
Ransomware & HSE


Comments

  • Registered Users Posts: 21,056 ✭✭✭✭Ash.J.Williams


    whippet wrote: »
    Sometimes it’s the only option.

    I have no idea what state the HSE’s backups are in … but I personally know of three Irish companies of various sizes who had no option but to pay a ransom in the last 6 months.

    Despite getting keys from the hackers it still took weeks and weeks to get all core systems back running properly.

    Could take 3 months depending on the scale


  • Registered Users Posts: 2,426 ✭✭✭ressem


    Blowfish wrote: »
    How do you have test patching of an MRI machine?

    The service engineer will arrive at a scheduled time, update software the same way as they would replace any aging part, run validation tests against it, sign off, and give a copy to be kept by the hospital.

    Blowfish wrote:
    How do you patch out of hours in an ER that's 24/7?

    Patching servers? For common updates, in a large organisation, you'll have a cluster of available servers that update in rotation. (Or virtual machines that power off running the old image, and power up with the new one.) Other servers like Red Hat have live kernel patching as an option.

    For clients, there's remote desktop services for desks that need high availability. A diskless desktop that network boots to a thin client, opening a Windows/application session on the server. Disconnect from the old remote session, reconnect to the new session.

    You're right that you couldn't trust leaving it doing Windows 10 feature updates on a machine for half the night, but there are workarounds that enterprises have to pay a premium for.


  • Registered Users Posts: 1,318 ✭✭✭thebourke


    Once they get the issue resolved... will they have to look at starting to upgrade systems etc.?


  • Registered Users Posts: 174 ✭✭RoamingDoc


    thebourke wrote: »
    Once they get the issue resolved... will they have to look at starting to upgrade systems etc.?

    They will. Whether that will actually translate to anything meaningful is anyone's guess.
    But that will only be after an inquiry that's framed as trying to find the individual or the group in the HSE who are responsible when really it's just chronic under-resourcing (same as nearly every other issue in the HSE).


  • Registered Users Posts: 174 ✭✭RoamingDoc


    ressem wrote: »
    The service engineer will arrive at a scheduled time, update software the same way as they would replace any aging part, run validation tests against it, sign off, and give a copy to be kept by the hospital.

    You're right that you couldn't trust leaving it doing Windows 10 feature updates on a machine for half the night, but there are workarounds that enterprises have to pay a premium for.

    This is what happens.

    For some systems, we get as much notice as they can, they pick a low demand time, and we just go manual for as long as it takes. Then some poor admin has to come along and input all the data once it's all back online.

    In emergencies, we just go full manual as soon as it happens. I've never experienced anything like this before but major incidents have happened before - you just resort to paper or viewing at source.


  • Registered Users Posts: 827 ✭✭✭HalfAndHalf


    Blowfish wrote: »
    How do you have test patching of an MRI machine? How do you patch out of hours in an ER that's 24/7?

    I can see someone else knowledgeable has answered this so will leave it there.


  • Registered Users Posts: 827 ✭✭✭HalfAndHalf


    ressem wrote: »
    The service engineer will arrive at a scheduled time, update software the same way as they would replace any aging part, run validation tests against it, sign off, and give a copy to be kept by the hospital.


    Patching servers? For common updates, in a large organisation, you'll have a cluster of available servers that update in rotation. (Or virtual machines that power off running the old image, and power up with the new one.) Other servers like Red Hat have live kernel patching as an option.

    For clients, there's remote desktop services for desks that need high availability. A diskless desktop that network boots to a thin client, opening a Windows/application session on the server. Disconnect from the old remote session, reconnect to the new session.

    You're right that you couldn't trust leaving it doing Windows 10 feature updates on a machine for half the night, but there are workarounds that enterprises have to pay a premium for.

    This! Any critical system would be clustered or you’d have at least an active/passive pair.


  • Registered Users Posts: 827 ✭✭✭HalfAndHalf


    Junglejoe wrote: »
    It's always an option

    Somewhat, if you’re prepared to run on compromised servers from then on.....hence me saying it’s not an option.


  • Registered Users Posts: 21,886 ✭✭✭✭Roger_007


    There has been a huge increase in the number of employees working from home during the pandemic. Are organisations taking adequate precautions to protect their data and networks? Are employees using properly protected machines and Wi-Fi to work on their organisation's systems? Do organisations know who might be viewing screen content when employees are working from home?
    There are major security implications involved in working from home, particularly regarding those employees who have high level access to company systems.


  • Registered Users Posts: 1,481 ✭✭✭omerin


    I haven't read all the posts, but someone needs to be sacked for this. Fool me once shame on you, fool me twice, shame on me.


  • Registered Users Posts: 3,450 ✭✭✭boardise


    McGaggs wrote: »
    Didn't this happen to the HSE about 3 years ago? I wonder what lessons they learned from it?

    Not sure but happened to the NHS in 2017.


  • Registered Users Posts: 4,928 ✭✭✭skimpydoo


    Roger_007 wrote: »
    There has been a huge increase in the number of employees working from home during the pandemic. Are organisations taking adequate precautions to protect their data and networks? Are employees using properly protected machines and Wi-Fi to work on their organisation's systems? Do organisations know who might be viewing screen content when employees are working from home?
    There are major security implications involved in working from home, particularly regarding those employees who have high level access to company systems.

    On one of my Irish Tech News podcasts, about how secure remote working is, BYOD was being replaced by BYON (Bring Your Own Network) as a major threat. Our home Wi-Fi setup would not pass muster in the workplace. This needs to be looked into.


  • Registered Users Posts: 4,928 ✭✭✭skimpydoo


    boardise wrote: »
    Not sure but happened to the NHS in 2017.

    WannaCry attack


  • Registered Users Posts: 4,931 ✭✭✭dingding


    ?? Why would a system stop working with a latest patch? This is an unknown of patching so you have test servers or patch out of hours and if there’s an issue rollback. These servers should be VLAN’d and behind firewalls regardless.

    I think one of the banks had a big issue with a patch applied, was it Ulster Bank, where there were transactions lost/duplicated?


  • Moderators, Computer Games Moderators Posts: 3,183 Mod ✭✭✭✭Dr Bob


    the purpose of crypto is to facilitate crime few understand

    Ok. I'm not a grammar Nazi or anything but :
    Do you mean
    The purpose of crypto is to facilitate crime, few understand
    or
    The purpose of crypto is to facilitate crime few understand
    ? (as in weird new crimes )
    I mean if you're going to post make an effort eh?


  • Registered Users Posts: 1,933 ✭✭✭Anita Blow


    Maybe I'm a bit clueless when it comes to networking. But why can't big organisations and governments operate a closed network insulated from the www?

    Remote access is important for many hospital operations and specialities - radiology, stroke medicine and off-site on-call access to labs and investigations mainly.


  • Registered Users Posts: 827 ✭✭✭HalfAndHalf


    dingding wrote: »
    I think one of the banks had a big issue with a patch applied, was it Ulster Bank, where there were transactions lost/duplicated?

    Yeah, that’s why I say you have test, especially a bank who should have multicluster nodes or active/passive where you can patch one, test, if all good rollout or if all bad rollback.


  • Registered Users Posts: 174 ✭✭RoamingDoc


    omerin wrote: »
    I haven't read all the posts, but someone needs to be sacked for this. Fool me once shame on you, fool me twice, shame on me.

    Called it!
    This sentiment is nonsense. These major incidents are never the fault of one individual. If it was possible for one person to cause this much damage - it would be the fault of a hell of a lot of people.
    RoamingDoc wrote: »
    But that will only be after an inquiry that's framed as trying to find the individual or the group in the HSE who are responsible when really it's just chronic under-resourcing (same as nearly every other issue in the HSE).


  • Registered Users Posts: 308 ✭✭harrylittle


    It's probably no coincidence there are also ransomware attacks in the USA at the same time... the NWO excuse to clamp down on the internet


  • Registered Users Posts: 9,507 ✭✭✭runawaybishop


    It's probably no coincidence there are also ransomware attacks in the USA at the same time... the NWO excuse to clamp down on the internet

    There are malicious actions performed every single minute of every single day.

    NWO. Lol.


  • Registered Users Posts: 308 ✭✭harrylittle


    There are malicious actions performed every single minute of every single day.

    NWO. Lol.

    Not to the same degree as the last week or so.

    Quote: The biggest fuel pipeline in the U.S., around 5500 miles long, was shut down Friday after hackers targeted it, pausing the flow of almost half of the East Coast's fuel supply. CNN reported that demand for gasoline was up 20 percent in the U.S., and 40 percent in some southern states, on Monday compared with the previous week.


  • Registered Users Posts: 3,584 ✭✭✭dubrov


    Yeah, that’s why I say you have test, especially a bank who should have multicluster nodes or active/passive where you can patch one, test, if all good rollout or if all bad rollback.

    In the real world there is no such thing as 100% test coverage.

    Patching comes with a risk as does not patching. I doubt patching was the cause here though


  • Registered Users Posts: 8,260 ✭✭✭ongarite


    skimpydoo wrote: »
    On one of my Irish Tech News podcasts, about how secure remote working is, BYOD was being replaced by BYON (Bring Your Own Network) as a major threat. Our home Wi-Fi setup would not pass muster in the workplace. This needs to be looked into.

    Interesting, could be something that will put the brakes on WFH model and bring employees back to "secure" office network.
    I can only imagine the amount of people using default router, WiFi passwords or simple to remember/share with household at home.
    Homes are likely to have insecure personal laptops or IoT devices that could expose sensitive data to hackers.


  • Registered Users Posts: 14,339 ✭✭✭✭jimmycrackcorm


    ongarite wrote:
    Interesting, could be something that will put the brakes on WFH model and bring employees back to "secure" office network. I can only imagine the amount of people using default router, WiFi passwords or simple to remember/share with household at home. Homes are likely to have insecure personal laptops or IoT devices that could expose sensitive data to hackers.


    The "secure" office network is the actual target so it doesn't matter that people are WFH.


  • Registered Users Posts: 308 ✭✭harrylittle


    There are malicious actions performed every single minute of every single day.

    NWO. Lol.

    probably headed by this chap

    https://www.youtube.com/watch?v=0DKRvS-C04o


  • Registered Users Posts: 9,509 ✭✭✭irishgeo


    I don't think people realise how quick things can be done. 5 hrs from phishing email to encryption of the network.

    https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/

    Secondly if it was a 0 day the HSE hadn't a chance.


  • Registered Users Posts: 3,815 ✭✭✭Burgo


    Don't know if it has been mentioned yet but looks like a ransom amount has been released; $20 million

    https://www.bleepingcomputer.com/news/security/ireland-s-health-services-hit-with-20-million-ransomware-demand/


  • Registered Users Posts: 349 ✭✭numbnutz


    Junglejoe wrote: »
    It's always an option

    Had a guy pay once after an infection... it was the early days of ransomware. €300 euro in bitcoin... decryptor was supplied and we got the honeypot of data that he needed. We still had to trash everything else and restore from what backups were relevant.
    Hard lesson learned but no finger pointing and no heads on the block were called for, which is the way it should be for the HSE IT team right now.
    There are a lot of hysterical reactions on this thread from people who I suspect have never been involved in a ransomware infection.
    It is the most stressful situation I have been involved in, from discovery of infection to isolation of network and ultimately the restoration of services and data.


  • Registered Users Posts: 9,509 ✭✭✭irishgeo


    Burgo wrote: »
    Don't know if it has been mentioned yet but looks like a ransom amount has been released; $20 million

    https://www.bleepingcomputer.com/news/security/ireland-s-health-services-hit-with-20-million-ransomware-demand/

    The ransom note is rather business focused, they seem to think it's a private medical business.


  • Registered Users Posts: 827 ✭✭✭HalfAndHalf


    dubrov wrote: »
    In the real world there is no such thing as 100% test coverage.

    Patching comes with a risk as does not patching. I doubt patching was the cause here though

    You’ve lost me there. If you read back through my posts I’ve never said patching or not patching was the issue, I’ve actually said that providers are aware of these vulnerabilities and leave them unresolved for months before they release fixes. You can’t defend something you don’t know about was my point.

    Such as the Microsoft Exchange Hafnium hacks back in March/April that turned into ransomware attacks, Microsoft were made aware in January and took months to release fixes.

