
Ransomware & HSE


Comments

  • Posts: 17,378 ✭✭✭✭ [Deleted User]


    Beasty wrote: »
    Things have moved on/are moving on in the Corporate World. Many large quoted businesses now have policies that would ban such payments. Shareholders sign up to such policies when they purchase shares

    A ransomware attack or a series of them could destroy a business and reduce its value to zero. Does boards.ie have this policy of banning such payments?


  • Moderators, Politics Moderators Posts: 39,896 Mod ✭✭✭✭Seth Brundle


    Dempo1 wrote: »
    There's a lot he doesn't know generally, Colm Henry on Newstalk now at least he's got some medical knowledge

    I haven't heard Reid or Henry discussing it but I'm curious to know how possessing some medical knowledge will help resolve an IT security problem?


  • Posts: 17,378 ✭✭✭✭ [Deleted User]


    I haven't heard Reid or Henry discussing it but I'm curious to know how possessing some medical knowledge will help resolve an IT security problem?

    Good at finding and diagnosing viruses I suppose.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Does anybody know what vulnerability was exploited?
    Who is working on this do we know? As in I hope some outside SME specialist contractors have been engaged.

    If this vulnerability/malware has been used in other attacks around the world then it's possible other countries/orgs have made more progress on this already.

    The HSE have engaged FireEye to act as incident responders.

    Even if they know what was exploited they won't be saying.


  • Registered Users Posts: 975 ✭✭✭harmless


    When I was in hospital earlier this year I noticed my files were stored on an MS DOS database (possibly DataEase). These files were accessed on Windows XP PCs using the built in MS DOS emulator. The same hospital has had minimal disruption compared to others.

    Is it possible the use of these ancient systems saved them?


  • Registered Users Posts: 12,282 ✭✭✭✭Flinty997


    harmless wrote: »
    When I was in hospital earlier this year I noticed my files were stored on an MS DOS database (possibly DataEase). These files were accessed on Windows XP PCs using the built in MS DOS emulator. The same hospital has had minimal disruption compared to others.

    Is it possible the use of these ancient systems saved them?

    Unlikely. They might through dumb luck not be linked with any other systems. But such a system would be on a backup somewhere, may even be on a VM.


  • Registered Users Posts: 7,660 ✭✭✭Floppybits


    That's like where I worked in local authority, Windows 7. Public services always go for the cheapest available anything, not the most cost-effective in the long run.

    Having my first taste of dealing with Public Services in an IT capacity and all I can see is a technological desert. I knew the Public Services wasn't the best of IT but it is shocking just how bad it is.


  • Registered Users Posts: 3,330 ✭✭✭radiospan


    Does anybody know what vulnerability was exploited?
    Who is working on this do we know? As in I hope some outside SME specialist contractors have been engaged.

    If this vulnerability/malware has been used in other attacks around the world then it's possible other countries/orgs have made more progress on this already.

    The group behind it is called Wizard Spider (reported on RTE News last night), using ransomware called Conti. There is a "Conti News" onion site where they have published leaks in recent months.

    Wizard Spider info:
    https://adversary.crowdstrike.com/adversary/wizard-spider/#:~:text=Wizard%20Spider%20is%20a%20criminal,most%20commonly%20known%20as%20TrickBot.

    Conti info:
    https://en.wikipedia.org/wiki/Conti_(ransomware)
    https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/
    https://securityaffairs.co/wordpress/118001/cyber-crime/ireland-health-service-executive-conti-ransomware.html?utm_source=rss&utm_medium=rss&utm_campaign=ireland-health-service-executive-conti-ransomware


  • Registered Users Posts: 264 ✭✭Fantomas9mm


    Blowfish wrote: »
    That's not quite true.

    CEOs have a fiduciary responsibility to the business's shareholders. In other words, if they 'on principle' refuse to pay the ransom and it negatively affects the shareholders then legally they can be held personally liable. This is why ransomware often works: if it's a bad enough incident, paying is the correct business decision.

    Naturally, it's a different judgement call when it comes to public bodies like the HSE.

    What major companies or orgs have paid the ransomware?


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    boardise wrote: »
    If the cybercriminals publish the captured data on the internet -would the Irish IT experts be able to quickly trace it and either start taking it down or encrypt it or otherwise make it unusable before any other parties would be alert to the fact that it was available ?

    Awww bless!

    There's a movie called The Core, where the core of the earth has stopped spinning and the world is doomed, unless they can burrow into the Earth's core in a kind of heavily armoured submarine, and set off nuclear bombs in sequence to restart it. One sub-plot of the movie involves the US military hiring a hacker to control any references to the problem on the internet. Even he scoffs at the idea initially, but then agrees to do it because he gets unlimited resources to do it. It's a wonderfully ridiculous movie. One of those "it's so bad it's good" kind of movies.

    Once the data goes online, that's it.

    The movie industry have been fighting piracy for years and yet you can still download every movie ever made for free. Collectively, the film industry is worth something like 130 Billion. If they can't stop things being shared online, little old Ireland hasn't a hope.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,670 CMod ✭✭✭✭magicbastarder


    AXA in Asia have been hit by a ransomware attack (and they used to sell ransomware insurance AFAIK - now hastily withdrawn!)

    https://www.ft.com/content/4443da60-6d90-4d27-b300-b0896425f99f


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    What major companies or orgs have paid the ransomware?

    For some of them, you won't even know they've paid it, but SentinelOne did a report on it a few years back here: https://go.sentinelone.com/rs/327-MNM-087/images/Ransomware%20Research%20Data%20Summary%202018.pdf

    On slide 23 you can add up the totals to see that ~47% of businesses hit paid at least one ransom.

    It's hopefully dropped a bit as more people have become aware of the risks over the past few years, but it's still a significant amount.


  • Registered Users Posts: 975 ✭✭✭harmless


    Blowfish wrote: »
    For some of them, you won't even know they've paid it, but SentinelOne did a report on it a few years back here: https://go.sentinelone.com/rs/327-MNM-087/images/Ransomware%20Research%20Data%20Summary%202018.pdf

    On slide 23 you can add up the totals to see that ~47% of businesses hit paid at least one ransom.

    It's hopefully dropped a bit as more people have become aware of the risks over the past few years, but it's still a significant amount.


    I would think both sides have an interest in not announcing the ransom was paid.


  • Registered Users Posts: 18,168 ✭✭✭✭VinLieger


    Ciara Kelly on NT was this morning saying consultants she has been talking to say the ransom has to be paid due to the impact it's having.


    How naive are these people? Paying the ransom MIGHT get the data back but there's no guarantee they won't just leave it encrypted or even just release anything they have publicly just for the craic. Also the entire HSE IT system may still need to be replaced depending on how severely compromised it's been so paying the ransom might really not solve anything at all in the short term.


  • Registered Users Posts: 975 ✭✭✭harmless


    What annual budget does the HSE have for IT security?


  • Registered Users Posts: 524 ✭✭✭penny piper


    Seems strange that the topic of salary is not coming up.........if you are expecting a salary this week and work for the HSE you won't be getting paid quite simple....doctors/nurses/clerical staff/admin/health workers etc anyone who is due this week...unless this is sorted.


  • Registered Users Posts: 964 ✭✭✭Green Peter


    Floppybits wrote: »
    Having my first taste of dealing with Public Services in an IT capacity and all I can see is a technological desert. I knew the Public Services wasn't the best of IT but it is shocking just how bad it is.

    A lot of public sector IT is serviced by the private sector. In fact huge amounts of public sector money finance private sector businesses who owe their existence to public sector money. Once a public sector contract comes up the prices are inflated by the private sector and this is part of the problem. The county is small and options available to public sector are limited and hence they get screwed and maybe are slower to update.


  • Moderators, Politics Moderators Posts: 39,896 Mod ✭✭✭✭Seth Brundle


    harmless wrote: »
    What annual budget does the HSE have for IT security?

    I don't know but I'd be surprised if their IT budget is publicly broken down. Also announcing the spend on security surely would in itself be a security risk.


  • Closed Accounts Posts: 161 ✭✭JibJabWibWab


    VinLieger wrote: »
    Ciara Kelly on NT was this morning saying consultants she has been talking to say the ransom has to be paid due to the impact it's having.


    How naive are these people? Paying the ransom MIGHT get the data back but there's no guarantee they won't just leave it encrypted or even just release anything they have publicly just for the craic. Also the entire HSE IT system may still need to be replaced depending on how severely compromised it's been so paying the ransom might really not solve anything at all in the short term.

    There's no chance of "getting the data back", the virus used in these scams just destroys the data. There is no recovery.

    The only protection from this type of thing is an automated back-up system.
    It's criminally negligent if any state body doesn't have public data protected with such a system.

    Also, does anyone actually believe this was a "targeted attack"?

    This was obviously caused by some careless idiot clicking a link in a phishing email...


  • Registered Users Posts: 975 ✭✭✭harmless


    Also, does anyone actually believe this was a targeted "attack"?

    This was obviously caused by some careless idiot clicking a link in a phishing email...

    I too doubt they were a target. The best way for these groups to operate would be to spam attack as many systems as they can and then filter to see which ones have enough finance to pay a sizable ransom.


  • Closed Accounts Posts: 309 ✭✭Pandiculation


    The issue is that in a large organisation with tens of thousands of staff, the vast majority of whom aren’t at all focused on IT, you aren’t ever able to ensure that everyone’s going to be entirely virus aware. Computers are tools. They need to be able to operate safely. Blaming the end users is a bit ludicrous.

    The reality is IT systems are a tool and need to be able to work safely.

    It’s a bit like saying if a nurse flushes a toilet the wrong way they could collapse the health service. Any reasonable analysis would conclude that the problem is the plumbing.

    If you plug a kettle into the wrong socket you aren’t going to take down the national grid, yet that’s where we are with IT systems.

    Someone clicks a misleading link and the whole system is suddenly owned by hackers?! That’s just not good design.

    Placing the blame on non-savvy end users is a very weak excuse.


  • Registered Users Posts: 5,914 ✭✭✭JDxtra


    Pay the ransom and they just screw others as you increase the number of attacks in the future. Also, the HSE will need to rebuild the impacted systems anyways. Decryption tools provided by hackers cannot be trusted. This is where the HSE are dependent on offline backups or snapshots of impacted systems.

    If the HSE don’t have sufficient backups then there is obviously an issue – but paying these guys is not the solution.


  • Closed Accounts Posts: 161 ✭✭JibJabWibWab


    The issue is that in a large organisation with tens of thousands of staff, the vast majority of whom aren’t at all focused on IT, you aren’t ever able to ensure that everyone’s going to be entirely virus aware. Computers are tools. They need to be able to operate safely. Blaming the end users is a bit ludicrous.

    The reality is IT systems are a tool and need to be able to work safely.

    It’s a bit like saying if a nurse flushes a toilet the wrong way they could collapse the health service. Any reasonable analysis would conclude that the problem is the plumbing.

    If you plug a kettle into the wrong socket you aren’t going to take down the national grid, yet that’s where we are with IT systems.

    The unions would have demanded training, and of course extra money, for their members to use the systems. Trained staff should be held responsible...


  • Registered Users Posts: 4,338 ✭✭✭Potatoeman


    They’re years behind. Last time it was laptops with unencrypted hard drives. Probably not working off a backed up NAS so can’t just do a rollback restore. Doubt they had a firewall to stop this before it started.


  • Registered Users Posts: 8,239 ✭✭✭Pussyhands


    I don't believe the HSE have all the backups that's "understood to be the case".

    If we had all the backups, it would be a pretty straightforward decision to rebuild. I think it's more likely a ploy to put up a front to make out we weren't defeated.

    Even the fact Coveney came out and said there's consequences to paying the ransom....why would he even answer like that...if we had the backups it would be a no brainer NOT to pay the ransom.

    I think it's likely they're going to try shore up security then eventually pay these off.


  • Registered Users Posts: 10,234 ✭✭✭✭Hurrache


    Seems strange that the topic of salary is not coming up.........if you are expecting a salary this week and work for the HSE you won't be getting paid quite simple....doctors/nurses/clerical staff/admin/health workers etc anyone who is due this week...unless this is sorted.

    No, it's not really quite simple. All their systems aren't necessarily integrated.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    JDxtra wrote: »
    Pay the ransom and they just screw others as you increase the number of attacks in the future. Also, the HSE will need to rebuild the impacted systems anyways. Decryption tools provided by hackers cannot be trusted. This is where the HSE are dependent on offline backups or snapshots of impacted systems.

    Yes. We (Ireland) will be marked out as an easy target - they'll target some other parts of our infrastructure, and probably loop back around to hit the health system again some time in the future.

    Plus you are financing criminal gangs, who will use that money to target somewhere else after the HSE.

    The data is compromised, we just have to accept that. We'll probably have to spend a lot of money updating Health IT systems, but we would have had to do that anyway. The problem now is figuring out how far into the systems this group has gone, and whether we can safely restore services.

    The Russian state has turned a blind eye to a lot of these attackers for reasons. As someone else said, this leads to a potential problem that these 20 year olds can end up implementing foreign policy as a consequence. Hopefully Ireland is making it clear to Russia that we consider this to be exceptionally serious, and small as we are we have significant diplomatic influence.


  • Registered Users Posts: 264 ✭✭Fantomas9mm


    harmless wrote: »
    What annual budget does the HSE have for IT security?

    Great question.

    Another question is when did they last have an independent security audit or penetration test done ?
    Also what security awareness training do they do for staff ?

    I “may” have heard horror stories of one user getting their password reset and it causing multiple systems/PCs to become unusable as the one user was signed in on all those systems. They had been sharing credentials.


  • Registered Users Posts: 7,422 ✭✭✭MrMusician18


    Pussyhands wrote: »
    I don't believe the HSE have all the backups that's "understood to be the case".

    If we had all the backups, it would be a pretty straightforward decision to rebuild. I think it's more likely a ploy to put up a front to make out we weren't defeated.

    Even the fact Coveney came out and said there's consequences to paying the ransom....why would he even answer like that...if we had the backups it would be a no brainer NOT to pay the ransom.

    I think it's likely they're going to try shore up security then eventually pay these off.

    Of course there are backups. The problem is determining which backups are compromised. The earlier you roll back to results in data lost. While old records have their value, it's the most current information that's the most diagnostically important.

    I guess the tens of millions of cost that's being reported is largely due to diagnostic work having to be carried out again.


  • Registered Users Posts: 21,470 ✭✭✭✭Alun


    hmmm wrote: »
    The Russian state has turned a blind eye to a lot of these attackers for reasons. As someone else said, this leads to a potential problem that these 20 year olds can end up implementing foreign policy as a consequence. Hopefully Ireland is making it clear to Russia that we consider this to be exceptionally serious, and small as we are we have significant diplomatic influence.

    Yes, it's not that the Russian government is actively behind any of these attacks, it's just that it suits them politically to ignore the gangs who carry them out from within their territory and to make no attempt to bring them to justice.

