was running on. It could have been Red Hat since they own JBoss.

    2. Re:Ban Microsoft Windows in Hospitals by khz6955 · · Score: 1

      it's always nice to be corrected by some anonymous coward :)