Ransomware & HSE

rf1980

More details on https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf

él statutorio

rf1980 wrote: »

More details on https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf

Standard playbook for recovery.

No real details on if the backups got compromised or not. But, depending on what they use for backup, they were probably toast if shadow copies were deleted.

I'd be curious to know what protection measures were in place on endpoints. If it was just a bog standard AV or something more sophisticated like Crowdstrike.

TomOnBoard

Galwayguy35 wrote: »

Hospital rang me today to say my appointment for tomorrow was still on, guess I'm one of the lucky ones.

Nice One! Good luck with it!! Be patient when you get there, and expect a bit of chaos.

CiDeRmAn

Galwayguy35 wrote: »

Hospital rang me today to say my appointment for tomorrow was still on, guess I'm one of the lucky ones.

I was in with my dad to a Chemo appt which went ahead, in Beaumont, but a nurse there told me all radiotherapy appts in Luke's have been cancelled thanks to these assholes.

TomOnBoard

él statutorio wrote: »

Standard playbook for recovery.

No real details on if the backups got compromised or not. But, depending on what they use for backup, they were probably toast if shadow copies were deleted.

I'd be curious to know what protection measures were in place on endpoints. If it was just a bog standard AV or something more sophisticated like Crowdstrike.

Where would Crowdstrike fit into such a landscape? Wondering, as i dont know..

él statutorio

TomOnBoard wrote: »

Where would Crowdstrike fit into such a landscape? Wondering, as i dont know..

You'd have it on all endpoints, workstations and servers. Literally everywhere.

You can use it standalone or in conjunction with a regular AV solution.

It's not a silver bullet, but in my experience it has given us the best results in terms of stopping crypto attacks.

TomOnBoard

CiDeRmAn wrote: »

I was in with my dad to a Chemo appt which went ahead, in Beaumont, but a nurse there told me all radiotherapy appts in Luke's have been cancelled thanks to these assholes.

That's where these ****ers are going to seriously impact life and limb!! Glad your Dad's appt. went ahead!

TomOnBoard

él statutorio wrote: »

You'd have it on all endpoints, workstations and servers. Literally everywhere.

You can use it standalone or in conjunction with a regular AV solution.

It's not a silver bullet, but in my experience it has given us the best results in terms of stopping crypto attacks.

But its not an application that's running per se? More like a service that's called from the Cloud? I've read about it but afraid I'm not sure how it works, so chances are I'm talking bollox.

hmmm

On Prime Time now. Please let Ciaran Martin speak, a genuine expert who has tackled cybercrime at the highest levels.

TomOnBoard

DublinWriter wrote: »

It was via email, but would be interested in hearing your learned opinion.

While it may have used a phishing / infected attachment (probably a zip file containing Javascript/IceID/BokBot &/or Cobalt Strike) in the 1st instance (and that's NOT definitive), everything beyond the earliest probe was very much hands-on hacking from what I'm reading. This was sophisticated hijacking of services and capabilities by humans in real time, with fast-propagating exploits used to spread like wildfire after the initial rummaging gave them a picture of the overall landscape into parts of which they dug their claws to extract the data piece of their plan, before finally launching the encryption/destruction.

kippy

DublinWriter wrote: »

Well, that obviously failed.

And software/policies/procedures never fail - right?

él statutorio

TomOnBoard wrote: »

But its not an application that's running per se? More like a service that's called from the Cloud? I've read about it but afraid I'm not sure how it works, so chances are I'm talking bollox.

It runs locally.

TomOnBoard

él statutorio wrote: »

It runs locally.

K. I'm lost so.. Back 2 Skul!

CiDeRmAn

TomOnBoard wrote: »

That's where these ****ers are going to seriously impact life and limb!! Glad your Dad's appt. went ahead!

Thanks, I'm a nurse manager myself, in a residential setting, and 3 years of my work has been encrypted in this attack and I won't be seeing it again, I think

kippy

DublinWriter wrote: »

I never said that. Maybe you need to give your head a wobble if you're confusing CMS with CRM.

Even still - they would use access for fck all at this point.

TomOnBoard

CiDeRmAn wrote: »

Thanks, I'm a nurse manager myself, in a residential setting, and 3 years of my work has been encrypted in this attack and I won't be seeing it again, I think

No, You will.. Parts of the past fortnight may be lost, but proper backup strategies would leave you with good data at end April in a worst case scenario... assuming good strategies are in place chez vous...

Anyway, in the scheme of things, for your own soul, getting Dad to Chemo today was your.call to arms! Well done!

Ash.J.Williams

Attacks are a fact of life, to mitigate future attacks means ensuring the threat is contained.

Enterprise Users cannot have any special permissions on their devices

Remove the admin accounts and replace with temporary access for the IT dept to work in equipment which expires after a predefined period (hours)

Adopt the purdue model as best as possible

Machines out of support or unpatched for a specific reason need to be risk assessed and segregated to a safe zone.

Cost; lots and lots of new switches firewalls and consultants. It’s not rocket science anymore because these threats are a fact of life that we have to live with

Donald Trump

TomOnBoard wrote: »

No, You will.. Parts of the past fortnight may be lost, but proper backup strategies would leave you with good data at end April in a worst case scenario... assuming good strategies are in place chez vous...

Anyway, in the scheme of things, for your own soul, getting Dad to Chemo today was your.call to arms! Well done!

Network drives are possibly backed up by the organisation. Local drives may not be.

Ash.J.Williams

I wouldn’t be listening to anyone here about getting data back

mrjoneill

Ash.J.Williams wrote: »

Attacks are a fact of life, to mitigate future attacks means ensuring the threat is contained.

Enterprise Users cannot have any special permissions on their devices

Remove the admin accounts and replace with temporary access for the IT dept to work in equipment which expires after a predefined period (hours)

Adopt the purdue model as best as possible

Machines out of support or unpatched for a specific reason need to be risk assessed and segregated to a safe zone.

Cost; lots and lots of new switches firewalls and consultants. It’s not rocket science anymore because these threats are a fact of life that we have to live with

One of the key benefits of IT was its interoperability, in the possibility of being able to access any system that was on line any place. That will have to be seriously examined for critical systems, in having individual clusters specific to the task that are closed to access from outside the cluster. The comeback of the “dumb" terminal has to be seriously considered for this. Even back then in the age of the dinosaur I remember the VAX having to be patched because of virus issues when it got linked to the outside world and this was very limited access. We just can’t continue as is with critical sys not knowing what day or what hour it will fail. It will have to be considered having completely independent access to the web for staff who want to check their personal emails and surf the web on their own smartphones or laptops leaving the critical sys totally independent of the internet. This would be a big disincentive to the malware producing industry which is obv feeding on its success of critical systems. While we are seeing individual attacks now on critical systems one wonders will a day come when the whole WWW will totally collapse or shutdown because of a COVID like situation.

Ash.J.Williams

mrjoneill wrote: »

One of the key benefits of IT was its interoperability, in the possibility of being able to access any system that was on line any place. That will have to be seriously examined for critical systems, in having individual clusters specific to the task that are closed to access from outside the cluster. The comeback of the “dumb" terminal has to be seriously considered for this. Even back then in the age of the dinosaur I remember the VAX having to be patched because of virus issues when it got linked to the outside world and this was very limited access. We just can’t continue as is with critical sys not knowing what day or what hour it will fail. It will have to be considered having completely independent access to the web for staff who want to check their personal emails and surf the web on their own smartphones or laptops leaving the critical sys totally independent of the internet. This would be a big disincentive to the malware producing industry which is obv feeding on its success of critical systems. While we are seeing individual attacks now on critical systems one wonders will a day come when the whole WWW will totally collapse or shutdown because of a COVID like situation.

A shop floor environment I guess

mrjoneill

Ash.J.Williams wrote: »

Attacks are a fact of life, to mitigate future attacks means ensuring the threat is contained.

Enterprise Users cannot have any special permissions on their devices

Remove the admin accounts and replace with temporary access for the IT dept to work in equipment which expires after a predefined period (hours)

Adopt the purdue model as best as possible

Machines out of support or unpatched for a specific reason need to be risk assessed and segregated to a safe zone.

Cost; lots and lots of new switches firewalls and consultants. It’s not rocket science anymore because these threats are a fact of life that we have to live with

Until the next attack succeeds

Same thing has happened to New Zealand
https://www.stuff.co.nz/national/125163367/no-ransom-will-be-paid--waikato-hospitals-reeling-after-cyber-attack

https://www.nzherald.co.nz/nz/nz-spy-agency-assisting-waikato-dhb-after-cyber-attackransom-demand/V2Q3ESGHZC3KPHUUQ7R7PNNRWU/
"Cyber security expert Bruce Armstrong told the Herald he believes it is a ransomware attack on Waikato DHB from Asia or the Middle East, similar to what has hit the Irish health system in recent days."

realdanbreen

Keyzer wrote: »

Its a very valid point.

Sadly, like a lot of things in human nature, we leave things to the last minute, don't do something until there is impending danger or react when something bad happens. Many organisations I have seen in my time operate this way. IT and, more specifically, IT Security are seen as a cost. Cost's are, generally speaking, minimised. Until something really bad happens.

A great example of this is Maersk - they almost went out of business a couple of years ago because of NotPetya. Its a fascinating story. They had to rebuild over 4000 servers. Their entire Active Directory system (simply put, a critical system which allows you access to your Windows machine when you logon in the morning) was significantly affected. In Maersks case, because this system was down, they couldn't open the gates of their shipping ports because it was all managed through Active Directory.

They eventually found one Active Directory (domain controller, you have multiple domain controllers in a large organisation which replicate with each other) server somewhere in Africa which was offline due to an electrical storm, the guy in Africa was ordered not to turn it back on under any circumstances, to take out the hard drives, put them in a stainless steel briefcase, handcuff the briefcase to his wrist and fly to Maersk offices in London immediately. He couldn't because he didnt have a visa so Maersk flew one of their guys to Kenya, met the guy, got the brief case and prayed the hard drives were operational.

Thankfully for Maersk, they were. They rebuilt their entire Active Directory system using this one hard drive. If that drive failed, the company was gone.

But consider that for a moment, a company of the size of Maersk, a company the global economy is dependent on, almost going out of business. And they almost did.

After this fiasco, Maersk's entire approach to Information Security changed. Sometimes you have to go the edge of oblivion before you decide to make a change.

Then would that not mean that all a a large company has to do to prevent serious consequences from an attack is to always have one domain controller offline at any one time?

Deliverance XXV

They are now reporting on Newstalk that some samples of patient data, amongst other data has been released online. They are referencing this Financial Times article (behind paywall).

This article somewhat sums up what is referenced in the FT article.

Medical and personal information about Irish patients stolen by hackers last week is now being shared online, and the Financial Times shows screenshots and files.

The records offered online by hackers to further their demands for nearly $ 20 million in ransom also include internal healthcare services files, such as meeting minutes, equipment purchase details, and correspondence with patients.

The files were offered by the ‘ContiLocker Team’ as samples to prove they had confidential information, according to screenshots seen by FT.

The 27 files include personal records of 12 people. A file reviewed by FT includes admission records and lab results from a man who was admitted to hospital for hospice care. The general details in that file coincided with a later death notice seen by the FT.

VinLieger

Deliverance XXV wrote: »

They are now reporting on Newstalk that some samples of patient data, amongst other data has been released online. They are referencing this Financial Times article (behind paywall).

This article somewhat sums up what is referenced in the FT article.

Jesus, now im on board with them paying if indeed they did get the data

kippy

VinLieger wrote: »

Jesus, now im on board with them paying if indeed they did get the data

Paying would be the stupidist thing ever done -
think about it.
They have the data - what would paying them do?

VinLieger

kippy wrote: »

Paying would be the stupidist thing ever done -
think about it.
They have the data - what would paying them do?

Stop them releasing it maybe? I didnt think they had the data tbh so i was all on board with ignoring the ransom and hoping the backups were sufficiently protected.

20m is a drop in the bucket compared to the cost for the required replacement of every compromised piece of hardware.

20m is worth the chance of them not releasing it imo.

kippy

kippy wrote: »

Paying would be the stupidist thing ever done -
think about it.
They have the data - what would paying them do?

I think in the context of a health service, you have to look at the potential impact on life by holding out against the ransom. Every minute is valuable. Its not black and white as to not paying.

A Financial Services company or other types would be well able to ansorb the data loss.

Would all our PPS details be caught up in this I wonder?

archfi

Eamon Ryan was on Morning Ireland and he flatout said the National Cyber security Centre was adequately funded (5m) and the salary for it's vacant position of Director had been increased (reports said it was 89k a year) Someone had been lined up but it fell through.
He said HSE has a 203 million budget for IT (I didn't catch whether that was just for security or totality of IT)