back to article Axa insurance offshoots pwned as Ireland reveals second ransomware hit

The murky world of ransomware criminals is all aflutter after it was revealed that Ireland's health services were hit by a second attack hot on the heels of one that took out its hospitals, while ransomware insurance refusenik Axa was itself hit with ransomware after its French branch vowed to stop buying off criminals on behalf …

  1. Anonymous Coward
    Anonymous Coward

    Curious....

    With ransomware attacks hitting the news headlines pretty much everyday these days, I'm genuinely curious to know whether self-hosted or cloud-hosted infrastructure is more prone or more secure, or whether it makes sweet FA difference... ?

    If cloud infrastructure was more secure or better protected I would expect cloud providers to be making a big song and dance about it, but they don't. Indeed, there is very scant mention in any of these headlines about the infrastructure that is affected.

    Assuming one PC in one office gets infected, then (apart from bad asset and network management) how does that bring down an entire national/international business network? . Is one machine infected and doing all the encryption, or do they effectively download the data somewhere, encrypt it, then upload it back to the companies servers?

    And where do these messages saying that the network has been encrypted appear? On the original infected PC, on every PC, on the CIO's i-phone ?

    It's not an area I have had more than a passing interest in previously, but it does seem to have become a significant issue this past 12 months or so, with some significant (and one would hope, well protected) organisations being affected.

    Can any fellow commentards enlighten me, or point to to some useful websites?

    1. Ken G

      Re: Curious....

      Public cloud usually better, for several reasons including need to architect to build it, vendor guidance and patterns and evergreen software. Health Services are always balancing IT costs with more clinical hours and add to their estates over time, lots of medical devices don't get patched etc. The HSE attack was human directed and was probably installed and spreading for days before locking files, so if it got past the perimeter and anti-spyware it had time. Ransomware messages can pop up when end user tries to open a file, when admin runs certain commands or just spam everyone using internal email.

    2. Ken Moorhouse Silver badge

      Re: where do these messages saying that the network has been encrypted appear?

      This is a quick one to answer.

      The attacks I've been called out to deal with have had files placed in every folder that has been encrypted. Files are in IIRC generally two formats, TXT and HTML, outlining what has happened and how to pay. The HTML version is the version that is often used as a headline image in news stories.

    3. Tomato Krill

      Re: Curious....

      At the very least sophisticated level, that one PC has access to multitudinous servers and file stores - else what’s the point of the PC.

      But often it’s used as a stepping off point and either something worm like or even an actual human will go from

      boxen to boxen, installing the utility of nastiness and then pulling the trigger when ready and encrypting everything

  2. Ken G

    Some comfort

    That government departments networking is at least better protected than the lowest bidder string and generic brand chewing gum holding together HSE hospitals.

    I guess the next step is for the Irish government to requisition unused capacity at various local cloud data centres for the worlds largest botnet to DDOS the Eastern hemisphere?

  3. Anonymous Coward
    Anonymous Coward

    encrypts everything it touches except for .exe, .dll, .sys, .lnk, .msi

    I just add the .exe file extension to all my important documents.

    Super_Important.doc.exe

    /s

    1. Ken Moorhouse Silver badge

      Re: I just add the .exe file extension to all my important documents.

      Good idea.

      Bulk encryption speed is of the essence. To give a bit more protection, should the baddies check it, prepend MX to the contents of each such file. It will need to be stripped out before opening the document. Doesn't protect against a full analysis of the file though.

    2. Anonymous Coward
      Anonymous Coward

      Re: encrypts everything it touches except for .exe, .dll, .sys, .lnk, .msi

      How do you think they got a victim to click on the malware ;)

  4. cantankerous swineherd Silver badge
    Mushroom

    come friendly ransomware and deliver us from robotic customer unservice.

  5. 2+2=5 Silver badge
    Joke

    So not a u-turn but a TITSUP?

    > A fortnight ago Axa HQ in Paris had vowed to stop selling new policies to French customers that allowed for ransomware operators to be given handsome payoffs in return for decryption utilities, or promises that victims' stolen data was deleted.

    Not a u-turn but a deliberate TITSUP - Totally Intended To Stop Unencryption Payouts

  6. tonyyaman

    look at it this way if they was going to get shot for doing it they would not do it but cos them get a slap hand they carry on just shhoot them it would stop

  7. EnviableOne Silver badge

    Not a way to handle the french

    you bloody their nose, and they will dig in twice as deep and you aren't getting your way...

    there is no way on earth AXA will back down, and now they will be putting pressure on the rest of the industry to join them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021