
Ransomware & HSE


Comments

  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    Bloomberg reporting decryption key provided after intervention of EU & US officials and high level negotiations with Russia. Also linked to Colonial Pipeline attack apparently which would make sense.

    It’s been suggested that the possibility of imposing further crippling sanctions against Russia was floated. Although I suspect the opposite has happened, don’t be surprised if we hear about sanctions relief in the coming weeks …

    The ransom is Mickey Mouse stuff in the grand scheme of things.

    And if I recall ransom was actually paid by Colonial???

    Is maith an scáthán súil charad.




  • Registered Users Posts: 1,305 ✭✭✭Joshua J


    Dempo1 wrote: »
    And if I recall ransom was actually paid by Colonial???
    They did indeed. The US couldn't help their own but they came flying to the aid of little old Ireland.


  • Registered Users Posts: 19,856 ✭✭✭✭Donald Trump


    saabsaab wrote: »
    Might stand out a bit too much?




    Not at all. Masters of disguise




  • Registered Users Posts: 7,422 ✭✭✭MrMusician18


    Dempo1 wrote: »
    Bloomberg reporting decryption key provided after intervention of EU & US officials and high level negotiations with Russia. Also linked to Colonial Pipeline attack apparently which would make sense.

    It’s been suggested that the possibility of imposing further crippling sanctions against Russia was floated. Although I suspect the opposite has happened, don’t be surprised if we hear about sanctions relief in the coming weeks …

    The ransom is Mickey Mouse stuff in the grand scheme of things.

    The US has lifted sanctions proposed on Nord Stream 2.
    Maybe a coincidence?


  • Registered Users Posts: 1,575 ✭✭✭Hibernicis


    Dempo1 wrote: »
    So RTE reporting the hackers have supplied a decryption key, can it be assumed payment received?????

    Difficult to know. I can think of 4 scenarios:
    1. Government/HSE paid part/all of the ransom
    2. Somebody else paid part/all of the ransom
    3. Diplomatic back channelling by US/EU/Irl to Russia made clear that this was going to have significant life/death consequences and was a step too far - wiping out a Western nation's entire public health infrastructure would not be tolerated
    4. The protagonists came to the same conclusion (i.e. no. 3 above) by themselves having seen the combined efforts by the various European and International cyber security agencies.

    Two very interesting things emerged in the High Court today:
    “That database contained data which could be categorised under three headings –
    1) Clinical, laboratories, diagnostics, oncology;
    2) patient administration such as medical cards and administration systems and;
    3) corporate (payroll, HR, finance).

    All of this data is potentially compromised,” said Mr Reid. (My emphasis)

    Source: Indo

    The first clear indication that it wasn't some; part; a little; a good bit, it is potentially MOST or ALL
    Fran Thompson, interim Chief Information Officer of the HSE, said on the day in question a call was logged about 2.50am with his office to report the patient management systems and printers were unavailable at St Luke’s Hospital.

    At 3am, Our Lady’s Hospital advised their systems were also down. On investigation, a ransomware note was discovered on a personal computer at the latter hospital. At 3.22am, multiple sites were reporting multiple issues across multiple systems.

    At 4.41am, a critical incident was declared and the critical incident process was commenced. It was decided to implement a “Contain” phase and all systems were shut down.

    Source: Indo

    First clear indication that the encryption process was running for hours (i.e. from trigger time, which was certainly prior to 2:50am, to shutdown, which was after 4:41am - so at least 2 hours). Anybody who has seen these processes in action will realise the extent of the damage it can do in that time frame. Especially if the perpetrators had spent weeks understanding the domain structure and planting the encryption tool in the most critical locations (the file stores/servers).

    So we have the first really clear picture of the extent of the damage: All devices and all data, or something in that region. The scale of the domain was also mentioned and reaches to thousands of servers. A doomsday scenario and confirmation that the HSE didn't have a lucky break.

    Faced with a bare metal restore of this magnitude, never mind the effort involved in trying to validate each individual backup image/file (and there must be tens of thousands of these at server level) you quickly understand that the task may actually have been assessed as pretty close to impossible. And that's without even considering desktop devices.

    I'm making a number of assumptions here, but at least they are based on statements by those involved.

    On this basis, in answer to the initial question, my guess would be that 2 is the most likely, followed by 3 or 4.


    Several other statements fed into my thinking:
    A Government spokesperson said: “It is to be emphasised that the Government has not paid a ransom and will not pay a ransom in respect of this crime. This has been the firm position of the Government from the outset and it will continue to maintain that position.”

    Source: Indo


    Paul Reid also said today that "The HSE will not pay the ransom demanded" (I'll add the source if I can retrace it)

    The careful wording in these makes me very suspicious. Any normal person would say "The ransom won't be paid" or "We won't pay the ransom"

    And finally, as I mentioned earlier, the potential damage (for the next 50 years) if the contents of the Tusla database were to be released. That one makes my stomach churn.

    I genuinely hope and wish it wasn't the case, but I fear there simply may not have been an alternative. I'm on the outside looking in (as are most people here) thankfully. I wish them every success in getting this sorted. It must be a living hell for all involved.


  • Registered Users Posts: 21,055 ✭✭✭✭Ash.J.Williams


    The media seen to think they took something physical that they can give back and that’s it,

    THEY WILL KEEP A COPY


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    Joshua J wrote: »
    They did indeed. The US couldn't help their own but they came flying to the aid of little old Ireland.

    And pigs might fly. I remember when Biden was elected it was suggested he'd set up an oval office in Ballina; now he's due at a conference in Wales shortly and the closest he'll get to Ballina are the clouds passing by :)

    Is maith an scáthán súil charad.




  • Registered Users Posts: 748 ✭✭✭RogerThis


    Dempo1 wrote: »
    The ransom is Mickey Mouse stuff in the grand scheme of things.

    It's not really. It's the reason the hackers do it.

    The ransom is paid by the insurance company, not by the state or HSE.
    That's what cyber insurance is for.


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    Hibernicis wrote: »
    Difficult to know. I can think of 4 scenarios:
    1. Government/HSE paid part/all of the ransom
    2. Somebody else paid part/all of the ransom
    3. Diplomatic back channelling by US/EU/Irl to Russia made clear that this was going to have significant life/death consequences and was a step too far - wiping out a Western nation's entire public health infrastructure would not be tolerated
    4. The protagonists came to the same conclusion (i.e. no. 3 above) by themselves having seen the combined efforts by the various European and International cyber security agencies.

    Two very interesting things emerged in the High Court today:



    The first clear indication that it wasn't some; part; a little; a good bit, it is potentially MOST or ALL



    First clear indication that the encryption process was running for hours (i.e. from trigger time, which was certainly prior to 2:50am, to shutdown, which was after 4:41am - so at least 2 hours). Anybody who has seen these processes in action will realise the extent of the damage it can do in that time frame. Especially if the perpetrators had spent weeks understanding the domain structure and planting the encryption tool in the most critical locations (the file stores/servers).

    So we have the first really clear picture of the extent of the damage: All devices and all data, or something in that region. The scale of the domain was also mentioned and reaches to thousands of servers. A doomsday scenario and confirmation that the HSE didn't have a lucky break.

    Faced with a bare metal restore of this magnitude, never mind the effort involved in trying to validate each individual backup image/file (and there must be tens of thousands of these at server level) you quickly understand that the task may actually have been assessed as pretty close to impossible. And that's without even considering desktop devices.

    I'm making a number of assumptions here, but at least they are based on statements by those involved.

    On this basis, in answer to the initial question, my guess would be that 2 is the most likely, followed by 3 or 4.


    Several other statements fed into my thinking:




    Paul Reid also said today that "The HSE will not pay the ransom demanded" (I'll add the source if I can retrace it)

    The careful wording in these makes me very suspicious. Any normal person would say "The ransom won't be paid" or "We won't pay the ransom"

    And finally, as I mentioned earlier, the potential damage (for the next 50 years) if the contents of the Tusla database were to be released. That one makes my stomach churn.

    I genuinely hope and wish it wasn't the case, but I fear there simply may not have been an alternative. I'm on the outside looking in (as are most people here) thankfully. I wish them every success in getting this sorted. It must be a living hell for all involved.

    If Paul Reid told me something was black, I'd believe it to be white; if he could actually hear himself talk, he'd actually shut up :)

    Is maith an scáthán súil charad.




  • Registered Users Posts: 19,856 ✭✭✭✭Donald Trump


    Their High Court Order would, by default, want to apply to ALL data. Even if they thought that nothing was taken, they'd need to get it to cover ALL.


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    RogerThis wrote: »
    It's not really. It's the reason the hackers do it.

    The ransom is paid by the insurance company, not by the state or HSE.
    That's what cyber insurance is for.

    You've got to be joking? Seriously, do you think an inept organisation like the HSE even knows what crypto insurance is?

    Is maith an scáthán súil charad.




  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    Just about this High Court injunction re releasing data, is it actually them that would be at fault as such? An injunction against themselves seems quite odd. Besides, does anyone seriously believe for a second cyber criminals would adhere to such an injunction? It's a bizarre move and most likely a move in desperation on the HSE's part, more farce I fear.

    Is maith an scáthán súil charad.




  • Registered Users Posts: 8,208 ✭✭✭saabsaab


    RogerThis wrote: »
    It's not really. It's the reason the hackers do it.

    The ransom is paid by the insurance company, not by the state or HSE.
    That's what cyber insurance is for.


    There is no state cyber insurance!


  • Registered Users Posts: 26,578 ✭✭✭✭Turtwig


    Dempo1 wrote: »
    Just about this High Court injunction re releasing data, is it actually them that would be at fault as such? An injunction against themselves seems quite odd. Besides, does anyone seriously believe for a second cyber criminals would adhere to such an injunction? It's a bizarre move and most likely a move in desperation on the HSE's part, more farce I fear.

    I thought the injunction was to stop the ordinary Joe or the media from sharing the contents of the data.

    Find it very hard to believe a ransom was paid if no data was returned. Rather all we know is they've leaked some already, are threatening a massive data dump and have provided an encryption key as proof of concept that the files can actually be decrypted.

    That all seems fairly standard to this armchair ignoramus.


  • Moderators, Society & Culture Moderators Posts: 12,524 Mod ✭✭✭✭Amirani


    Dempo1 wrote: »
    Just about this High Court injunction re releasing data, is it actually them that would be at fault as such? An injunction against themselves seems quite odd. Besides, does anyone seriously believe for a second cyber criminals would adhere to such an injunction? It's a bizarre move and most likely a move in desperation on the HSE's part, more farce I fear.

    This would allow action to be taken against third parties who use or distribute the data. So if Paddy down the road decides to find some juicy stuff on the dark web and starts spreading it about the neighbourhood, then he'll be breaching the injunction.


  • Registered Users Posts: 748 ✭✭✭RogerThis


    saabsaab wrote: »
    There is no state cyber insurance!

    The HSE isn't a state body, like the department of health. They would need insurance.


  • Registered Users Posts: 11,035 ✭✭✭✭J Mysterio


    RogerThis wrote: »
    The HSE isn't a state body, like the department of health. They would need insurance.

    The HSE is a state body.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    If we were going to pay a ransom (which I doubt we ever would), we'd have paid to stop the data being released.

    The key is useful if we have something which wasn't backed up and might help us speed up recovery, otherwise it doesn't give us all that much and it will be a bit of a distraction in the days to come. We'll have lots of clueless TDs saying "just run the decryption" and shaking their heads when they are told it will still take weeks to restore some systems.

    I'm hopeful that the key was released as a result of diplomatic pressure, and we should keep the pressure up. We're a small country, but we have lots of friends - and even those who are not our friend know that we cannot allow this ransomware plague to continue or everyone is at risk.


  • Registered Users Posts: 7,422 ✭✭✭MrMusician18


    RogerThis wrote: »
    It's not really. It's the reason the hackers do it.

    The ransom is paid by the insurance company, not by the state or HSE.
    That's what cyber insurance is for.
    The state doesn't take out insurance on anything afaik. It self insures.


  • Registered Users Posts: 748 ✭✭✭RogerThis


    J Mysterio wrote: »
    The HSE is a state body.

    The staff aren't civil servants, they are public servants, like teachers. The HSE is not a state body.


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    J Mysterio wrote: »
    The HSE is a state body.

    Agreed, part of the Department of Health

    Is maith an scáthán súil charad.




  • Registered Users Posts: 8,208 ✭✭✭saabsaab


    hmmm wrote: »
    If we were going to pay a ransom (which I doubt we ever would), we'd have paid to stop the data being released.

    The key is useful if we have something which wasn't backed up and might help us speed up recovery, otherwise it doesn't give us all that much and it will be a bit of a distraction in the days to come. We'll have lots of clueless TDs saying "just run the decryption" and shaking their heads when they are told it will still take weeks to restore some systems.

    I'm hopeful that the key was released as a result of diplomatic pressure, and we should keep the pressure up. We're a small country, but we have lots of friends - and even those who are not our friend know that we cannot allow this ransomware plague to continue or everyone is at risk.


    Might be worried we'd send the boys 'round.


  • Registered Users Posts: 748 ✭✭✭RogerThis


    Dempo1 wrote: »
    Agreed, part of the Department of Health

    The HSE is funded by the Department of Health. It's separate from the department of health. The HSE is not a state body.


  • Registered Users Posts: 7,422 ✭✭✭MrMusician18


    Amirani wrote: »
    This would allow action to be taken against third parties who use or distribute the data. So if Paddy down the road decides to find some juicy stuff on the dark web and starts spreading it about the neighbourhood, then he'll be breaching the injunction.

    Exactly. The injunction is to stop the media reporting the contents but the main thing this injunction wants to achieve is to stop someone creating a portal on the clear web to search the database. Or start sharing contents on SM.

    Of course this only applies in Ireland, so it may be limited in its effectiveness.


  • Moderators, Entertainment Moderators Posts: 17,993 Mod ✭✭✭✭ixoy


    So thejournal is now reporting that it started with an employee clicking a link:
    A HSE worker, apparently struggling to access a non-functioning computer, sought help when prompted to do so in a file on their computer.

    “It appears that the person was trying to use their computer but received some sort of a message to use a messaging service to contact someone who could fix the problem,” a source with knowledge of the situation said.

    What followed was a lengthy exchange in which the hackers told the employee that they had accessed 700 gigabytes of data of patients’ home addresses and other personal details through their computer.
    Not quite sure what "when prompted to do in a file". The headline implies it started then but likely it was lurking and then activated. The employee, either way, would want to remain anonymous such will be the righteous fury heaped upon them by a large swathe of the Irish population who are 100% IT security vigilant.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Joshua J wrote: »
    That's great and all but the most likely scenario is they got paid.

    Based on what?
    There's zero chance these guys are getting their ransom.


  • Registered Users Posts: 7,882 ✭✭✭frozenfrozen


    Could easily just be the first person to notice the your files are now encrypted page...


  • Registered Users Posts: 2,004 ✭✭✭FileNotFound


    ixoy wrote: »
    So thejournal is now reporting that it started with an employee clicking a link:

    Not quite sure what "when prompted to do in a file". The headline implies it started then but likely it was lurking and then activated. The employee, either way, would want to remain anonymous such will be the righteous fury heaped upon them by a large swathe of the Irish population who are 100% IT security vigilant.

    Be interesting if they can trace it back.

    I assume that at some point someone will have used a link/saved a file that allowed the original access - unless this is some mad "hackers movie" thing where you plonk keys and magic into systems.


  • Registered Users Posts: 1,305 ✭✭✭Joshua J


    kippy wrote: »
    Based on what?
    There's zero chance these guys are getting their ransom.
    Based on the fact the HSE are in possession of the decrypt key. I thought that was obvious.


  • Registered Users Posts: 7,659 ✭✭✭Floppybits


    Joshua J wrote: »
    Based on the fact the HSE are in possession of the decrypt key. I thought that was obvious.

    Was the ransom paid? Why did the hackers give them a decrypt key?

