
Ransomware & HSE


Comments

  • Registered Users Posts: 8,208 ✭✭✭saabsaab


    DrumSteve wrote: »
    Personally I think we went to our American friends and asked who would have the capability to push this, which resulted in someone in Russia getting a clip around the ear for bringing attention to themselves. Which is how we got the decryption key.


    Could be.


  • Registered Users Posts: 4,928 ✭✭✭skimpydoo


    The RTE One Six One News mentioned the decryption code that was supplied to the HSE. Why is the correct terminology not being used?


  • Moderators, Politics Moderators Posts: 39,893 Mod ✭✭✭✭Seth Brundle


    skimpydoo wrote: »
    The RTE One Six One News mentioned the decryption code that was supplied to the HSE. Why is the correct terminology not being used?

    Because their reporters and audience are mainly non-techies who don't care about the details, they just want to know it will work


  • Registered Users Posts: 4,928 ✭✭✭skimpydoo


    Because their reporters and audience are mainly non-techies who don't care about the details, they just want to know it will work

    They are confusing things.


  • Registered Users Posts: 7,882 ✭✭✭frozenfrozen


    Those words make it sound like the bomb has been defused case closed back to normal


  • Registered Users Posts: 7,256 ✭✭✭plodder


    With respect, I think you need to do a little more research on what 'salting' a key means. There's no such thing as a 'master' over-riding key.

    So what do you think a Key Derivation Function is used for, if not to generate/derive keys :confused:

    TLS uses that exact algorithm to generate session keys from a master secret.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    stop ffs, you're embarrassing yourself, jesus wept :D:D:D

    You think you know what you're talking about when, in reality, you don't have a clue what you're talking about.

    I'd put good money on the decryption keys being provided due to intense international political pressure - the Russian state told them to provide them.

    All of this would have gone on behind the scenes, we the public will never be privy to this information.


  • Moderators, Category Moderators, Computer Games Moderators, Society & Culture Moderators Posts: 34,610 CMod ✭✭✭✭CiDeRmAn


    Keyzer wrote: »
    You think you know what you're talking about when, in reality, you don't have a clue what you're talking about.

    I'd put good money on the decryption keys being provided due to intense international political pressure - the Russian state told them to provide them.

    All of this would have gone on behind the scenes, we the public will never be privy to this information.

    Ireland having a reputation as an honest broker in international affairs and currently on the UN Security Council might have swung it with the Russians to lean on the group for the released decryption key.
    The money is in selling the data, which they'll do and make a fortune.
    While a nation gets its health system back


  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    kippy wrote: »
    No Ransom has been paid.
    Anyone with a quarter of a brain will know that.

    It would be impossible to make a payment of any significance without details leaking.


  • Registered Users Posts: 634 ✭✭✭souter


    From what I've read on conti so far it uses a non-standard encryption to make it fast https://www.zdnet.com/article/conti-ransomware-uses-32-simultaneous-cpu-threads-for-blazing-fast-encryption/
    i.e. using well established maths, but not just a passphrase to be fed into off the shelf s/w.
    So the HSE et al will be re-implementing it, which is why it's not a magic key.
    (and not forgetting every system has to be flushed, sterilised and secured, irregardless of how much we may want to believe the hackers' bona fides).

    So, why did this become available?
    1) HSE/Irish government paid the ransom secretly. Honestly don't think this is likely.
    2) Hackers had a fit of conscience. Yeah. right
    3) Specific hackers got leant on by other hackers for pissing on the doorstep, or were double dealt. Possible.
    4) Putin not liking the publicity, FSB abseil into a few basements waving underpants and perfume bottles. Very likely
    5) Copious plain texts with ciphers means several well resourced state bodies have technology to reverse engineer the cipher, but may not want to publicise this. I think this is a possibility - you look to history and being able to break encryption is a double edged sword, use it and you lose the advantage.


  • Registered Users Posts: 18,067 ✭✭✭✭fryup


    is this the same gang that targeted the NHS a few years back?


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    fryup wrote: »
    is this the same gang that targeted the NHS a few years back?

    No, NHS was wannacry which went after everything. The only reason wannacry was stopped was because an ethical hacker found a killswitch

    The experience of NHS should have warned the HSE what can happen. Wannacry was also an actual zeroday knocking out companies of all sorts all over the World.


  • Registered Users Posts: 18,067 ✭✭✭✭fryup


    zeroday?


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    fryup wrote: »
    zeroday?

    A zeroday at some point (around the initialisation of the RAT most likely) has been mentioned but so has a lot of other "noise". At the moment there's nothing in any publicly available report with this detail although one or two on this thread have said there might be something in it.
    I would say myself it is unlikely a Zeroday is involved in any portion of this event.


  • Registered Users Posts: 4,573 ✭✭✭Infini


    fryup wrote: »
    zeroday?

    Zero Day Attacks are viruses or exploits that are essentially undiscovered or unknown to the IT industry, the likes of hackers or even intelligence agencies love these as they allow someone to mount a successful attack on a high value network which would be otherwise secured as the exploit isn't being anticipated so can't be defended against. Microsoft/Intel/AMD etc hate these flaws because some agencies hide them instead of telling them about it so they can fix the code.


  • Registered Users Posts: 4,327 ✭✭✭arctictree


    Would the HSE not be just better off turning on all their systems from a backup even if the virus or backdoor is present? What's worse, data being exposed or people dying from lack of treatment? It's not like it's a commercial body.


  • Registered Users Posts: 18,067 ✭✭✭✭fryup


    ^^damned if they do damned if they don't, i suppose


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    fryup wrote: »
    zeroday?

    https://en.wikipedia.org/wiki/Zero-day_(computing)

    The HSE lied to the public saying the current issue they have is a zeroday, which it isn't. A zeroday is nearly impossible to defend against as it has never been seen before and you have no "fix".
    The HSE attack was not a zeroday, the NHS and wannacry was.


  • Registered Users Posts: 2,234 ✭✭✭deandean


    From a small amount of insider information and from the reported circumstances, here is what happened:
    - The attack was recognised as coming from within Russia.
    - The Russian Ambassador was called in for a meeting at top-level in Dublin. The displeasure of the state was clearly laid out to him.
    - Top-level diplomats in Russia were informed of the situation, right up to Mr Putin.
    - The hackers, who of course are known by high-level Russian intelligence, were told to cease & desist or face a SWAT team and being wiped out.
    - The hackers complied, and sent the decrypt key to the HSE.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    deandean wrote: »
    From a small amount of insider information and from the reported circumstances, here is what happened:
    - The attack was recognised as coming from within Russia.
    - The Russian Ambassador was called in for a meeting at top-level in Dublin. The displeasure of the state was clearly laid out to him.
    - Top-level diplomats in Russia were informed of the situation, right up to Mr Putin.
    - The hackers, who of course are known by high-level Russian intelligence, were told to cease & desist or face a SWAT team and being wiped out.
    - The hackers complied, and sent the decrypt key to the HSE.

    Source for this information?


  • Registered Users Posts: 2,234 ✭✭✭deandean


    Go Fish :)


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    deandean wrote: »
    Go Fish :)

    The SWAT team into Russia was the big problem you had.
    Then saying they would need to compile the decrypt key, would you not think before they released the ransomware they would already have the ability to turn it off ready?

    Was more along, Government & HSE knew they are f**ked
    Needed to resolve the issue
    Lied to public and paid the money. Will just hide it in the "response budget"

    You might say our government never lies, then again you have Leo leading the lot and he slips the odd contract to his mates to grease the wheels :P


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    The SWAT team into Russia was the big problem you had.
    Then saying they would need to compile the decrypt key, would you not think before they released the ransomware they would already have the ability to turn it off ready?

    Was more along, Government & HSE knew they are f**ked
    Needed to resolve the issue
    Lied to public and paid the money. Will just hide it in the "response budget"

    You might say our government never lies, then again you have Leo leading the lot and he slips the odd contract to his mates to grease the wheels :P

    You think there wouldn't be a leak from within the civil service/government/opposition/hackergroup/etc about the payment of a ransom if that was paid?
    Seriously?
    No one is saying that the government never "lies" but on this occasion there is NOTHING to suggest that they have.


  • Registered Users Posts: 11,035 ✭✭✭✭J Mysterio


    The government absolutely would not be able to keep it a secret had they paid a ransom. The provision of the decryption key is almost certainly due to diplomatic efforts.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    J Mysterio wrote: »
    The government absolutely would not be able to keep it a secret had they paid a ransom. The provision of the decryption key is almost certainly due to diplomatic efforts.


    I can't help wondering if perhaps the attack on Ireland's HSE was a demo. A bit of marketing as it were. Providing the key, and (hopefully) demonstrating it can decrypt the files shows that they mean business, so if they target a larger or richer country, that pay up and you'll get a valid key that will work.


  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    fryup wrote: »
    is this the same gang that targeted the NHS a few years back?

    Nope, that was the North Korean government.


  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    ineedeuro wrote: »
    https://en.wikipedia.org/wiki/Zero-day_(computing)

    The HSE lied to the public saying the current issue they have is a zeroday, which it isn't. A zeroday is nearly impossible to defend against as it has never been seen before and you have no "fix".
    The HSE attack was not a zeroday, the NHS and wannacry was.

    What's your source for this please?


  • Registered Users Posts: 29,117 ✭✭✭✭AndrewJRenko


    ineedeuro wrote: »
    Lied to public and paid the money. Will just hide it in the "response budget"

    You might say our government never lies, then again you have Leo leading the lot and he slips the odd contract to his mates to grease the wheels :P

    Do you think Leo has the password to the online banking accounts to do the purchase and transfer of bitcoin? How many would be involved in actually paying the ransom?


  • Registered Users Posts: 6,818 ✭✭✭SouthWesterly


    Do you think Leo has the password to the online banking accounts to do the purchase and transfer of bitcoin? How many would be involved in actually paying the ransom?

    Good job bertie wasn't in charge. He never even had a bank account


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    ineedeuro wrote: »
    https://en.wikipedia.org/wiki/Zero-day_(computing)

    The HSE lied to the public saying the current issue they have is a zeroday, which it isn't. A zeroday is nearly impossible to defend against as it has never been seen before and you have no "fix".
    The HSE attack was not a zeroday, the NHS and wannacry was.


    The HSE brought in FireEye to investigate, and FireEye said it was a zero day.



    What's your source that it wasn't a zero day?

