
Ransomware & HSE


Comments

  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    RogerThis wrote: »
    The HSE is funded by the Department of Health. It's separate from the department of health. The HSE is not a state body.

    Semantics. The HSE is part of a government department (State), its insurance is underwritten by the Department of Health (State) so it does not have its own insurance coverage, it would be prohibitively expensive and completely unsustainable.

    Is maith an scáthán súil charad.




  • Registered Users Posts: 15,682 ✭✭✭✭Beechwoodspark


    Folks, can anyone explain why the hackers “provided” the decryption key to the HSE earlier on?

    Why would they do that?

    Is it likely a ransom was paid or why did the hackers suddenly give it?


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Joshua J wrote: »
    Based on the fact the HSE are in possession of the decrypt key. I thought that was obvious.

    Have you read anything that the alleged hackers said when notifying the public about the key?
    Have you read anything about what every element of the state is saying about the payment of a ransom?


  • Registered Users Posts: 1,305 ✭✭✭Joshua J


    Floppybits wrote: »
    Was the ransom paid? Why did the hackers give them a decrypt key?

    Why do you think the hackers gave them the decrypt key?


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    kippy wrote: »
    Based on what?
    There's zero chance these guys are getting their ransom.

    What makes you assume this? The HSE was clearly on its knees, it is far more likely a ransom was paid than not, had this gone into next week a chaotic situation in our health system would even have ended in total collapse and that coming from medical professionals working in the system.

    Is maith an scáthán súil charad.




  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Folks, can anyone explain why the hackers “provided” the decryption key to the HSE earlier on?

    Why would they do that?

    Is it likely a ransom was paid or why did the hackers suddenly give it?

    It wasn't 'sudden' - there could be a lot going on behind the scenes that we are unaware of.
    There could be a number of reasons:

    This key may just decrypt a subset of data. To prove that they can decrypt the rest if paid.
    As a gesture of 'good faith' - pay the ransom and we will give you the data back.
    As a result of pressure from some angle for some means.

    This is a major data breach on an international, potentially life or death scale.
    There are a lot of interests who see this as a step too far (despite what some might think here). There are a lot more than Irish technical resources being thrown at this to track down the culprits.
    It is essentially an act of cyber terrorism.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Dempo1 wrote: »
    What makes you assume this? The HSE was clearly on its knees, it is far more likely a ransom was paid than not, had this gone into next week a chaotic situation in our health system would even have ended in total collapse and that coming from medical professionals working in the system.

    There's a lot more likely scenarios based on what we know than a ransom being paid.


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    Dempo1 wrote: »
    Semantics. The HSE is part of a government department (State), its insurance is underwritten by the Department of Health (State) so it does not have its own insurance coverage, it would be prohibitively expensive and completely unsustainable.


    Who else would insure them ?

    ........"Have you any claims against you luv ?"



    https://www.irishtimes.com/news/health/state-faces-2-8bn-in-hse-legal-claims-1.3921203

    The cost of claims against the HSE and settled last year by the agency jumped 13 per cent to €318.7 million, from €283.2 million in 2017.


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    Exactly. The injunction is to stop the media reporting the contents but the main thing this injunction wants to achieve is to stop someone creating a portal on the clear web to search the database. Or start sharing contents on SM.

    Of course this only applies in Ireland.. so may be limited in its effectiveness.

    Kind of pointless, it's the hackers the HSE should be worrying about, no reputable media outlet is going to report a person's medical data. The HSE was stung by the FT reports yesterday that they saw files on the dark net, this morning the Minister confirmed the story, whilst Paul Reid said there was no evidence, this about two hours after the Minister said there was. This injunction is more about shutting down any unflattering reporting, it's typical game play the HSE specialise in.

    Is maith an scáthán súil charad.




  • Registered Users Posts: 2,004 ✭✭✭FileNotFound


    kippy wrote: »
    It wasn't 'sudden' - there could be a lot going on behind the scenes that we are unaware of.
    There could be a number of reasons:

    This key may just decrypt a subset of data. To prove that they can decrypt the rest if paid.
    As a gesture of 'good faith' - pay the ransom and we will give you the data back.
    As a result of pressure from some angle for some means.

    This is a major data breach on an international, potentially life or death scale.
    There are a lot of interests who see this as a step too far (despite what some might think here). There are a lot more than Irish technical resources being thrown at this to track down the culprits.
    It is essentially an act of cyber terrorism.


    There was a guy on RTE a few nights back that deals with these scenarios for companies.

    By his account they do not really know who they have hacked until the victim makes contact.

    Say these are Russians and while not supported by the state are at least ignored. It may be a case of this one had too much diplomatic heat. Not like hitting a superpower. They have attacked a neutral nation's health service and prevented cancer treatment and dialysis.


  • Registered Users Posts: 8,208 ✭✭✭saabsaab


    Be interesting if they can trace it back.

    I assume that at some point someone will have used a link/saved a file that allowed the original access - unless this is some mad "hackers movie" thing where you plonk keys and magic into systems.


    I wonder if they have an inside (wo)man in the HSE?


  • Registered Users Posts: 3,330 ✭✭✭radiospan


    ixoy wrote: »
    So thejournal is now reporting that it started with an employee clicking a link

    I think there's a huge misunderstanding in the report here.

    How the Conti attacks have unfolded at other companies is:

    1. Employee clicks on a dodgy link (to the malware).
    2. Malware gets installed, encrypts everything and leaves a plaintext readme.txt file.
    3. Computer stops working.
    4. Employee finds readme.txt file, which contains a different link (to the negotiation with the hackers)

    What everyone has been asking lately is confirmation if step 1 above is truly what happened. This is not what the Journal article confirms.
    "THE HSE RANSOMWARE attack started when a single computer stopped working, causing its user to reach out for help by clicking on a link, The Journal has learned.

    A HSE worker, apparently struggling to access a non-functioning computer, sought help when prompted to do so in a file on their computer."

    The Journal article only confirms steps 3 and 4 happened. It says the computer was already non-functioning, so the malware was already installed. How that came to be installed is not yet clear. The only link the Journal reports someone clicking on was the link in step 4 above, not step 1. Big difference.

    This detail will likely be lost in the mud in the discussion over the next few days.


  • Registered Users Posts: 691 ✭✭✭hurikane


    The media seem to think they took something physical that they can give back and that’s it,

    THEY WILL KEEP A COPY

    DUN DUN DUNNNNNN


  • Registered Users Posts: 748 ✭✭✭RogerThis


    Dempo1 wrote: »
    Semantics. The HSE is part of a government department (State), its insurance is underwritten by the Department of Health (State) so it does not have its own insurance coverage, it would be prohibitively expensive and completely unsustainable.

    Is there insurance and tax on any of the vehicles owned by the HSE?


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    There was a guy on RTE a few nights back that deals with these scenarios for companies.

    By his account they do not really know who they have hacked until the victim makes contact.

    Say these are Russians and while not supported by the state are at least ignored. It may be a case of this one had too much diplomatic heat. Not like hitting a superpower. They have attacked a neutral nation's health service and prevented cancer treatment and dialysis.

    Maybe I wasn't clear - perhaps these hackers didn't intentionally set out to disrupt the health service of an EU state - who knows - but they have.

    I wouldn't underplay the significance of this on the international stage.


  • Registered Users Posts: 5,120 ✭✭✭TomOnBoard


    RogerThis wrote: »
    Is there insurance and tax on any of the vehicles owned by the HSE?

    Yes!


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    radiospan wrote: »
    I think there's a huge misunderstanding in the report here.

    How the Conti attacks have unfolded at other companies is:

    1. Employee clicks on a dodgy link (to the malware).
    2. Malware gets installed, encrypts everything and leaves a plaintext readme.txt file.
    3. Computer stops working.
    4. Employee finds readme.txt file, which contains a different link (to the negotiation with the hackers)

    What everyone has been asking lately is confirmation if step 1 above is truly what happened. This is not what the Journal article confirms.



    The Journal article only confirms steps 3 and 4 happened. It says the computer was already non-functioning, so the malware was already installed. How that came to be installed is not yet clear. The only link the Journal reports someone clicking on was the link in step 4 above, not step 1. Big difference.

    This detail will likely be lost in the mud in the discussion over the next few days.
    As you say, I think there's a lot of misunderstanding everywhere to be fair, as would be normal in a situation like this.

    Based on the report released a few days ago (discussed a few times here) - the initial egress was via a RAT that was installed by someone clicking on a link, with a shed load of actions taken afterwards before any encryption was done at all.
    This is still worth a read - even if it is a few days old as it is essentially the only "official" read on what had happened up to that point.
    https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf


  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    Problem with the HSE is you have managers (highly undeserving of the salary scale) who don't even have a degree/clerical officers who have master's degrees (poorly paid and no chance of promotion...oh and if you know so and so...they'll probably put in a word and get your relative a job...along with having their wife/brother/son/daughter stuck in somewhere...
    Honestly, you're stuck in the 1980s. Things have moved on.
    What's the bets the extra money needed for cyber protection in the HSE went instead on bonuses to management?
    The bets would be low, given that the HSE doesn't have a bonus scheme.
    RogerThis wrote: »
    The HSE isn't a state body, like the department of health. They would need insurance.
    RogerThis wrote: »
    The staff aren't civil servants, they are public servants, like teachers. The HSE is not a state body.

    The HSE is a statutory body, under the aegis of the Department of Health. Most staff are public servants, though they would have some civil servants, some who would have transferred from Dept Social Protection.


  • Registered Users Posts: 7,256 ✭✭✭plodder


    radiospan wrote: »
    I think there's a huge misunderstanding in the report here.

    How the Conti attacks have unfolded at other companies is:

    1. Employee clicks on a dodgy link (to the malware).
    2. Malware gets installed, encrypts everything and leaves a plaintext readme.txt file.
    3. Computer stops working.
    4. Employee finds readme.txt file, which contains a different link (to the negotiation with the hackers)

    What everyone has been asking lately is confirmation if step 1 above is truly what happened. This is not what the Journal article confirms.



    The Journal article only confirms steps 3 and 4 happened. It says the computer was already non-functioning, so the malware was already installed. How that came to be installed is not yet clear. The only link the Journal reports someone clicking on was the link in step 4 above, not step 1. Big difference.

    This detail will likely be lost in the mud in the discussion over the next few days.
    Exactly, there is nothing much of interest in that report. The useful lesson to be learned is step 1. which was probably a different (unknown) employee, a few weeks earlier.


  • Registered Users Posts: 748 ✭✭✭RogerThis


    TomOnBoard wrote: »
    Yes!

    Where have you seen this insurance?
    The Garda cars did not have tax or insurance.


  • Registered Users Posts: 19,857 ✭✭✭✭Donald Trump


    HSE should have just announced that they guessed the decryption key - "Put1n1sah0m0" - and sat back and watched the Russians take them out overnight


  • Registered Users Posts: 748 ✭✭✭RogerThis


    The HSE is a statutory body, under the aegis of the Department of Health. Most staff are public servants, though they would have some civil servants, some who would have transferred from Dept Social Protection.

    Do you think the HSE has cyber insurance or any other insurance?


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    RogerThis wrote: »
    Is there insurance and tax on any of the vehicles owned by the HSE?

    Now you're being silly, we are referring to Public/Health Liability insurance, not motor vehicle insurance, two very different things

    Is maith an scáthán súil charad.




  • Registered Users Posts: 8,121 ✭✭✭Cypher_sounds


    Folks, can anyone explain why the hackers “provided” the decryption key to the HSE earlier on?

    Why would they do that?

    Is it likely a ransom was paid or why did the hackers suddenly give it?



    They spent the week reading up on the HSE and realised they are already so badly run that they felt sorry for the Irish citizens so decided to return access.


  • Registered Users Posts: 5,120 ✭✭✭TomOnBoard


    RogerThis wrote: »
    Where have you seen this insurance?
    The Garda cars did not have tax or insurance.

    https://ipb.ie/


  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    RogerThis wrote: »
    Where have you seen this insurance?
    The Garda cars did not have tax or insurance.

    Garda cars do have insurance, motor insurance, taxation a separate matter, again vehicle insurance cover separate from public liability insurance which is underwritten by the Department of Justice (State)

    Is maith an scáthán súil charad.




  • Registered Users Posts: 26,986 ✭✭✭✭Dempo1


    Adrian Weckler from the Indo acting the expert on the late debate, a complete G******

    Is maith an scáthán súil charad.




  • Registered Users Posts: 1,259 ✭✭✭él statutorio


    Dempo1 wrote: »
    Adrian Weckler from the Indo acting the expert on the late debate, a complete G******

    Weckler doesn't know his arse from his elbow.

    He should stick to reviewing phones and the like.


  • Registered Users Posts: 4,928 ✭✭✭skimpydoo


    Dempo1 wrote: »
    Adrian Weckler from the Indo acting the expert on the late debate, a complete G******
    What's he saying now?


  • Registered Users Posts: 748 ✭✭✭RogerThis


    Dempo1 wrote: »
    Garda cars do have insurance, motor insurance, taxation a separate matter, again vehicle insurance cover separate from public liability insurance which is underwritten by the Department of Justice (State)

    Garda cars don't have any insurance on them. They are fully state insured. I know a guy that works for the Parks and Wildlife and he doesn't have any tax or insurance on his work van, he just needs a DOE. As he is a civil servant.

    This is where the HSE would get their cyber insurance from: https://ipb.ie/cyber-and-data-security-insurance/
    IPB Insurance is wholly Irish-owned and is the only indigenous mutual general insurance company in the Irish market. We specialise in bespoke insurance solutions within our core public service, education and health market segments and are now one of the largest liability insurers in the market. An experienced underwriter of major liability, property and motor risks, we insure some of the largest risks in the State in the public sector and complementary markets in the semi-state and private sectors.

