
Ransomware virus


Dirtyhip


It hit our hospital.  All the med staff are hand charting again.

People are horrible.  It is so sad that evil people would attack a hospital, where people are being treated. In the middle of a pandemic no less.  

:(

I read about this today, but it hit us two days ago.

https://www.marketwatch.com/story/fbi-warns-major-ransomware-attack-threatens-to-hobble-hospitals-01603936303?mod=home-page


Just now, JerrySTL said:

Unfortunately hospitals and many other businesses consider IT to be a necessary evil at best and often shortchange it. This leads to hiring insufficient, undertrained staff which leads to security holes. This makes for an easy target.

I feel like ALL businesses short change IT security (with a few good ones out there), so it is no surprise that the hospital systems get hit.  It is surprising more aren't hit, but likely MANY more are hit than are reported.  Like the Garmin outage - would we have known had there not been a massive public visibility for days?


A local school district had to delay reopening for over a week due to a ransomware attack that encrypted all the data on the ISD computer system.  Nothing stolen, etc.  Just encrypted and unusable until they paid.  Most places have insurance for stuff like this.


Our county got hit by ransomware back in January.  It took MONTHS for them to recover. They used pen, paper and typewriters.  The newspaper recently had an article saying they spent $500,000+ (not to the ransomware thugs) for recovery.   The thing that surprised me was that they had an insurance policy for the attack.  The taxpayers only paid $5000.  Now they are working on being more prepared to avoid ransomware attacks. 

I would have hoped a hospital would have more security and/or training than our county, but I guess not. I hope they can recover quickly.  


1 minute ago, Razors Edge said:

I feel like ALL businesses short change IT security (with a few good ones out there), so it is no surprise that the hospital systems get hit.  It is surprising more aren't hit, but likely MANY more are hit than are reported.  Like the Garmin outage - would we have known had there not been a massive public visibility for days?

All 50 States have laws about reporting security breaches. However they are a mixture of different rules and requirements. There are many loopholes. The federal government is working towards the DATA BREACH NOTIFICATION ACT but it's not public law yet.


3 minutes ago, JerrySTL said:

All 50 States have laws about reporting security breaches. However they are a mixture of different rules and requirements. There are many loopholes. The federal government is working towards the DATA BREACH NOTIFICATION ACT but it's not public law yet.

I can imagine lawyers using plenty of semantic arguments to show that while some group got into the system and encrypted the information, there is no proof the data was "taken", so there is no need to consider it a data breach and hence no need to notify users?

I actually don't think I ever got anything from Garmin about my info being compromised.  I have, at different times, gotten the random notice from a banking institution about things like that, and even got "free" monitoring on my SSN due to one big breach. 


Article on this is in today’s WaPo and mentions the Klamath Falls Hospital:

National Security

Hospitals being hit in coordinated, targeted ransomware attack from Russian-speaking criminals

By Ellen Nakashima and Jay Greene
October 28 at 10:12 PM ET

Russian-speaking cybercriminals in recent days have launched a coordinated attack targeting U.S. hospitals already stressed by the coronavirus pandemic with ransomware that analysts worry could lead to fatalities.

In the space of 24 hours beginning Monday, six hospitals from California to New York have been hit by the Ryuk ransomware, which encrypts data on computer systems, forcing the hospitals in some cases to disrupt patient care and cancel noncritical surgeries, analysts said. The criminals have demanded a ransom ranging upward of $1 million to unlock the system, and some hospitals have paid, they said.

On Tuesday, the FBI, the Department of Homeland Security and the Department of Health and Human Services issued a joint advisory alerting health-care providers to the threat.

“The events unfolding right now have the potential to cause the loss of life, potentially across multiple hospitals,” said Charles Carmakal, chief technology officer for Mandiant, a cybersecurity firm, which has helped some of the hospitals affected try to recover their data.

The cybercriminals have been discussing their intent to target hundreds of U.S. health-care organizations, said Alex Holden, chief information security officer and president of Milwaukee-based Hold Security. One of those hospitals alone has more than 60 locations in the country, he said.

The criminals, who operate out of Eastern Europe, are not targeting election-related infrastructure in this campaign, the analysts said. But they are known to have gone after other targets, including state and local government networks.

[Cyber Command sought to disrupt world’s largest botnet, one used to deliver ransomware]

Earlier this month, Microsoft and U.S. Cyber Command, the Pentagon’s offensive cyberunit, in separate campaigns sought to disrupt the criminals by dismantling the network of infected computers they used to deploy Ryuk. One goal, Microsoft and U.S. officials said, was to prevent the “botnet” from being used to deliver damaging ransomware that could lock up voter registration and other systems in the lead-up to the election. But the criminals behind that botnet, known as Trickbot, have mostly moved to a new set of infected computers, analysts said. Microsoft said earlier that it expected the criminals to try to rebuild their network.

[Microsoft won court order to disrupt ransomware-linked botnet]

Though criminals have been deploying ransomware against hospitals since the beginning of the pandemic, having one group hit six separate hospital organizations in 24 hours is a step up in tactics, said Allan Liska, intelligence analyst at the cyberfirm Recorded Future. “If they can do this to six hospitals, there’s no reason they can’t do this to a dozen,” he said. “That means that patient care could be seriously impacted and people could die from something like that.”

A woman in Germany died last month when the hospital she went to for emergency care turned her away because it had suffered a ransomware attack. She died en route to another facility. It is unclear whether Ryuk was involved in that case, which is said to represent the first death linked to ransomware.

The attacks have shut down some procedures at Sky Lakes Medical Center in Klamath Falls, Ore., spokesman Tom Hottman said. The hospital is unable to offer cancer treatments that are computer-controlled, and the attack has curbed some diagnostic imaging as well. Doctors and nurses have turned to paper for patient records with the electronic system offline, Hottman said. The hospital was hit by the ransomware Monday morning, and staff were told to shut down their computers to slow the spread of the malware, he said.

A cybersecurity firm arrived Wednesday afternoon at the hospital, Hottman said. “It’s an evolving situation,” he said.

Sonoma Valley Hospital in Sonoma, Calif., was also infected, said people familiar with the matter. In a statement, the hospital, which acknowledged a cyberattack but did not specify ransomware, said it was “maintaining operations while computer systems are being fully restored.”

Likewise, St. Lawrence Health System in Potsdam, N.Y., was hit Monday, according to WWNY television. The hospital disconnected its computer systems to prevent the malware from spreading.

Ellen Nakashima is a two-time Pulitzer Prize-winning reporter covering intelligence and national security matters for The Washington Post. She joined The Post in 1995 and is based in Washington, D.C. Jay Greene is a reporter for The Washington Post who is focused on technology coverage in the Pacific Northwest. 


Yeah it’s been a common tactic for a while now. Remember Sony got hit with it a few years back.  We have a very robust cyber security dept here which is why I surf the net on my phone and stay off company systems. We also have a good training & education program.

I have been targeted numerous times by phishing attempts.  Oftentimes it’s the employee who allows the hacker in by unknowingly opening attachments & links sent by hackers, figuring the emails are legit because the hackers make them look legit.

Funny aside: our HR tried to implement an employee rewards program during Covid.  A "Where would you like us to send your gift" type email.  None of the warning signs were there, it looked totally legit, except nobody opened it!  Everyone who got it reported it to InfoSec! InfoSec had to send an email out saying that it was a legit email and to please accept the gift!


That is the problem with ransomware - it often only takes one careless (or overworked and tired) employee to make a mistake. It does seem especially rotten to target hospitals during a pandemic, but they're also the organizations who might have the most pressure to keep operating and pay the ransom.


3 hours ago, Razors Edge said:

I feel like ALL businesses short change IT security (with a few good ones out there), so it is no surprise that the hospital systems get hit.  It is surprising more aren't hit, but likely MANY more are hit than are reported.  Like the Garmin outage - would we have known had there not been a massive public visibility for days?

The other problem is that hospital information is so real-time that too many hospitals pony up the ransom.

Oh, you have a backup from 2 hours ago? Not good enough, pay them the money. Prescriptions got entered in since then, patient admittance, etc. etc.

As long as there are organizations that will pay the ransom, ransomware will be successful.


1 hour ago, LoneWolf said:

Oh, you have a backup from 2 hours ago?

A back-up from 2hrs ago, 2 days ago, or even 2 weeks ago may still (very likely) have the same infected code waiting to strike again :(

I think that was likely part of Garmin's woes - hit by the encryption, quick, let's go to the back-ups, and then the realization that the back-ups needed to be shown to be either virus free or the virus mitigated prior to restoring.  I have no idea if there are easy and/or effective ways to remove it once it is loose on your network, but the fact that Garmin seems to have paid the ransom even after trying to get going with their back-ups indicates it is surely not very easy once you're infected.


3 minutes ago, Forum Administrator said:

Our IT guy did not believe in cloud or remote storage. He also neglected to make sure the backups were actually happening. We lost about 2.5 years of data. 

OMG that is sooooo wrong.

Years ago (think floppy disks) I lost data once at home when a disk got corrupt. And I couldn't fix the disk or retrieve the data.   I hated losing the data.  That's when I started backing up data.  I learned the hard way.

Now my personal data is backed up by Windows, but that's not enough.  I also back up all of my data to an external drive.  My 'critical' data (financial stuff) is also backed up to an SD card, and to a cloud that I trust, all encrypted. 

Even our county that was attacked recovered 95% of their data.   The losses they experienced were data that people kept on their computer hard drives in locations that were not automatically backed up to the network.  


On 10/29/2020 at 2:42 PM, Razors Edge said:

A back-up from 2hrs ago, 2 days ago, or even 2 weeks ago may still (very likely) have the same infected code waiting to strike again :(

I think that was likely part of Garmin's woes - hit by the encryption, quick, let's go to the back-ups, and then the realization that the back-ups needed to be shown to be either virus free or the virus mitigated prior to restoring.  I have no idea if there are easy and/or effective ways to remove it once it is loose on your network, but the fact that Garmin seems to have paid the ransom even after trying to get going with their back-ups indicates it is surely not very easy once you're infected.

It can, although the backup systems we use for managing clients have predictive algorithms for malware based on how much has changed.

Encrypting files changes their MD5 hash. If enough file hashes change in a short period of time, our backup software alerts us to the possibility of malware.

A Fortune 500 company or hospital should (keyword "should") be doing incremental backups every 15 minutes for safety.

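The post above describes a backup-side heuristic: file content hashes change when files are encrypted, so a backup run that sees an unusually large share of hashes change in a short period is worth an alert. The following is an added example, not code from any poster or from any backup product, showing one way to implement that heuristic. It assumes a sliding window of backup runs (15 minutes, a 25% churn threshold and a minimum of 10 tracked files are hypothetical defaults), uses SHA-256 by default where the post mentions MD5 (either works for change detection), and builds its own constructed sample files in a temporary directory.

```python
"""Hash-churn heuristic: flag a backup run in which an unusually large share of
tracked files changed content within a short window.

Constructed demo: builds a small directory tree in a temporary folder,
snapshots file hashes, applies one ordinary edit (no alert), then rewrites
every file (alert).
"""
import hashlib
import tempfile
from collections import deque
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Content hash of one file; 'md5' also works, sha256 is the default here."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, algo: str = "sha256") -> dict:
    """Map each regular file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p, algo)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(old: dict, new: dict) -> dict:
    """Classify paths as modified (hash differs), removed, or added."""
    return {
        "modified": [k for k in old if k in new and old[k] != new[k]],
        "removed": [k for k in old if k not in new],
        "added": [k for k in new if k not in old],
    }


class ChangeRateMonitor:
    """Alert when the union of files modified or removed across all backup runs
    inside `window_seconds` exceeds `threshold` of the files being tracked.

    Hypothetical defaults: a 15-minute window, 25% churn, and at least 10
    tracked files so a tiny share does not trip on a single edit.
    """

    def __init__(self, window_seconds: int = 900, threshold: float = 0.25,
                 min_files: int = 10) -> None:
        self.window_seconds = window_seconds
        self.threshold = threshold
        self.min_files = min_files
        self._events: deque = deque()  # (timestamp, set of churned paths)

    def observe(self, old: dict, new: dict, now: float) -> dict:
        """Record the diff between two consecutive snapshots and evaluate."""
        detail = diff_snapshots(old, new)
        churned = set(detail["modified"]) | set(detail["removed"])
        self._events.append((now, churned))
        # Drop runs that fell out of the sliding window.
        while self._events and now - self._events[0][0] > self.window_seconds:
            self._events.popleft()
        in_window = set().union(*(paths for _, paths in self._events))
        total = len(old)
        fraction = len(in_window) / total if total else 0.0
        alert = total >= self.min_files and fraction >= self.threshold
        return {"alert": alert, "fraction": fraction, "detail": detail}


def build_demo_tree(root: Path, n_files: int = 20) -> None:
    """Constructed sample data: n_files small text files in two subfolders."""
    for i in range(n_files):
        sub = root / ("reports" if i % 2 else "images")
        sub.mkdir(exist_ok=True)
        (sub / f"file{i:02d}.txt").write_bytes(f"document number {i}\n".encode() * 10)


def simulate_backup_runs(n_files: int = 20) -> tuple:
    """Two backup runs 10 minutes apart: a single user edit, then a bulk rewrite."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root, n_files)
        monitor = ChangeRateMonitor(window_seconds=900, threshold=0.25, min_files=10)

        base = snapshot(root)
        (root / "reports" / "file01.txt").write_bytes(b"edited by a user\n")
        after_edit = snapshot(root)
        normal = monitor.observe(base, after_edit, now=0)

        # Bulk rewrite standing in for mass encryption: every byte of every
        # file is changed (XOR with a constant), so every hash changes.
        for p in root.rglob("*.txt"):
            p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
        after_bulk = snapshot(root)
        mass = monitor.observe(after_edit, after_bulk, now=600)
        return normal, mass


if __name__ == "__main__":
    for label, result in zip(("single edit", "bulk rewrite"), simulate_backup_runs()):
        print(f"{label}: alert={result['alert']} changed={result['fraction']:.0%}")
```

The union over the window matters: a slow encryptor that touches a few percent of files per backup run still accumulates to the threshold within the window, whereas counting only the latest run would miss it. Removed files are counted as churn alongside modified ones because an encryptor that writes new files under a different name and deletes the originals shows up as removals plus additions rather than as hash changes.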
