
Ransomware & HSE


Comments

  • Registered Users Posts: 500 ✭✭✭Marcos


    ineedeuro wrote: »
    Data is out
    This is being reported across social media. People getting calls, person has name, DOB, PPS etc. ... say they need to refund from last visit and can you give credit card to refund

    I've heard the same thing. The best thing to do is just hang up.

    When most of us say "social justice" we mean equality under the law opposition to prejudice, discrimination and equal opportunities for all. When Social Justice Activists say "social justice" they mean an emphasis on group identity over the rights of the individual, a rejection of social liberalism, and the assumption that unequal outcomes are always evidence of structural inequalities.

    Andrew Doyle, The New Puritans.



  • Registered Users Posts: 22,336 ✭✭✭✭Esel


    VinLieger wrote: »
    For the same reason the encrypted data cannot be trusted, they had access for 2 weeks to do quite a lot.

    Not an answer really. I can understand software and data being compromised, but not hardware.

    Not your ornery onager



  • Registered Users Posts: 7,256 ✭✭✭plodder


    VinLieger wrote: »
    It's not just hard drives, motherboards and anything else with even a basic level of storage is compromised

    I guess that's possible in theory, but they probably should go on past experience of other organisations that had Conti, unless they actually find evidence of that sort of infection. Otherwise, the worst case assumption could mean replacing 88,000 PCs


  • Moderators, Entertainment Moderators Posts: 17,993 Mod ✭✭✭✭ixoy


    Shebean wrote: »
    I understand the lack of access to the system but I'm surprised there is no file backup. I thought it was common practice to back up data offline. Seemingly the HSE was in a bad state IT-wise for some time.

    I keep seeing backups mentioned but the backups could easily have the same problem where, as soon as you restore them, they get encrypted again. They need to work out where the malware itself is to stop it being triggered again. That's why you can't just restore last night's backup immediately but only in careful stages.


  • Registered Users Posts: 18,167 ✭✭✭✭VinLieger


    plodder wrote: »
    I guess that's possible in theory, but they probably should go on past experience of other organisations that had Conti, unless they actually find evidence of that sort of infection. Otherwise, the worst case assumption could mean replacing 88,000 PCs

    No, the worst case scenario is assuming they are clear and it happening again in a year or more because they did leave something that gave them a backdoor back in.


  • Registered Users Posts: 7,882 ✭✭✭frozenfrozen


    So on this thread simultaneously the HSE were meant to have world class leading completely faultless security but also just accept the decryption and trust previously compromised hardware?


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    VinLieger wrote: »
    Source?

    As I posted, social media

    I've seen it posted into numerous pages on Facebook. Is it real? I don't know, that's why I mentioned social media in post


  • Registered Users Posts: 18,167 ✭✭✭✭VinLieger


    ineedeuro wrote: »
    As I posted, social media

    I've seen it posted into numerous pages on Facebook. Is it real? I don't know, that's why I mentioned social media in post

    Nah, I'd be 99% it's fake. If there's no source or evidence and it's only on social media it can't be taken seriously, we all should have learned that from the last year.


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    So RTE reporting the Hackers have supplied a decryption Key, can it be assumed payment received?????

    A friend's eye is a good mirror.




  • Registered Users Posts: 7,882 ✭✭✭frozenfrozen


    the $20m USD they quote in that

    when
    A document published online claiming to show the gang wanted $20m has been dismissed by those who are dealing with ‘Wizard Spider’ as "nonsense".

    4 days ago


  • Registered Users Posts: 1,391 ✭✭✭dublin49


    Just wonder have the Hackers bitten off more than they can chew, would imagine Putin will come under pressure to sort these out now as can only imagine there will be high level international discussions on foot of the recent move away from attacking purely commercial entities. Maybe being naive but sometimes criminals overstretch à la John Gilligan, bringing more attention than the normal expected response.


  • Registered Users Posts: 1,617 ✭✭✭barry181091


    Dempo1 wrote: »
    So RTE reporting the Hackers have supplied a decryption Key, can it be assumed payment received?????

    Nope. It can be assumed the situation around such a large hack on a state's main healthcare institution became too hot to handle. Was the Russian Gov't involved? Who knows, but it's far easier to target companies where they will pay for resolution, while public/state opinion of such an incident is apathetic at best.


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    dublin49 wrote: »
    Just wonder have the Hackers bitten off more than they can chew, would imagine Putin will come under pressure to sort these out now as can only imagine there will be high level international discussions on foot of the recent move away from attacking purely commercial entities. Maybe being naive but sometimes criminals overstretch à la John Gilligan, bringing more attention than the normal expected response.

    Not sure but RTE reporting decryption Key supplied by Hackers in the last 10 minutes, I'm guessing payment received...





  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    Nope. It can be assumed the situation around such a large hack on a state's main healthcare institution became too hot to handle. Was the Russian Gov't involved? Who knows, but it's far easier to target companies where they will pay for resolution, while public/state opinion of such an incident is apathetic at best.

    I'll respectfully disagree, the Russian Government will avoid any involvement, whiff they've any influence on this type of activity, it would make a mockery of their well highlighted stance "nothing to do with us"





  • Registered Users Posts: 33,105 ✭✭✭✭gmisk


    I am guessing the hackers didn't like the heat this hack has brought to them?

    RTE news : Decryption key provided to HSE and Dept of Health

    http://www.rte.ie/news/2021/0520/1222857-hse-weekly-briefing/

    Needs to be thoroughly tested obviously!


  • Registered Users Posts: 8,023 ✭✭✭youcancallmeal


    gmisk wrote: »
    I am guessing the hackers didn't like the heat this hack has brought to them?

    RTE news : Decryption key provided to HSE and Dept of Health

    http://www.rte.ie/news/2021/0520/1222857-hse-weekly-briefing/

    Needs to be thoroughly tested obviously!

    I heard it reported that a few police forces in the US were caught by ransomware recently too so I'd doubt they gave up the key due to too much heat. I'd say it's a key to decrypt a subset of files to prove that they can get everything unlocked if they pay up


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    gmisk wrote: »
    I am guessing the hackers didn't like the heat this hack has brought to them?

    RTE news : Decryption key provided to HSE and Dept of Health

    http://www.rte.ie/news/2021/0520/1222857-hse-weekly-briefing/

    Needs to be thoroughly tested obviously!

    Anyone listening or watching reports today where staff and senior managers explained how this is affecting day to day operations will have seen how brutal this attack was. More alarming was the obvious fact the HSE and their advisors were making NO PROGRESS in restoring systems, I've felt from the outset we were not being told the half of it. I'm more convinced having heard Paul Reid's hapless responses, Heather Humphreys' absurd comments about catching these criminals but more so the forensic walk through by the director of Acute care at the HSE, this morning on Morning Ireland on what frontline staff are dealing with, Bitcoin was dispatched with gusto by close of business today





  • Registered Users Posts: 1,305 ✭✭✭Joshua J


    Dempo1 wrote: »
    So RTE reporting the Hackers have supplied a decryption Key, can it be assumed payment received?????

    Almost certainly.


  • Registered Users Posts: 19,663 ✭✭✭✭Muahahaha


    Dempo1 wrote: »
    So RTE reporting the Hackers have supplied a decryption Key, can it be assumed payment received?????

    No, the payment hasn't been sent yet. I just checked my Revolut account now and all that is there is three euro fiddy. I wish they would hurry up, I've a basket full of Amazon purchases to pay for here and the wife needs her lady razors to shave off her lockdown beard.


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    Muahahaha wrote: »
    No, the payment hasn't been sent yet. I just checked my Revolut account now and all that is there is three euro fiddy. I wish they would hurry up, I've a basket full of Amazon purchases to pay for here and the wife needs her lady razors to shave off her lockdown beard.

    LOL, €300 won't cut it I'm afraid :)





  • Registered Users Posts: 2,901 ✭✭✭Van.Bosch


    Novice question here.

    Ignoring the encryption key, before today was it a case of the HSE just reloading backups and checking for malware after each reload so the whole process is slow but certain? Or is there a search to ensure the system gap was closed and then reload? Basically is there a path to recovery albeit slow or is there a risk the systems can’t be brought back?


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    Van.Bosch wrote: »
    Novice question here.

    Ignoring the encryption key, before today was it a case of the HSE just reloading backups and checking for malware after each reload so the whole process is slow but certain? Or is there a search to ensure the system gap was closed and then reload? Basically is there a path to recovery albeit slow or is there a risk the systems can’t be brought back?

    My sense after listening to press briefing is systems could not be brought back up, Paul Reid of course tried to spin it but Paul Cullen from the Irish Times asked some probing questions that were not in essence answered.





  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Van.Bosch wrote: »
    Novice question here.

    Ignoring the encryption key, before today was it a case of the HSE just reloading backups and checking for malware after each reload so the whole process is slow but certain? Or is there a search to ensure the system gap was closed and then reload? Basically is there a path to recovery albeit slow or is there a risk the systems can’t be brought back?

    More or less the hackers have sat for weeks/months undetected by the HSE so they have no idea when they could do a restore.

    That is even if they have backed up the servers correctly, which is another question mark.


  • Registered Users Posts: 21,055 ✭✭✭✭Ash.J.Williams


    whippet wrote: »
    The chances of the attackers being in the EU is probably zero

    These guys operate under the radar and quite often in friendly jurisdictions

    That’s not what he meant


  • Registered Users Posts: 11,253 ✭✭✭✭Furze99


    Furze99 wrote: »
    Do many of these ransomware scams target state agencies and take on governments? They'd want to be knowing their stuff to avoid being tracked down as the heat will be on bigtime. They're not just taking on Ireland Inc but multiple states and agencies that will be focused on them.

    As mentioned far above on this thread, the heat was always going to come on. Big difference between taking on a private business or a hospital group and the entire health care system of an EU state with good political links to the USA.


  • Registered Users Posts: 21,055 ✭✭✭✭Ash.J.Williams


    Van.Bosch wrote: »
    Novice question here.

    Ignoring the encryption key, before today was it a case of the HSE just reloading backups and checking for malware after each reload so the whole process is slow but certain? Or is there a search to ensure the system gap was closed and then reload? Basically is there a path to recovery albeit slow or is there a risk the systems can’t be brought back?

    I would say all systems are gone and a full restore is required onto reimaged servers


  • Registered Users Posts: 10,299 ✭✭✭✭BloodBath


    Nope. It can be assumed the situation around such a large hack on a state's main healthcare institution became too hot to handle. Was the Russian Gov't involved? Who knows, but it's far easier to target companies where they will pay for resolution, while public/state opinion of such an incident is apathetic at best.

    Why would a country with a 1.7 trillion economy target a non-political enemy for a paltry 20 million ransom?

    The idea that Putin or the Russian government has anything to do with this is laughably stupid.


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    Furze99 wrote: »
    As mentioned far above on this thread, the heat was always going to come on. Big difference between taking on a private business or a hospital group and the entire health care system of an EU state with good political links to the USA.

    Intrigued by this so-called heat, barely a mention of this attack outside Ireland, Bloomberg news seems to be the only international news organisation that mentioned it, nothing reported on any UK media that I'm aware of. The only heat I'm aware of is the hot air coming out of senior HSE management





  • Registered Users Posts: 4,928 ✭✭✭skimpydoo


    If a ransom has been paid, our government has just given in to Wizard Spider who now know we will pay in the future. They are going to be actively looking for other targets.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    Van.Bosch wrote: »
    Novice question here.

    Ignoring the encryption key, before today was it a case of the HSE just reloading backups and checking for malware after each reload so the whole process is slow but certain? Or is there a search to ensure the system gap was closed and then reload? Basically is there a path to recovery albeit slow or is there a risk the systems can’t be brought back?

    The problem you have with this type of attack is you can't be sure your backups haven't been corrupted.

    So you could restore a backup and bam, the ransomware restarts. Or you've just installed a backdoor into your network.

    You have to really be confident that you understand how they got in, and what they have changed, and that's just incredibly difficult and time-consuming. In most cases you can't really be sure you know everything.

    Even with a decryption key, it's not like you just run it on your network and everything goes back to normal. It's useful in case you have some data that wasn't properly backed up, but you can't trust anything in your environment and most security people will tell you to rebuild nearly everything.

    It's an incredibly destructive type of attack.

    My hope with them providing the key is they are getting leaned on by someone, and they may be less inclined to leak the actual data.

