Ransomware & HSE

MrMusician18

Deleted User wrote: »

Head of IT Ops from the HSE on the radio now saying they believe it was a zero day exploit.

That would point to a state actor although the minister is saying it's not.

Why would someone attack the HSE of all international organizations with a zero day attack.

Pandiculation

Usually they’re often not an obvious email. They’ll be something that looks very believable.

Unfortunately, some of this stuff isn’t preventable at the human factors level.

In this case this is very much a targeted attack. It’s not likely to be a simply phishing expedition.

MrMusician18

MrMusician18 wrote: »

That would point to a state actor although the minister is saying it's not.

Why would someone attack the HSE of all international organizations with a zero day attack.

Because theres a decent chance they will pay up?

seamus

MrMusician18 wrote: »

That would point to a state actor although the minister is saying it's not.

Why would someone attack the HSE of all international organizations with a zero day attack.

Suggestions that it could be Israeli after Coveney's criticism of Israel.

Sounds outlandish, but the online arm of the IDF is semi-autonomous and incredibly petty and thin-skinned.

BailMeOut

I think it is very impressive that they were able to make the decision to shut down everything so quickly which was a very big and brave call.

Prisoner6409

BailMeOut wrote: »

When they figure out what happened it will on all likelihood come down to an individual with higher-level access being tricked into doing something stupid to allow access. We all think these hacks are very sophisticated but usually are very low tech and the weak link is a human who clicks something, installs software, or gives out information over the phone to the bad folks which then allowed access. From what I am reading this hack is about data loss/theft so the hackers are simply copying data from the HSE to their systems and probably just using the permission of the user or admin who had access.

It's very tough to prevent humans from doing stupid things and the HSE will have layers of systems, processes, and training in place to stop people from doing stupid things but the bad folks will always find a way around this.

These attacks are well planned. They do not just rely on some idiot clicking a link. Over time they gain access to different parts of a system building up a profile until then are ready to Attack. These guys earn millions from this, it is not just haphazard, it is a well planned organised attack and the HSE like others are chasing their tails when they could have been ahead of the curve with a better plan. Having no offsite backup is just bad planning.

Pandiculation

seamus wrote: »

Suggestions that it could be Israeli after Coveney's criticism of Israel.

Sounds outlandish, but the online arm of the IDF is semi-autonomous and incredibly petty and thin-skinned.

Seems a bit far fetched, given the attack on the US pipeline it looks more likely that that or similar groups are more likely.

There were also regular attacks on other public health systems networks in Europe and beyond.

whippet

BailMeOut wrote: »

I think it is very impressive that they were able to make the decision to shut down everything so quickly which was a very big and brave call.

that is standard practice !

magicbastarder

Deleted User wrote: »

Head of IT Ops from the HSE on the radio now saying they believe it was a zero day exploit.

if i was him, i'd be saying that too...

Pandiculation

Pandiculation wrote: »

Usually they’re often not an obvious email. They’ll be something that looks very believable.

Unfortunately, some of this stuff isn’t preventable at the human factors level.

In a former role my job was to analyze possible phishing emails. We got sent one by the CEOs PA asking us to review it. It was an email from him to her saying his wallet and passport had been stolen, he was on business in Berlin at the time, and was asking her to wire him 5 grand.

Just for context, this guy was CEO of a major financial organisation so would have had a suite at a top hotel.

She said she was seconds from sending the money when she thought:

"Hang on, if that was the case, he would ring the hotel and they would give him a room no questions asked. They'd probably even front him cash if he needed some. He could then ring me and the bank, and he'd be sorted very quickly".

It turns out, the CEO's phone had been stolen, and the Western Union link that had been included in the email would send the money to a Western Union in Russia.

Deliverance XXV

Deleted User wrote: »

Head of IT Ops from the HSE on the radio now saying they believe it was a zero day exploit.

What station was this on? Would love to listen back to it.

A zero day is a pretty bold claim to make this early in the investigation. Did they reference if point of entry was an external service or through a user's actions (browser, email, etc)?

magicbastarder

magicbastarder wrote: »

if i was him, i'd be saying that too...

Her.

Rep from the National Cyber Security Centre also said the same.

seamus

Prisoner6409 wrote: »

Having no offsite backup is just bad planning.

You don't know that they don't have one. DR failover is generally not equipped to deal with this kind of incident. You have a separate process for this kind of restore that you typically measure in hours to days.

whippet wrote: »

that is standard practice !

Yes, but sticking to it is still often an issue. A lot companies have landed themselves in trouble by not shutting everything down and trying to limp along instead, fix as you go.

Given the gravity of the current health emergency, this was not an easy decision to make.

Deliverance XXV

Deliverance XXV wrote: »

What station was this on? Would love to listen back to it.

A zero day is a pretty bold claim to make this early in the investigation. Did they reference if point of entry was an external service or through a user's actions (browser, email, etc)?

RTE Radio One

They don't know or aren't willing to say point of entry yet. To be fair, this incident is less than twelve hours old.

iamwhoiam

I am really naive about such crimes but how do they make money from the cyber attacks ?

frozenfrozen

iamwhoiam wrote: »

I am really naive about such crimes but how do they make money from the cyber attacks ?

they lock your files and then ask for money before giving you the tools to get your files back

joseywhales

My personal rules for avoiding malicious malware is that I never read emails that I did not initiate or that are not specific work related questions that contain information that only about a dozen people could possibly write. It also helps with avoiding pointless wastes of time at work! I've missed countless large meetings with 50+ attendees, it's a wonderful protocol that also helps protect my time.

iamwhoiam

frozenfrozen wrote: »

they lock your files and then ask for money before giving you the tools to get your files back

Ah thank you .

VinLieger

iamwhoiam wrote: »

I am really naive about such crimes but how do they make money from the cyber attacks ?

So they either steal or encrypt the data and ransom the threat of publicly releasing the data in exchange for a payment, as others discussed previously in the thread these days its always a form of cryptocurrency they ask for as its impossible to trace.

seamus

iamwhoiam wrote: »

I am really naive about such crimes but how do they make money from the cyber attacks ?

It's been made a whole lot easier with cryptocurrencies.

These types of attacks have been going around for a while, but they were pretty small scale. Some of them would have you ring up a number, give them a code, they take a credit card payment from you and give you the decryption key to unlock your files.

There are are obvious limitations here; a credit card won't cover a €50k ransom, and the phone number and card payments make you traceable if any police force gives enough of a sh1t to do so.
Others would try to use money wires (Western Union) to achieve the same thing; you can get bigger ransoms, but you're still open to detection.

Cryptocurrency removes these limitations, meaning you can demand much larger ransoms and it's impossible to trace who the money was sent to.

Hurrache

topdecko wrote: »

This is a huge issue. Healthlink down for us in GP land and we don't seem to have a back up in place. We cannot refer for COVID tests now and there will be backlog with other referrals, hope they get sorted soon however the haphazard nature of irish Health IT infrastructure is very concerning. Absolutely no plan in place to respond to this - these attacks are part of modern life, must have contingency ready to go - not merely cancelling appointments etc.

You're making a lot of assumptions there with very little knowledge in fairness.

heroics

iamwhoiam wrote: »

Ah thank you .

Ransomware is massive business.


The average ransom paid for organizations increased from US$115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase. Additionally, the highest ransom paid by an organization doubled from 2019 to 2020, from $5 million to $10 million. Meanwhile, cybercriminals are getting greedy. From 2015 to 2019, the highest ransomware demand was $15 million. In 2020, the highest ransomware demand grew to $30 million.

https://unit42.paloaltonetworks.com/ransomware-threat-report-highlights/

AndrewJRenko

Prisoner6409 wrote: »

These attacks are well planned. They do not just rely on some idiot clicking a link. Over time they gain access to different parts of a system building up a profile until then are ready to Attack. These guys earn millions from this, it is not just haphazard, it is a well planned organised attack and the HSE like others are chasing their tails when they could have been ahead of the curve with a better plan. Having no offsite backup is just bad planning.

Offsite backups don't help you when you have an unknown number of infected clients on the network. They can't switch over to backup site until they clear the infection.

Why do you assume that they don't have backups?

Lots of assumptions on your part.

Furze99

joseywhales wrote: »

My personal rules for avoiding malicious malware is that I never read emails that I did not initiate or that are not specific work related questions that contain information that only about a dozen people could possibly write. It also helps with avoiding pointless wastes of time at work! I've missed countless large meetings with 50+ attendees, it's a wonderful protocol that also helps protect my time.

Well if you can manage your working life and get paid along those lines, then good luck to you.

If on the other hand, you need to deal with the public - you'd go out of business queer quick with that approach!

StupidLikeAFox

BrianD3 wrote: »

Absurd if all of this is because somebody clicked on a link or attachment in an unsolicited email. Any consequence for them?

IME these emails are very easy to spot even if they are more clever than the "click here to win money!!" type emailed links that we used to see.

If someone uses a computer as part of their job, it's also part of their job not to make these errors. Just as if someone works in a warehouse full of valuable stock, it's part of their job not to leave the door open and alarm off.

Some are very subtle though Our company put in a "fake phishing" system a while ago which randomly sends phishing type emails to employees. If you click the link you have to complete an online security course. They have got more sophisticated over time and having been caught twice (even though I would consider myself diligent enough), I'm now sceptical of coming in that isnt from a person I know.

Its a great system and really trains people over time. They sent out digital one4all vouchers as a bonus to some teams last summer and had to send a follow up email to say "these are genuine, stop reporting them as spam"

gctest50

With crypto, it could easiy be an inside job




Nice to be sitting there in the middle of all the chaos going " it's terrible"

Furze99

Do many of these ransomware scams target state agencies and take on governments? They'd want to be knowing their stuff to avoid being tracked down as the heat will be on bigtime. They're not just taking on Ireland Inc but multiple states and agencies that will be focused on them.

gctest50

Furze99 wrote: »

............

. They're not just taking on Ireland Inc .

lol

TheValeyard

seamus wrote: »

Suggestions that it could be Israeli after Coveney's criticism of Israel.

Sounds outlandish, but the online arm of the IDF is semi-autonomous and incredibly petty and thin-skinned.

Sounds outlandish, but I've heard this from fair few people and one very high up in the HSE today. Who knows.I'd like to think the Israelis are not that petty and wouldnt go after hospitals.

AndrewJRenko

Furze99 wrote: »

Do many of these ransomware scams target state agencies and take on governments? They'd want to be knowing their stuff to avoid being tracked down as the heat will be on bigtime. They're not just taking on Ireland Inc but multiple states and agencies that will be focused on them.

Check out the Guardian link posted earlier about the US police force currently under threat of having confidential information leaked.