
Ransomware & HSE

Comments

  • Registered Users Posts: 748 ✭✭✭RogerThis


    Has IT started turning on machines yet, to see what's infected yet?


  • Registered Users Posts: 6,231 ✭✭✭Ubbquittious


    seamus wrote: »
    A national health service in the midst of a national health crisis gets a ransomware attack?

    Seems too much of a coincidence to be an accident. The HSE would be a good target as the criminals' hope would be that the HSE would just pay up to get back on track as soon as possible.

    Blacknight were also the victim of a huge directed DDOS yesterday. A single customer was targeted and when Blacknight began mitigation the DDOS redirected to attack their entire infrastructure.

    I wonder if it's related; were the HSE the customer being targeted?

    The head of IT has only been recently appointed. Transformation projects take years, shoring up security holes across disparate networks takes years. Firing a head of IT without having even the slightest bit of knowledge about the attack or the nature of the HSE IT infrastructure is reactionary nonsense.

    People can throw around all the jokes like they like about dinosaur infrastructure in the HSE, but at the end of the day if an attacker has sufficient resources and desire to get in, they will get in. So to say that someone must have clicked a link in a dodgy email or that there was an obvious unpatched security flaw that let them in, is to make gigantic assumptions based on nothing.




    They are saying now that was indeed the case. One big eejit (OBE) clicked on a link. If the system was anyway half decent an OBE could only do a very limited amount of damage. I'd hate to be that OBE now, I'd be quietly handing in my resignation and trying to find a new job serving coffee in a cafe, hoping nobody finds out it was me.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    Hibernicis wrote: »
    It's over 15 pages since anybody mentioned "WINDOWS 7" in this thread.
    But but clearly the fully patched and supported (through extended support) Windows 7 PCs were the cause of this?

    I also love the newspapers this morning shouting about how the auditors said there were control weaknesses in their last assessment. Has any audit report ever said there wasn't control weaknesses? "All is well, no need for you to hire us next year."


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    They are saying now that was indeed the case. One big eejit (OBE) clicked on a link. If the system was anyway half decent an OBE could only do a very limited amount of damage. I'd hate to be that OBE now, I'd be quietly handing in my resignation and trying to find a new job serving coffee in a cafe, hoping nobody finds out it was me.
    This is fake news, the media are misinterpreting a chat log on the gang's website. We still don't know (publicly) the source for certain.


  • Registered Users Posts: 11,014 ✭✭✭✭Tom Mann Centuria


    We've had Linux-based (Ubuntu I think, wallpaper is a Heron) computers set up today on wards in the hospital I work in. So we can check lab results again. It's the same lab system we used nearly 20 years ago and pretty clunky but considerably better than nothing. Can't do anything else yet, but it'll take a bit of pressure off the labs with us ringing down looking for results. (Lab staff deserve a nice bonus after all this because it's a pure slog for them at the moment).

    Oh, and just a by the by, if anyone has an outpatient procedure or appointment coming up, well worth ringing them to confirm, because they won't have any access to your phone number or address to contact you.

    Oh well, give me an easy life and a peaceful death.



  • Registered Users Posts: 1,575 ✭✭✭Hibernicis


    hmmm wrote: »
    I also love the newspapers this morning shouting about how the auditors said there were control weaknesses in their last assessment. Has any audit report ever said there wasn't control weaknesses? "All is well, no need for you to hire us next year."

    An audit report that states that there are no control weaknesses is a form of insurance - you'd have the makings of a good case against your auditors if anything showed up subsequently.

    This incident has thrown up some of the cringiest reporting I've seen in a long time. I understand that it is a challenge for a mainstream journo to report on something like this, but some of it is downright embarrassing. Absolutely no grasp or understanding of what is being written about. I was actually thinking the other day it would be worth keeping a list of some of the real dumb clangers.


  • Registered Users Posts: 26,578 ✭✭✭✭Turtwig


    Hibernicis wrote: »
    An audit report that states that there are no control weaknesses is a form of insurance - you'd have the makings of a good case against your auditors if anything showed up subsequently.

    This incident has thrown up some of the cringiest reporting I've seen in a long time. I understand that it is a challenge for a mainstream journo to report on something like this, but some of it is downright embarrassing. Absolutely no grasp or understanding of what is being written about. I was actually thinking the other day it would be worth keeping a list of some of the real dumb clangers.

    It's shocking isn't it? Just how bad the media is when they enter into a knowledge field you're familiar with.

    The pressure to get words, said or published is too great for any decent level of quality control. It's just a rolling cycle of ill-informed sh1t.


  • Moderators, Category Moderators, Computer Games Moderators, Society & Culture Moderators Posts: 8,502 CMod ✭✭✭✭Sierra Oscar


    Ransom demand still in play it seems, hasn’t been paid.
    A message online purporting to be from the Conti ransomware gang posted this afternoon says "we are providing the decryption tool for your network for free but you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation."

    Law enforcement agencies say cyber crime gangs often offer their victims a decryption key as proof of what they have done and because it is the data that is the valuable asset.

    State did not pay ransom for decryption key - Donnelly


  • Registered Users Posts: 24,201 ✭✭✭✭Larbre34


    Every one of these bottom feeding mother ****ers should be assassinated.

    Obviously Ireland doesn't have black ops intelligence agents running around the World, but we do have friends and we should be asking them to go to Russia and start collecting ****ing heads.


  • Registered Users Posts: 1,291 ✭✭✭meep


    Turtwig wrote: »
    It's shocking isn't it? Just how bad the media is when they enter into a knowledge field you're familiar with.

    The pressure to get words, said or published is too great for any decent level of quality control. It's just a rolling cycle of ill-informed sh1t.


    My favorite was RTE's science correspondent who, on the day the attack was revealed, twice referred to it as a ‘randomware’ attack.


  • Registered Users Posts: 2,589 ✭✭✭wandererz


    Larbre34 wrote: »
    Every one of these bottom feeding mother ****ers should be assassinated.

    Obviously Ireland doesn't have black ops intelligence agents running around the World, but we do have friends and we should be asking them to go to Russia and start collecting ****ing heads.

    Ireland has the Irish Army Rangers. The "ARW".

    Give them the intelligence, equip them, train them in these areas (if needed) and let them loose in conjunction with other Intelligence departments (which we don't have)

    Type: Special forces
    Role: Counter-terrorism; Special operations
    Size: Classified
    Garrison/HQ: DFTC, Curragh Camp, County Kildare
    Colours: Black, Red and Gold

    According to Wikipedia:
    The ARW has trained with other military and law enforcement special operations forces, including;
    United States – 75th Ranger Regiment, Delta Force, Navy SEALs & Marine Corps Force Reconnaissance

    Me likes it all.
    I need some of this.

    When can we have it please.


  • Registered Users Posts: 24,201 ✭✭✭✭Larbre34


    I'm aware of the Rangers. This is not what they are for.

    Long term immersion on foreign soil posing as civilians is not what they do. I can't imagine any of them being fluent in Russian either.

    They are special operations military, not secret intelligence agents.


  • Registered Users Posts: 2,589 ✭✭✭wandererz


    Larbre34 wrote: »
    I'm aware of the Rangers. This is not what they are for.

    Long term immersion on foreign soil posing as civilians is not what they do. I can't imagine any of them being fluent in Russian either.

    They are special operations military, not secret intelligence agents.
    Larbre34 wrote: »
    Every one of these bottom feeding mother ****ers should be assassinated.

    I'm sure they can do this.
    Larbre34 wrote: »
    I can't imagine any of them being fluent in Russian either.

    Was Russia mentioned? Do they really need to? If not, then why not? They are our closest threat.
    Larbre34 wrote: »
    They are special operations military, not secret intelligence agents.

    That's why I mentioned "in conjunction with other Intelligence departments (which we don't have)".


  • Registered Users Posts: 4,435 ✭✭✭mandrake04


    saabsaab wrote: »
    Might stand out a bit too much?

    Had a mental picture of a guy called Rory with big red face and big head of red hair...thick Kerry accent..


  • Registered Users Posts: 2,419 ✭✭✭kowloonkev


    Maybe it's time for state sponsored ransomware attacks on Russian public services? Call them ethical hackers. Perhaps start with attacking their oil and gas pipelines in the middle of winter. Or are they immune to such attacks?


  • Moderators, Category Moderators, Computer Games Moderators, Society & Culture Moderators Posts: 34,610 CMod ✭✭✭✭CiDeRmAn


    mandrake04 wrote: »
    Had a mental picture of a guy called Rory with big red face and big head of red hair...thick Kerry accent..

    Howaya, are you one a'dem random wear lads?


  • Moderators, Category Moderators, Computer Games Moderators, Society & Culture Moderators Posts: 34,610 CMod ✭✭✭✭CiDeRmAn


    If the state have to do a random reallocation of pps numbers let them at it, it would mitigate some of the potential effects of the data breach.
    I'm just glad we are [ill-founded hope] potentially going to have our systems up and running again, particularly in critical and time sensitive care areas [/ill-founded hope]
    Having radiotherapy cancelled, state wide, as well as other essential interventions is going to make people suffer, if not cost lives, in terms of delayed treatment and palliative care.
    If this key turns out to be genuine, I imagine a triage of systems, determine those that need repair the soonest and get to them.
    I don't mind waiting a couple of weeks to see my device decrypted, just a comfort that three years work might not have evaporated.


  • Registered Users Posts: 3,252 ✭✭✭nc6000


    meep wrote: »
    My favorite was RTE's science correspondent who, on the day the attack was revealed, twice referred to it as a ‘randomware’ attack.

    Yes, on Friday's One o'clock News I think George Lee actually said it three times. :)


  • Registered Users Posts: 18,167 ✭✭✭✭VinLieger


    Someone on NT just there confirming again they didn't pay the ransom directly or via a third party as some had theorised. Heavily hinted it was political pressure via international bodies that got the encryption key.


  • Registered Users Posts: 9,509 ✭✭✭irishgeo


    VinLieger wrote: »
    Someone on NT just there confirming again they didn't pay the ransom directly or via a third party as some had theorised. Heavily hinted it was political pressure via international bodies that got the encryption key.
    The chat with Russian ambassador must have worked.


  • Registered Users Posts: 7,256 ✭✭✭plodder


    VinLieger wrote: »
    Someone on NT just there confirming again they didn't pay the ransom directly or via a third party as some had theorised. Heavily hinted it was political pressure via international bodies that got the encryption key.
    Stephen Donnelly just said it on RTE radio. There is simply no way they can pay a ransom without openly changing that policy now.


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    VinLieger wrote: »
    Someone on NT just there confirming again they didn't pay the ransom directly or via a third party as some had theorised. Heavily hinted it was political pressure via international bodies that got the encryption key.

    Windows NT?


  • Registered Users Posts: 19,802 ✭✭✭✭suicide_circus


    Larbre34 wrote: »
    I'm aware of the Rangers. This is not what they are for.

    Long term immersion on foreign soil posing as civilians is not what they do. I can't imagine any of them being fluent in Russian either.

    They are special operations military, not secret intelligence agents.

    I'd honestly use the $20m they wanted in ransom to hire some people to dispose of these hackers


  • Registered Users Posts: 620 ✭✭✭Fuascailteoir


    Larbre34 wrote: »
    I'm aware of the Rangers. This is not what they are for.

    Long term immersion on foreign soil posing as civilians is not what they do. I can't imagine any of them being fluent in Russian either.

    They are special operations military, not secret intelligence agents.

    Liam Neeson would suffice


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    VinLieger wrote: »
    Someone on NT just there confirming again they didn't pay the ransom directly or via a third party as some had theorised. Heavily hinted it was political pressure via international bodies that got the encryption key.
    That was my suspicion. Someone in the Russian government had a quick chat with the criminals that continuing to keep a country's health service paralysed during a pandemic would likely bring "unwanted" scrutiny on their operations.

    I have heard before of the key being provided for free, but the timing is odd. If that was their plan why didn't they prove they had the data and release the key on Monday?

    Some people online made a lot of the statement that "no ransom was paid by the Irish State" like it was some coded hint that someone else paid it. But why would they? It was just a clunky way of saying "no ransom was paid".


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    They don't necessarily have to be directing it. It could be either being done with their tacit approval or turning a blind eye, or perhaps even their current or past agents doing it as a sideline.


    You'll probably find that there aren't too many ransomware attacks from this group on Russian targets.

    This is true, Russia turns a blind eye to this stuff all the time. Criminals operating out of Odessa years back were targeting banks all over the world with credit card fraud, made a fortune. They then mistakenly targeted a Russian bank and within two hours Spetsnaz raided them.

    However, this is small fry for the Russian State - they are not behind this, aware yes, but not behind it.
    No ransom has been paid. More likely pressure is being put on the group by Russian intelligence services. The Russian Government might get its planning permission for its extensive embassy development here after all and a blind eye turned to what goes into it. There’s undoubtedly some quid pro quo involved somewhere.

    Agreed - something obviously going on in the background within diplomatic channels. Surprising turn of events though, I don't remember seeing decryption keys being handed over like this.
    cnocbui wrote: »
    WE need to close the Russian embassy and expel all of its diplomats and staff. It is far larger than needed for such a tiny country as it's an intelligence base for a large chunk of their espionage activities in Europe.

    Go away, please, just go away...
    The media seem to think they took something physical that they can give back and that’s it,

    THEY WILL KEEP A COPY

    Exactly - like the guy who wanted his song back on Napster years back.
    RogerThis wrote: »
    It's not really. It's the reason the hackers do it.

    The ransom is paid by the insurance company, not by the state or HSE.
    That's what cyber insurance is for.

    I highly doubt they have cyber insurance.
    Folks can anyone explain why the hackers “provided” the decryption key to the HSE earlier on?

    Why would they do that?

    Is it likely a ransom was paid or why did the hackers suddenly give it?

    Diplomatic pressure I would assume, most likely instructed to by the Russian government after political discussion.
    There was a guy on RTE a few nights back that deals with these scenarios for companies.

    By his account they do not really know who they have hacked until the victim makes contact.

    Say these are Russians and while not supported by the state are at least ignored. It may be a case of this one had too much diplomatic heat. Not like hitting a superpower. They have attacked a neutral nation's health service and prevented cancer treatment and dialysis.

    That's true, in these instances they throw it out and hope for a return. I doubt this was a targeted attack on the HSE.
    Hibernicis wrote: »
    It's over 15 pages since anybody mentioned "WINDOWS 7" in this thread.

    Is this a record?

    Lol...
    Hibernicis wrote: »
    An audit report that states that there are no control weaknesses is a form of insurance - you'd have the makings of a good case against your auditors if anything showed up subsequently.

    This incident has thrown up some of the cringiest reporting I've seen in a long time. I understand that it is a challenge for a mainstream journo to report on something like this, but some of it is downright embarrassing. Absolutely no grasp or understanding of what is being written about. I was actually thinking the other day it would be worth keeping a list of some of the real dumb clangers.

    Not necessarily, you still have a duty of care to ensure you are protecting data adequately. Compliance does not mean secure - too many companies take an audit driven, check box approach to security. Pass audit, winner, we're secure. Doesn't work that way.
    meep wrote: »
    My favorite was RTE's science correspondent who, on the day the attack was revealed, twice referred to it as a ‘randomware’ attack.

    Clown school...
    kowloonkev wrote: »
    Maybe it's time for state sponsored ransomware attacks on Russian public services? Call them ethical hackers. Perhaps start with attacking their oil and gas pipelines in the middle of winter. Or are they immune to such attacks?

    Don't be ridiculous... you're actually suggesting Ireland should start a targeted cyber attack on Russia? This is delusional and laughable.

    If Russia decided, they could bring this country to its knees with a barrage of cyber attacks.
    Liam Neeson would suffice

    I'd go for this option...


  • Registered Users Posts: 26,578 ✭✭✭✭Turtwig


    The spokespeople for the various entities would only state their organisation in the denial as they would never be 100% some other entity didn't do it without extensive communication first. In the heat of the moment they can only confidently state what the officials in their organisation have said. Nothing more.


  • Registered Users Posts: 554 ✭✭✭Fiftyfilthy


    Think Ireland and Russia have a good relationship so wouldn’t surprise me if the Russian government has helped in some way.


  • Registered Users Posts: 7,256 ✭✭✭plodder


    seamus wrote: »
    That was my suspicion. Someone in the Russian government had a quick chat with the criminals that continuing to keep a country's health service paralysed during a pandemic would likely bring "unwanted" scrutiny on their operations.
    It's possible that happened, but I guess we'll never know for sure. I wonder also (or instead) was pressure put on the Irish government by friendly governments like the UK and US. The first head of the UK NCSC was on RTE yesterday and was talking about how serious the US in particular is taking the problem. They could have sweetened the request to not pay, with offers of help maybe?


  • Registered Users Posts: 33,105 ✭✭✭✭gmisk


    meep wrote: »
    My favorite was RTE's science correspondent who, on the day the attack was revealed, twice referred to it as a ‘randomware’ attack.
    There was a senior member of the defence forces referring to "re-imagining" 90k PCs...

