
Ransomware & HSE


Comments

  • Registered Users Posts: 5,120 ✭✭✭TomOnBoard


    Dempo1 wrote: »
    I'm curious about why MRI scans are being cancelled given the Hospital I'm due to attend for a long awaited MRI does not run the MRI equipment, it's run by a private company and I believe in a number of other hospitals. Whilst I assume the issue might be to do with Doctors getting access to results, it just seems odd this IT systems attack would also be affecting a private company's operations. Surely Scans could be done with a slight delay in accessing results? I'm keeping my fingers crossed my appointment won't be cancelled on the 25th

    Sorry to tell you, while the I.T. systems are inaccessible, you don't even exist! The private MRI techs have no idea of who's due in on any day, no access to charts to know what is needed etc. etc. They're not just going to do an MRI 'on spec' without the referral etc. All that stuff's inside a System that cannot be used at the moment.

    I hope it's sorted soon also, as sooo many such procedures have been delayed for many months due to Covid..


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Dempo1 wrote: »
    Thanks, I'm beginning to feel this issue is far worse than being reported on

    It would be standard practice when dealing with an initially unknown threat to power off as many devices as possible to at least contain the threat until a full analysis and risk assessment could be completed.
    It doesn't mean every device or system is compromised.

    Remember the same thing happening back when Sasser and Lovebug came out first back in the day in various organisations.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,672 CMod ✭✭✭✭magicbastarder


    re the amount of data involved, even just building a single desktop or laptop, depending on how it's done, would easily take 10GB+ of data. granted, that data would have predictable sources; but an organisation which has a headcount (direct and indirect) of 100,000 employees, you'd expect them to be building several hundred systems a day probably.


  • Closed Accounts Posts: 309 ✭✭Pandiculation


    They’ve a big medical image management system (relatively new) so I would assume that’s been taken offline for security reasons, hence the cancelled MRIs.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,672 CMod ✭✭✭✭magicbastarder


    this dates from dec 2020:
    "The HSE has since replaced 9,000 of the 46,000 computers leaving 37,000 depending on the old software - 12,000 of those cannot be replaced because they are needed to run radiology and other systems that cannot run on newer software. "
    https://www.rte.ie/news/ireland/2020/1209/1183265-hse-technology/

    note that the article confirms they're paying for extended support.


  • Registered Users Posts: 3,257 ✭✭✭paul71


    dubrov wrote: »
    So how do you spend bitcoins from a dodgy wallet that the authorities are aware of?

    I'd imagine the large Bitcoin heists had cashed out the coins using phony/mule bank accounts long before the fraud was detected.

    By being physically located in a legal jurisdiction that either does not care about or actively encourages criminal behaviour.


  • Registered Users Posts: 20,090 ✭✭✭✭cnocbui


    These Russian 'gangs' are really part of the Russian security services. I'd ask the Russian government what they are going to do about it, and if they shrug their shoulders, tell them to pack up their embassy and take it home with them.


  • Registered Users Posts: 1,112 ✭✭✭Danonino.


    TomOnBoard wrote: »
    People's full name, phone number and address are all publicly available where they have landline numbers and don't opt out of being in telephone directories. The DOB piece may be a clincher, but the rest has been freely available for decades all around the world, and require no hacks to obtain them.

    The way that info is used has changed dramatically in the last few years though. Last 10 years especially. There’s a huge difference between being able to opt out of having your name and address listed for a landline and personal details being scraped from a source that you used for authentication and were to never be shared publicly or even worse, never gave in the first place. Some of the phone numbers/email addresses/names scraped were never given to Facebook, it was merged when they purchased WhatsApp iirc.

    The data isn’t being used to cold call ‘Glengarry Glen Ross’ style anymore. It’s being used in far more creative ways. Some of the phishing attempts I’ve seen in work have been seriously convincing. Email phishing scams have progressed from ‘you’ve won the jackpot that grows your Willy bigger’ to ‘this is almost indistinguishable from an official mail and has 90% of my details already.’

    But I do agree that a lot of information has been available for the longest time and it can and has been fairly useless in the vast majority of cases.

    Doesn’t mean a company that had a net profit of over 20 BILLION last year harvesting data for advertisers can just ignore a massive leak. It breaches data protection law that has monetary repercussions. I’m surprised there isn’t a thread on it, maybe there is. Pretty much they fooked up, and are taking the stance of ignore it and it’ll be forgotten.
    The law is there and being used:

    https://www.google.ie/amp/s/www.csoonline.com/article/3410278/the-biggest-data-breach-fines-penalties-and-settlements-so-far.amp.html

    But all the examples in that link combined equal roughly what? 9% of the profits Facebook made last year?


    Apologies for straying off topic.


  • Registered Users Posts: 21,056 ✭✭✭✭Ash.J.Williams


    markgb wrote: »
    They don't. They're just interested in the $20M they can extract from it.

    We were hit by the Russians via Ukraine and the ransom part we noticed wasn’t working, i.e. the ransom demand was part of the code and didn’t mean anything, it was just an act of pure badness


  • Registered Users Posts: 774 ✭✭✭OscarMIlde


    They’ve a big medical image management system (relatively new) so I would assume that’s been taken offline for security reasons, hence the cancelled MRIs.

    Yeah, NIMIS was offline on Friday. I imagine it still is. An absolute nightmare if this continues.


  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    Wombatman wrote: »
    Probably using a variant of this. 700GB compressed not a lot over two weeks.

    Sony lost 100 TB reportedly. 700G is nothing.


  • Registered Users Posts: 264 ✭✭Fantomas9mm


    Jack Chambers is saying on the week in politics that no ransom will be paid

    Is that possible?

    I thought this was a non negotiable problem, either pay up or you're doomed?

    Not something to try and play the big man with

    The general rule is that you never pay the ransom.


  • Registered Users Posts: 29,567 ✭✭✭✭Wanderer78


    The general rule is that you never pay the ransom.


    Ransom won't be paid, they'll try get things back running via backups, but some data will be lost


  • Closed Accounts Posts: 424 ✭✭Cerveza


    Leo will do bank transfer this week. Ransom will be paid.


  • Registered Users Posts: 26,988 ✭✭✭✭Dempo1


    I see the erstwhile Minister saying this morning they've found backed up systems, rather concerning he's only finding this out now?

    A friend's eye is a good mirror.




  • Registered Users Posts: 7,882 ✭✭✭frozenfrozen


    Maybe you're missing the nuance and they've found backed up systems which are not compromised

    As there could have been a period of time where it sat dormant before being used so they can't just randomly restore to a week ago blindly


  • Registered Users Posts: 5,914 ✭✭✭JDxtra


    ED E wrote: »
    Sony lost 100 TB reportedly. 700G is nothing.

    Depends on the content. Even very small amounts of data can be devastating if it's sensitive.


  • Registered Users Posts: 5,120 ✭✭✭TomOnBoard


    Maybe you're missing the nuance and they've found backed up systems which are not compromised

    As there could have been a period of time where it sat dormant before being used so they can't just randomly restore to a week ago blindly

    The thrust of this is that both live systems and some backups may have been compromised. Therefore, without a successful decryption, some data will have been lost. This is dreadful! Depending on when backups started being compromised, a serious hole in patient records will have been made.


  • Registered Users Posts: 26,988 ✭✭✭✭Dempo1


    TomOnBoard wrote: »
    The thrust of this is that both live systems and some backups may have been compromised. Therefore, without a successful decryption, some data will have been lost. This is dreadful! Depending on when backups started being compromised, a serious hole in patient records will have been made.

    I'm listening to (very difficult at the best of times) Paul Reid and I'm even more confused, he's not actually given a straight answer to a single question but this is nothing new

    A friend's eye is a good mirror.




  • Registered Users Posts: 264 ✭✭Fantomas9mm


    Does anybody know what vulnerability was exploited?
    Who is working on this do we know? As in I hope some outside SME specialist contractors have been engaged.

    If this vulnerability/malware has been used in other attacks around the world then it's possible other countries/orgs have made more progress on this already.


  • Registered Users Posts: 322 ✭✭plastic glass


    Dempo1 wrote: »
    I'm listening to (very difficult at the best of times) Paul Reid and I'm even more confused, he's not actually given a straight answer to a single question but this is nothing new

    Thought he was very straight and up front. There is a lot he doesn’t know obviously at this time


  • Registered Users Posts: 26,988 ✭✭✭✭Dempo1


    Thought he was very straight and up front. There is a lot he doesn’t know obviously at this time

    There's a lot he doesn't know generally, Colm Henry on Newstalk now at least he's got some medical knowledge

    A friend's eye is a good mirror.




  • Posts: 0 [Deleted User]


    Do they know for sure yet who's behind it?


  • Registered Users Posts: 7,882 ✭✭✭frozenfrozen


    TomOnBoard wrote: »
    The thrust of this is that both live systems and some backups may have been compromised. Therefore, without a successful decryption, some data will have been lost. This is dreadful! Depending on when backups started being compromised, a serious hole in patient records will have been made.

    Not saying this will be done but in that case you could restore to a recent compromised state which was not yet encrypted and extract data from it even manually...

    So unless they are unable to access backups (if the backups were encrypted... but they are probably offline / tape so not possible to encrypt everything) then there won't be any huge loss of data like you say


  • Registered Users Posts: 3,450 ✭✭✭boardise


    If the cybercriminals publish the captured data on the internet - would the Irish IT experts be able to quickly trace it and either start taking it down or encrypt it or otherwise make it unusable before any other parties would be alert to the fact that it was available?


  • Posts: 0 [Deleted User]


    boardise wrote: »
    If the cybercriminals publish the captured data on the internet - would the Irish IT experts be able to quickly trace it and either start taking it down or encrypt it or otherwise make it unusable before any other parties would be alert to the fact that it was available?

    Not really, it'll end up on the darkweb and the data would just proliferate rapidly.


  • Registered Users Posts: 8,023 ✭✭✭youcancallmeal


    cnocbui wrote: »
    These Russian 'gangs' are really part of the Russian security services. I'd ask the Russian government what they are going to do about it, and if they shrug their shoulders, tell them to pack up their embassy and take it home with them.

    If what you're suggesting is true then what is the purpose of disrupting the health service of a country that is a fraction the size of Russia? If it's for money that wouldn't make sense as the potential returns from a successful attack where the ransom is paid would be a drop in the ocean compared to the Russian GDP (1.7 Trillion in 2019). I just don't see any rationale for why this would be state backed rather than the currently accepted thinking that this is just an independent group of people (probably based in or around Russia) who are solely interested in monetary gain.


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    The general rule is that you never pay the ransom.
    That's not quite true.

    CEOs have a fiduciary responsibility to the business's shareholders. In other words, if they 'on principle' refuse to pay the ransom and it negatively affects the shareholders then legally they can be held personally liable. This is why ransomware often works, if it's a bad enough incident, paying is the correct business decision.

    Naturally, it's a different judgement call when it comes to public bodies like the HSE.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    ED E wrote: »
    Sony lost 100 TB reportedly. 700G is nothing.

    You can't quantify a data breach in terms of how much data was lost, it's the content of the data that determines the overall severity of the breach.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 76,635 Admin ✭✭✭✭✭Beasty


    Blowfish wrote: »
    That's not quite true.

    CEOs have a fiduciary responsibility to the business's shareholders. In other words, if they 'on principle' refuse to pay the ransom if it would negatively affect the shareholders then legally they can be held personally liable. This is why ransomware often works, if it's a bad enough incident, paying is the correct business decision.

    Naturally, it's a different judgement call when it comes to public bodies like the HSE.
    Things have moved on/are moving on in the Corporate World. Many large quoted businesses now have policies that would ban such payments. Shareholders sign up to such policies when they purchase shares

