Ransomware & HSE

kippy

penny piper wrote: »

Problem with the HSE is you have managers (highly undeserving of the salary scale) who don't even have a degree/clerical officers who have master's degrees (poorly paid and no chance of promotion...oh and if you know so and so...they'll probably put in a word and get your relative a job...along with having their wife/brother/son/daughter stuck in somewhere...

I don't get the relevance of this in relation to the comments I was responding to/making.

Infini

Regardless of the threats they make or how they try to string it out, the government should not waste time or resources entertaining these toerags and operate under the assumption that this data has been leaked and already been sold and that all that it accomplishes to "pay" them is nothing except wasting more money that is likely a lost cause anyways. They call this a criminal attack but I would classify it as Cyber Terrorism for attacking a health system during a pandemic and causing people to potentially lose their lives. The same should go for any attack on critical infrastructure like power etc, these arent the kinds of attacks I would call normal criminal behaviour this is the kind of shít that kills people by proxy.

Stuff like this needs to be countered on an EU wide level with serious penalties inside the EU for example for this kind of behaviour and whatever is necessary to deal with this.

whippet

Infini wrote: »

Stuff like this needs to be countered on an EU wide level with serious penalties inside the EU for example for this kind of behaviour and whatever is necessary to deal with this.

The chances of the attackers being in the EU is probably zero

These guys operate under the radar and quite often in friendly juristrictions

él statutorio

ineedeuro wrote: »

Would you not disconnect external connectivity and then isolate all the systems?
Hard to disgnose the issue when everything is turned off.

Also as Mandiant/FireEye are involved they will install FireEye onto everything, this is EDR similar to Carbon Black/CrowdStrike etc. How do they install it when the systems are off?

I seen no press release from FireEye saying it was a Zeroday?

No you turn it all off first.
If the malware is still spreading then you give yourself a shot of some devices not being encrypted.
You can bring those machines back online in an isolated network environment to check them for encryption and (where possible) extract some data.
It's a crapshoot.
In the cases I've been involved in, not all servers and workstations were encrypted and data was recoverable from some of them.
The data was extracted and scanned. The servers were all rebuilt.

Have been through a number of these events in a consultancy capacity.

hmmm

Gang are claiming to have provided a decryption tool, but still want a ransom for the data. Fingers crossed we see some movement.

flask_fan

hmmm wrote: »

Gang are claiming to have provided a decryption tool, but still want a ransom for the data. Fingers crossed we see some movement.

Fingers crossed how?

ixoy

hmmm wrote: »

Gang are claiming to have provided a decryption tool, but still want a ransom for the data. Fingers crossed we see some movement.

Where did you see this? Is it a case of someone having a smidge of conscience?
Sure even if they did decrypt, you wouldn't trust that they're not snooping around afterwards.

él statutorio

hmmm wrote: »

Gang are claiming to have provided a decryption tool, but still want a ransom for the data. Fingers crossed we see some movement.

The decryption tools typically only work for a subset of the encrypted files. That's if the tool even works at all.

It's a waste of time negotiating with them.

VinLieger

hmmm wrote: »

Gang are claiming to have provided a decryption tool, but still want a ransom for the data. Fingers crossed we see some movement.

Even if they decrypt the data there's no guarantee they haven't left some nastiness in there also replacing all the compromised hardware is gonna take time we, are far from out of the woods.

hmmm

ixoy wrote: »

Where did you see this? Is it a case of someone having a smidge of conscience?
Sure even if they did decrypt, you wouldn't trust that they're not snooping around afterwards.

I don't want to post it as it's from a third party posting on Twitter, and I can't verify the legitimacy of the source or whether it is real.

Agreed with your point, no matter the outcome here we (Ireland) can't afford to have potentially compromised systems in Health so unfortunately it probably will have to be a rebuild.

radiospan

So if those tweets are to be believed, it seems the HSE now have a decryption tool which has been confirmed working on the previously released sample by a 3rd party.

The ransom demand now only relates to not releasing the data on Monday.

Surely cyber security experts can analyze the decryption tool to ensure its safe before running it to decrypt everything, or that too naïve?

BattleCorp

radiospan wrote: »

So it seems the HSE now have a decryption tool which has been confirmed working on the previously released sample by a 3rd party.

The ransom demand now only relates to not releasing the data on Monday.

Surely cyber security experts can analyze the decryption tool to ensure its safe before running it to decrypt everything, or that too naïve?

Why would the criminals give a decryption tool if the ransom wasn't paid? Sounds like fake news to me.

Belfunk

BattleCorp wrote: »

Why would the criminals give a decryption tool if the ransom wasn't paid? Sounds like fake news to me.

Because taking a countries health system offline will generate unwanted attention to their activities. Give them a decryption tool and get the health service back up and running while still threatening to release patient data in return for money.

ineedeuro

Data is out
This is been reported across social media. People getting calls, person has name, DOB, PPS etc,....say they need to refund from last visit and can you give credit card to refund

VinLieger

Belfunk wrote: »

Because taking a countries health system offline will generate unwanted attention to their activities. Give them a decryption tool and get the health service back up and running while still threatening to release patient data in return for money.

Its nowhere near that easy all the compromised hardware needs to be replaced as it cannot be trusted after they have had free reign for those 2 weeks. Getting the data back in reality does nothing for the HSE operationally in the short term.

VinLieger

ineedeuro wrote: »

Data is out
This is been reported across social media. People getting calls, person has name, DOB, PPS etc,....say they need to refund from last visit and can you give credit card to refund

Source?

Belfunk

VinLieger wrote: »

Its nowhere near that easy all the compromised hardware needs to be replaced as it cannot be trusted after they have had free reign for those 2 weeks. Getting the data back in reality does nothing for the HSE operationally in the short term.

Completely agree. I’d imagine even if they were to use the tool it would take weeks to decrypt.

tobefrank321

What's the bets the extra money needed for cyber protection in the HSE went instead on bonuses to management?

And the idea that the Russians don't know who is responsible doesn't hold water. St. Petersburg is hacker central, many of them working for the Russian government. Very likely they know directly or indirectly who exactly is to blame and choose to turn a blind eye.

Esel

VinLieger wrote: »

Even if they decrypt the data there's no guarantee they haven't left some nastiness in there also replacing all the compromised hardware is gonna take time we, are far from out of the woods.

How exactly has any hardware been compromised?

saabsaab

Belfunk wrote: »

Completely agree. I’d imagine even if they were to use the tool it would take weeks to decrypt.

The basic fact is they can't be trusted. Even if they give the decrypt key.

Tow

ineedeuro wrote: »

Data is out
This is been reported across social media. People getting calls, person has name, DOB, PPS etc,....say they need to refund from last visit and can you give credit card to refund

This is probably another well know breach. I got an automated phone call (female American voice) a few hours ago claiming to be from Social Welfare and that my PPSN number was breached. Press number 1.. Then it hung up, which was no fun.

martco

curious, anyone know who the poor unfortunates with the contract for the bulk of the affected servers/estate are? thought it used to be a large American tier 1 vendor over leixlip direction but...

VinLieger

Esel wrote: »

How exactly has any hardware been compromised?

For the same reason the encrypted data cannot be trusted, they had access for 2 weeks to do quite a lot.

Shebean

The criminals, likely our friend Putin supported, have the information.
The threat is they'll release it.
My question is how and how worse could it be than it already is?
No social media will platform it. Criminals already have it.
Phishing scams can be countered by telling people not to bite based on a phone call or unsolicited email. Banks can be told to change personal security.

I understand the lack of access to the system but I'm surprised there is no file back up. I thought it was common practice to back up data off line. Seemingly the HSE was in a bad state IT wise for some time.

FileNotFound

It's times like this I am happy i haven't been near the HSE for years haha.
Anything on me is about as much use as sh1t on the hackers shoes.

Of the full opinion to make the official F off announcement and then just get to fixing the mess.

Lessons to be learned I suppose.

barry181091

https://www.bleepingcomputer.com/news/security/conti-ransomware-gives-hse-ireland-free-decryptor-still-selling-data/

I wonder did the Kremlin have a hand in this?

plodder

VinLieger wrote: »

For the same reason the encrypted data cannot be trusted, they had access for 2 weeks to do quite a lot.

But, they can't interfere with the hardware as such. The worst that would be needed (and it's still pretty bad) is that all hard drives be reformatted, all software re-installed and data restored from backups - assuming everything affected is backed up.

VinLieger

plodder wrote: »

But, they can't interfere with the hardware as such. The worst that would be needed (and it's still pretty bad) is that all hard drives be reformatted, all software re-installed and data restored from backups - assuming everything affected is backed up.

Its not just hard drives, motherboards and anything else with even a basic level of storage is compromised

frozenfrozen

barry181091 wrote: »

https://www.bleepingcomputer.com/news/security/conti-ransomware-gives-hse-ireland-free-decryptor-still-selling-data/

I wonder did the Kremlin have a hand in this?

Sorry hackers but we have a tender process your bid of $20 million to not release the information has been noted and we will get back to you at a later date if we choose to go with your quote.

regards

FileNotFound

frozenfrozen wrote: »

Sorry hackers but we have a tender process your bid of $20 million to not release the information has been noted and we will get back to you at a later date if we choose to go with your quote.

regards

That would be the perfect response haha.

What fools they were, bet they never bothered to send the brown envelope in advance.