
Ransomware & HSE


Comments

  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Flinty997 wrote: »
    Answer this simple question then. If they'd let the systems run until fully encrypted as you suggest, but then didn't get the key, what then?

    I'm not answering for the other poster but in my opinion, they would be doing the same as they are doing right now, rebuild them.


  • Registered Users, Registered Users 2 Posts: 18,744 ✭✭✭✭kippy


    Wombatman wrote: »
    It is possible to invest in IT and Cybersecurity in a sensible way by following well established best practices. Many organisations do. Your point is fatalistic and defeatist, feeding into your incessant mantra "Ah sure, you can't blame the HSE. There is nothing you can do to combat these nasty men".



    So you are saying the best way to stop these attacks, and inevitable costly fallout, is to somehow put a stop to crime?

    I am not absolving the HSE of blame.

    Yes, the best way to stop the costly fallout from these attacks is to stop those behind them, as opposed to every organisation having to invest in costly IT and process solutions that aren't always practical and/or feasible.
    Surely it's as fatalistic and defeatist to say that you'll never stop crime or deter those behind it?


  • Registered Users, Registered Users 2 Posts: 12,517 ✭✭✭✭Flinty997


    kippy wrote: »
    I am not absolving the HSE of blame.

    Yes, the best way to stop the costly fallout from these attacks is to stop those behind them, as opposed to every organisation having to invest in costly IT and process solutions that aren't always practical and/or feasible.
    Surely it's as fatalistic and defeatist to say that you'll never stop crime or deter those behind it?

    You have to be pragmatic and maintain your systems and security and skill sets just like you put fuel in a car and service it. If you don't you're taking a risk that can come back on you.

    In parallel you have to deter criminals. But that's up to the authorities and will never remove the obligation to maintain your own systems.

    I wonder how many people reading this thread have an air gapped copy of their personal data, that they test to see it's still good now and then.


  • Registered Users, Registered Users 2 Posts: 21,130 ✭✭✭✭Ash.J.Williams


    Anybody getting bombarded with anonymous calls lately?


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Anybody getting bombarded with anonymous calls lately?

    It's happening for weeks now, it could be from HSE or it could be just people chancing their arm at the moment and putting a focus on health....


  • Registered Users, Registered Users 2 Posts: 8,184 ✭✭✭riclad


    The cost of restoring all the data and setting up new PCs is estimated to be 500 million euro.
    I presume this includes paying security experts to set up new security on the network.
    The problem is hacker gangs live in Russia or other countries where it's very difficult to track them or press charges against them. They usually avoid travelling to the USA or Europe to avoid being arrested.
    Security could be improved maybe by using cloud-based apps, but this is a complex process to set up millions of records.
    The Russian government doesn't care about EU companies getting hacked, and there are also state-sponsored hacks to get access to data.
    There used to be a lot of bank robberies in the 70s until security was improved and more people were arrested.
    It seems cybercrime is easier now, with little chance of being caught and the chance of easy money to be made.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    riclad wrote: »
    The cost of restoring all the data and setting up new PCs is estimated to be 500 million euro.
    I presume this includes paying security experts to set up new security on the network.
    The problem is hacker gangs live in Russia or other countries where it's very difficult to track them or press charges against them. They usually avoid travelling to the USA or Europe to avoid being arrested.
    Security could be improved maybe by using cloud-based apps, but this is a complex process to set up millions of records.
    The Russian government doesn't care about EU companies getting hacked, and there are also state-sponsored hacks to get access to data.
    There used to be a lot of bank robberies in the 70s until security was improved and more people were arrested.
    It seems cybercrime is easier now, with little chance of being caught and the chance of easy money to be made.

    The HSE are making a lot of sales people’s targets, they went rushing to a load of companies in a panic because of the attack. So they could name their price, in other words they are getting zero discount and most of these companies are probably putting a higher profit onto the consultants. They are probably paying circa 3-4K per day for the security people.

    All could and should have been avoided if they had an incident response plan with a contract in place


  • Registered Users, Registered Users 2 Posts: 1,614 ✭✭✭Hibernicis


    ineedeuro wrote: »
    The HSE are making a lot of sales people’s targets, they went rushing to a load of companies in a panic because of the attack. So they could name their price, in other words they are getting zero discount and most of these companies are probably putting a higher profit onto the consultants. They are probably paying circa 3-4K per day for the security people.

    All could and should have been avoided if they had an incident response plan with a contract in place

    Have you an attributable source for any of this or is it all stuff you made up?


  • Registered Users, Registered Users 2 Posts: 9,557 ✭✭✭DublinWriter


    Flinty997 wrote: »
    Another reason to leave it running is if you can run forensics on it as it runs.

    That goes against every good practice of Digital Forensics there is. The rule is to image the affected volumes while the system is offline and run your analysis on the image.


  • Registered Users, Registered Users 2 Posts: 12,517 ✭✭✭✭Flinty997


    That goes against every good practice of Digital Forensics there is. The rule is to image the affected volumes while the system is offline and run your analysis on the image.

    True. But that's not the whole picture. Sometimes you can learn things from an active attack that you can't afterwards.


  • Registered Users, Registered Users 2 Posts: 9,557 ✭✭✭DublinWriter


    Flinty997 wrote: »
    True. But that's not the whole picture. Sometimes you can learn things from an active attack that you can't afterwards.

    Yes, things like "ohhh this ransomware is really quick at encrypting my live data!"

    Rule is knock it off-line, image volumes, run any live-analysis in a sandboxed tin/virtual environment based on the imaged volumes if you need to observe the attack operating in real-time.


  • Registered Users, Registered Users 2 Posts: 12,517 ✭✭✭✭Flinty997


    Yes, things like "ohhh this ransomware is really quick at encrypting my live data!"

    Rule is knock it off-line, image volumes, run any live-analysis in a sandboxed tin/virtual environment based on the imaged volumes if you need to observe the attack operating in real-time.

    You could ask 10 experts and get 10 different answers.

    https://www.cisa.gov/publication/ransomware-guide
    After an initial compromise, malicious actors may monitor your organization’s activity or communications
    to understand if their actions have been detected. Be sure to isolate systems in a coordinated manner and
    use out-of-band communication methods like phone calls or other means to avoid tipping off actors that
    they have been discovered and that mitigation actions are being undertaken. Not doing so could cause
    actors to move laterally to preserve their access—already a common tactic—or deploy ransomware widely
    prior to networks being taken offline.


  • Posts: 5,917 ✭✭✭ [Deleted User]


    Hibernicis wrote: »
    Have you an attributable source for any of this or is it all stuff you made up?

    As we're still waiting for a source for their claim that any new laptops being purchased will be outside the normal tender process and cost multiples of the normal price, I've an idea that it's perhaps the latter.


  • Registered Users, Registered Users 2 Posts: 35,355 ✭✭✭✭Hotblack Desiato


    pioneerpro wrote: »
    In any case, this sort of non-targeted ransomware attack

    Where are you getting that nugget from?

    pioneerpro wrote: »
    I wouldn't mind, but the hackers themselves bent over backwards almost immediately after the fact to prevent loss of life - they kept the demands strictly tied to personal information.

    Now that's complete and utter bullshít.

    Radiotherapy went down. Chemotherapy went down.

    ineedeuro wrote: »
    they would be doing the same as they are doing right now, rebuild them.

    How do you know what is being rebuilt? Wasn't it reported that they were decrypting at least some servers?

    Scrap the cap!



  • Registered Users, Registered Users 2 Posts: 35,355 ✭✭✭✭Hotblack Desiato


    pioneerpro wrote: »
    If you don't have the privileges and the ability to encrypt files on the file system, then the attack simply can't happen.

    Those file systems are useless without working endpoints.

    Tens of thousands of fcuked-up endpoints massively increases the time to restoration of service levels, and that's with the key.

    Imagine how píssed off you'd be if you were a paying customer :p

    Scrap the cap!



  • Registered Users, Registered Users 2 Posts: 8,184 ✭✭✭riclad


    I wonder if other government departments have a plan in place. Do they have 24/7 secure backups? Do they plan for hacking attacks?
    Do they use old OS PCs, e.g. Windows 7? Do they have a contract with security companies,
    pen testing, e.g. test the security of networks by independent security experts?
    I'd imagine if you have complete data backups every day it will enable a faster and cheaper restoration process in the event of a hack.


  • Registered Users, Registered Users 2 Posts: 7,608 ✭✭✭corkie


    Data stolen in HSE cyber attack downloaded 23 times before being removed, High Court told


    "OVER 20 PEOPLE either uploaded or downloaded confidential information stolen in last month’s cyberattack on the HSE onto a web service provided by a Google-owned internet security firm, the High Court has heard.

    Justice Tony O’Connor heard today that late last month approximately 27 files stolen from the HSE were downloaded onto a malware analysis service ‘VirusTotal’ which is owned and run by Chronicle Security Ireland Ltd and its US-based parent Chronicle LLC.
    "

    Didn't know that ‘VirusTotal’ was owned by google.


  • Posts: 0 [Deleted User]


    I got a smile from the colours used in your post while I'm using the dark theme in my browser. Reminded me of my mIRC days :)


  • Posts: 5,917 ✭✭✭ [Deleted User]


    riclad wrote: »
    I wonder if other government departments have a plan in place. Do they have 24/7 secure backups? Do they plan for hacking attacks?
    Do they use old OS PCs, e.g. Windows 7? Do they have a contract with security companies,
    pen testing, e.g. test the security of networks by independent security experts?
    I'd imagine if you have complete data backups every day it will enable a faster and cheaper restoration process in the event of a hack.

    Given that the security teams in a lot of departments are staffed by private company contractors already, any vulnerability assessments would be carried out by another external company. Pen tests tend to be done on an application per application basis, but can be done on the network every two to five years in most organisations.
    Deloitte do a lot of these for cs departments.

    Organisations with large amounts of data don't do full backups daily, it would render systems unmanageable due to the time they take to complete (e.g. try moving a ebd when a backup is happening and see the failure error).
    It's also more efficient to do incremental backups to allow for point in time restoration, with full backups on a weekend.
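
The weekend-full plus daily-incremental scheme described in the post above, as an added example that is not part of the thread: it plans a point-in-time restore from a backup catalogue and shows what happens when one incremental fails verification. The `Backup` record, the catalogue layout and all dates are constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime

# Hypothetical catalogue record; real backup products keep their own format.
Backup = namedtuple("Backup", "id kind done parent")

# Constructed sample: weekend full backup, then one incremental per weekday.
# Each incremental holds only the changes since its parent.
CATALOGUE = [
    Backup("F1", "full", datetime(2024, 1, 7, 2, 0), None),   # Sunday
    Backup("I1", "incr", datetime(2024, 1, 8, 2, 0), "F1"),
    Backup("I2", "incr", datetime(2024, 1, 9, 2, 0), "I1"),
    Backup("I3", "incr", datetime(2024, 1, 10, 2, 0), "I2"),
    Backup("I4", "incr", datetime(2024, 1, 11, 2, 0), "I3"),
    Backup("I5", "incr", datetime(2024, 1, 12, 2, 0), "I4"),
]


def restore_chain(catalogue, target, unusable=frozenset()):
    """Plan a point-in-time restore.

    Returns (ids to apply oldest first, restore point actually reached).
    `unusable` holds ids that failed verification (corrupt, missing, encrypted).
    Raises LookupError if no complete chain ends at or before `target`.
    """
    by_id = {b.id: b for b in catalogue}
    candidates = sorted(
        (b for b in catalogue if b.done <= target), key=lambda b: b.done, reverse=True
    )
    for newest in candidates:
        chain, cur = [], newest
        # Walk parent links back towards the full backup.
        while cur is not None and cur.id not in unusable:
            chain.append(cur.id)
            if cur.kind == "full":
                return chain[::-1], newest.done
            cur = by_id.get(cur.parent)
        # Chain broken: an ancestor is unusable or absent, try an older point.
    raise LookupError("no usable backup chain at or before target")


if __name__ == "__main__":
    friday_noon = datetime(2024, 1, 12, 12, 0)
    print(restore_chain(CATALOGUE, friday_noon))
    # One bad mid-week incremental costs every later restore point.
    print(restore_chain(CATALOGUE, friday_noon, unusable={"I3"}))
```

With every backup usable the plan is the full backup plus all five incrementals; with `I3` unusable the best reachable restore point falls back to Tuesday's `I2`, which is why each link in the chain needs to be test-restored and not only the weekly full.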


  • Registered Users, Registered Users 2 Posts: 35,355 ✭✭✭✭Hotblack Desiato


    And there we go yet again with the Windows 7 shyte talk :rolleyes:

    HSE paid for extended Windows 7 support

    Now whether all sites were applying patches in a timely manner would be a good question. We do know that some sites were hit much worse than others.

    And of course that's just the endpoints, not the servers, but it clearly demonstrates the "I know computers, I use Windows" mindset of so many contributors on this thread :rolleyes:

    Scrap the cap!



  • Registered Users, Registered Users 2 Posts: 12,517 ✭✭✭✭Flinty997


    ..... demonstrates the "I know computers, I use Windows" mindset of so many contributors on this thread :rolleyes:

    In fairness it's more a gossip site for entertainment.


  • Registered Users, Registered Users 2 Posts: 3,337 ✭✭✭Wombatman


    And there we go yet again with the Windows 7 shyte talk :rolleyes:

    HSE paid for extended Windows 7 support

    Now whether all sites were applying patches in a timely manner would be a good question. We do know that some sites were hit much worse than others.

    And of course that's just the endpoints, not the servers, but it clearly demonstrates the "I know computers, I use Windows" mindset of so many contributors on this thread :rolleyes:

    The key and valid point about their widespread use of Windows 7 is that it is indicative of increased risk due to obsolete product usage. I'd be pretty confident that Windows 7 use is the tip of the iceberg.


  • Registered Users, Registered Users 2 Posts: 9,557 ✭✭✭DublinWriter


    Flinty997 wrote: »
    You could ask 10 experts and get 10 different answers.

    And none of them would be to leave a known virus/malware attack run amok in a live operational environment. Best practice is to offline, image and analyse in a sandboxed environment.


  • Registered Users, Registered Users 2 Posts: 12,517 ✭✭✭✭Flinty997


    And none of them would be to leave a known virus/malware attack run amok in a live operational environment. Best practice is to offline, image and analyse in a sandboxed environment.

    Even in this thread there isn't agreement with the "experts" on best practice.


  • Registered Users, Registered Users 2 Posts: 35,355 ✭✭✭✭Hotblack Desiato


    Wombatman wrote: »
    The key and valid point about their widespread use of Windows 7 is that it is indicative of increased risk due to obsolete product usage.

    It's not an obsolete product if you can still buy support for it.

    Scrap the cap!



  • Registered Users, Registered Users 2 Posts: 8,184 ✭✭✭riclad


    https://www.techradar.com/news/ransomware-is-not-out-of-control-security-teams-are

    Good article above, it explains good security procedures are important,
    backups need to be tested and secure and not just part of the network.
    Each company has to have a whole process ready to respond to being hacked.
    We don't know how they got hacked,
    it could be someone clicked on a phishing email,
    it could be malware implanted in a signed Microsoft Windows 10 driver,
    a supply side attack.
    https://www.news18.com/news/tech/microsoft-certified-a-driver-that-carried-rootkit-malware-connecting-to-servers-in-china-3899213.html

    You could have great security software but Windows will presume all drivers are safe and legit if they are signed by Microsoft.
    I would presume most HSE PCs are running Windows.


  • Registered Users, Registered Users 2 Posts: 18,744 ✭✭✭✭kippy


    riclad wrote: »
    https://www.techradar.com/news/ransomware-is-not-out-of-control-security-teams-are

    Good article above, it explains good security procedures are important,
    backups need to be tested and secure and not just part of the network.
    Each company has to have a whole process ready to respond to being hacked.
    We don't know how they got hacked,
    it could be someone clicked on a phishing email,
    it could be malware implanted in a signed Microsoft Windows 10 driver,
    a supply side attack.
    https://www.news18.com/news/tech/microsoft-certified-a-driver-that-carried-rootkit-malware-connecting-to-servers-in-china-3899213.html

    You could have great security software but Windows will presume all drivers are safe and legit if they are signed by Microsoft.
    I would presume most HSE PCs are running Windows.

    Most client PCs globally are running Windows.


  • Registered Users, Registered Users 2 Posts: 8,184 ✭✭✭riclad


    LinkedIn has been hacked, exposing millions of user accounts.
    LinkedIn is owned by Microsoft.
    It does not inspire faith in Microsoft's Windows security standards.


  • Registered Users, Registered Users 2 Posts: 7,362 ✭✭✭plodder


    riclad wrote: »
    https://www.news18.com/news/tech/microsoft-certified-a-driver-that-carried-rootkit-malware-connecting-to-servers-in-china-3899213.html

    You could have great security software but Windows will presume all drivers are safe and legit if they are signed by Microsoft.

    Well, there's no mitigation possible for that.

    I think Microsoft could/should be held liable to some extent for any damage resulting from that kind of screw-up.


  • Registered Users, Registered Users 2 Posts: 8,011 ✭✭✭Tow


    plodder wrote: »
    I think Microsoft could/should be held liable to some extent for any damage resulting from that kind of screw-up.

    They will wash their hands of it, just as they did for the FTDI driver which deliberately bricked devices a few years ago.

    https://hackaday.com/2014/10/24/ftdi-screws-up-backs-down/

    When is the money (including lost growth) Michael Noonan took in the Pension Levy going to be paid back?


