Irish Health Service ransomware attack happened after one staffer opened malware-ridden email

Ireland's Health Service Executive (HSE) was almost paralysed by ransomware after a single user opened a malicious file attached to a phishing email, a consultancy's damning report has revealed. Issued today, the report from PWC (formerly known as PriceWaterhouseCoopers) said that the hugely harmful Conti ransomware infection …

  1. Anonymous Coward

    Patient Zero?

    Patient fucking Zero? Is that shorthand for "clown who opened an attachment"? Or maybe shorthand for "person who the clowns that pass for opsec didn't tell said 'patient' not to open attachments and absolutely not click on links in email"?

    But the excuse gets better...

    Quote "This report highlights the speed with which the sophistication of cyber-criminals has grown, and there are important lessons in this report for public and private sector organisations in Ireland and beyond." Unquote.

    I have to ask, has the sophistication and growth of your security not matched theirs? Indeed, has it grown at all?

    And please lose the shite about "lessons". You obviously learnt no lessons from other companies' breaches. So, what is so important about your utter failure that other companies should learn? Could it be security needs beefing up, but as it will cost money, we'll just go with the solution as in "fuck it, we'll just hope for the best"?

    And whilst you are at it, lose the word "cyber". When used in this commonly used excuse for a fuck up, it just makes the user sound like a clueless twat. Oh wait....

    1. macjules

      Re: Patient Zero?

      And don’t forget the multiple uses of ‘probably’ by PWC, who ‘probably’ charged HSE a lot more than the $20m ransom.

      One of the beauties of cyber security consultancy: you can state obvious facts (“you’ve been hacked” or “what? No backup?”) with no responsibility and can charge whatever you like.

      1. Yet Another Anonymous coward Silver badge

        Re: Patient Zero?

        Or the IT clowns who have a system where a random minion has write access to the entire health service's file systems?

        We get lots of training in not opening attachments (we also get daily emails saying we should click on the link to allow a new security update, with a new company name from the last one).

        Wouldn't it be safer to ensure that not every one of the 4000 employees, if they did click on a link, can then rewrite every file in the company?

    2. martyn.hare

      100% free things which would have saved them

      * Blocking commonly abused filetypes on email (xlsm in this case, easy peasy)

      * Group Policy to disable macros, embedded ActiveX, remote references/links and frames in Office

      * Only allowing Microsoft products to communicate with Microsoft IP ranges and necessary SMB servers

      * Blocking unknown software by default on Windows Firewall (easy peasy to implement)

      * AppLocker or WDAC to prevent any and all unknown executables and such from executing

      * Built-in Windows Defender with Zero Tolerance Extended Cloud Protection configured

      * File Server Resource Manager could have blocked the encryption attempts (using honeypot files)

      I'm willing to bet that just one of those things alone would have stopped the attack dead in its tracks.

      On the Windows networks I configure, I try to get as close as possible to implementing all of the above.

    3. CuChulainn Silver badge

      Re: Patient Zero?

      "the clowns that pass for opsec didn't tell said "patient" not to open attachments and absolutely not click on links in email"

      In the early 00s, when the 'I Love You' virus/worm did its thing, the company I worked for was hit.

      Multiple users opened it, and the entire network was taken offline. It was down for many days, since we didn't have a very good IT department.

      The disruption was of such significance (you'd have thought) that every single user would have been aware of the cause and the gravity of the situation.

      After several days, once systems started coming back online, IT sent out messages that further emails were backed up which contained the worm, so as not to open them when they came through. Departmental meetings were held which broadcast the same directive. I mean, they were pretty obvious with their subject lines (i.e. 'I Love You'), and the complete lack of relevant context within a closed office and restricted network environment.

      But guess what...?

  2. Terry 6 Silver badge

    need major transformation.

    This is usually code for "find (or replace the) outsource company".

    Possibly justified in this instance.

    Except where the alternative meaning "We'll use the same staff but need more money" is intended.

  3. cantankerous swineherd

    root cause

    email.

    get rid of it.

    1. Anonymous Coward

      Re: root cause

      How about just no attachments?

      Or opening attachments in a sandbox?

      It's strange that Windows doesn't have such a default builtin sandbox system for opening emails.

      1. Version 1.0 Silver badge

        Re: root cause

        I see infected attachments arriving all the time, but we quarantine all potentially risky attachments, which means that all emails with them need to be evaluated by the admin before releasing them - but at least 90% of the quarantines are just deleted. We see occasional attachments that are not flagged by VirusTotal as infected, maybe once a month, and every now and then an attachment is quarantined (so the mail-server AV software didn't think it was infected) and then flagged as infected a few hours later when the AV software is updated.

        But getting emails with links to infectious sites or downloads is also a risk - I think that the malware senders are using AI to create the emails because many of the malware emails target specific people with emails that appear to have an idea what they do for us ... accounting get "invoices and payments" and the sales folk get requests for "quotes" all the time.

    2. Alan Bourke

      Re: root cause

      Oh is it 'email is dead' time again? Can't be five years since the last round surely. Where does the time go ...

    3. Ken G Bronze badge

      Re: root cause

      Medical secretaries throughout Irish hospitals have been trying since it was first introduced. They prefer faxes.

  4. werdsmith Silver badge

    In our organisation an email went round requiring everyone to go through an online training course on avoiding email malware and phishing.

    It was rejected en masse because it looked very much like a malware payload email.

    1. Craig 2

      So the ones who clicked the link and did the course are the ones that need a talking to?

      Sounds like the email (inadvertently) did exactly what was needed!

    2. captain veg Silver badge

      My employer insists on regularly sending* deeply annoying mock phishing emails. Not only are they obvious from the content, but the presence of "threatsim" headers is a total giveaway. Having been reprimanded by HR for suggesting that this is a waste of everyone's time, I now ignore them. So they complain that I didn't report them to IT and have to take "remedial" training, for doing nothing.

      Faceless parasites, all of them.

      -A.

      *Of course, it's not actually my employer sending them, but a third party that they pay to inflict this nonsense. Is this GDPR compliant?

      1. Bill 21

        If it's anything like my employer's, the idiot emails are sent to everyone at more or less the same time. Anyway, the whole point is that they get almost 100% the 'proper' response from these things (cos they're obvious), which means everyone must be fully trained. Tick.

      2. ravenviz Silver badge

        It is GDPR compliant if you can request (and be told about) the information your company keeps on you, and how it is used. Available from an HR department near you (or Compliance team, if you’re lucky).

  5. Boris the Cockroach Silver badge

    Further training needed

    I suggest el-reg's own BOFH does it

    I can imagine the invoice

    3 duracell 'D' cells

    1 roll of carpet

    1 bag of quick lime

    Hire of a van for 6 hrs

    Hire of a woodchipper

    2 hrs traveling expenses

    Oh and

    Printing out a sign saying "DON'T OPEN ATTACHMENTS ON EMAILS UNLESS YOU WANT THIS TO HAPPEN TO YOU"

    1. Yet Another Anonymous coward Silver badge

      Re: Further training needed

      Then block all attachments.

      Allowing attachments, some of which are vital to getting any work done, and some of which are malicious and relying on the users to decide.

        It's like having Boeing say to the production line, 90% of these parts are fake and will destroy the aircraft, it's up to you when selecting a bolt to make sure it's correct before looking at it.

      1. Anonymous Coward

        Re: Further training needed

        If you are a Microsoft shop, the minimum prudent step is to block attachments from outside the company. It's probably a good idea if your shop has Mac or GNOME users, too. And if your company, as IHS apparently does, has a policy of allowing the rank and file clerical help privileged access to read/write/delete all files on the file server... well, that ought to obviate the need to use email for internal file transfers too, now shouldn't it?

      2. ravenviz Silver badge

        Re: Further training needed

        People seem obsessed with attachments to get their work done when there are perfectly capable intra/internet document collaboration tools available. The risk to business of malicious attachments is far greater than any perceived productivity loss of ‘being arsed’!

  6. To Mars in Man Bras!

    Too Little Information

    I think, in the interests of fairness giving us all a laugh, the employee should be named and also the title of the attachment.

    1. Eclectic Man Silver badge

      Re: Too Little Information

      Only if Regomised, so that we can enjoy the 'Who Me?' column later.

  7. W.S.Gosset Silver badge

    "detonation of the ransomware"

    I quite like that. "Detonation".

    That antivirus provider is impressive. They have truly grasped the essence of govt outsourcing. Close, rigorous, and vigorous weaselling of the Contract process, secure the endless revenue, then just get Sam from Marketing to make vaguely technical noises down the phone if anyone rings.

  8. DS999 Silver badge

    This is why securing a large business is so difficult

    The attackers only need to fool ONE person into clicking on a link or attachment. It is hopeless to think you can prevent that if you have thousands of employees, especially if attackers think the target is worth tailoring the attack at a single person or small number of people, which avoids triggering the defenses that can identify a lot of same/similar emails coming for multiple people and quarantine the emails for review.

    You can't even fix that if you patch the day patches are released either, all the mainstream desktop/mobile OSes have enough zero days discovered regularly that some will be left unfixed to exploit.

    That's why the only defense against ransomware is to make payment of ransom illegal. So long as people are paying the ransom, the attacks will continue.

    1. Anonymous Coward

      Re: This is why securing a large business is so difficult

      It's true that the criminals need only one stupid or poorly educated/trained user to open their malware. But this incident report does an excellent job of turning that on its head: had any of several dozen people done even one thing right, the criminals would have failed. They could have blocked attachments from outside IHS. They could have assigned least privilege. They could have recognised that the presence of Cobalt Strike means their entire network was compromised and all systems not essential to patient life needed to be powered down and examined offline in thorough detail (or scrapped and rebuilt starting with firmware). They could have employed a more competent antivirus contractor. They could have had a GPO in place preventing Excel from being used, or preventing it from executing macros. They could have patched their software in a timely manner, or at least in accordance with a defined change control process. And, of course, Patient Zero could have done what countless training seminars and policy booklets undoubtedly demanded and not accessed the poisonous attachment.

      It's fashionable to talk about how heavily the deck is stacked in favour of the criminals. That's not entirely wrong, but it's not right, either. Any one of a great many rudimentary security measures can prevent an attack of this kind from succeeding. All of them together will likely thwart even a genuinely sophisticated attack (which this was not). The canned statement pretty well says it all: no one is willing to take responsibility for doing the simple things that work; it's easier to throw up your hands and bemoan those dreadfully sophisticated criminals whilst doing nothing but collecting a fat pay packet.

      I'm for making it illegal to pay ransom. I'd also support making it illegal for banks to handle known or suspected ransom payments or cryptocurrency purchases ("Know Your Customer" and similar existing regulations in the UK and elsewhere will cover this very well), and why not throw in a special triple-sentence kicker with mandatory individual criminal liability for using cryptocurrency to make an end run around the banking system for criminal purposes too while we're here. But like the problem as a whole, the real solution is defense in depth. It's not enough to do any one of these things; we need to do ALL of them, because you can never tell when everyone responsible for all the other things on the list will be asleep on the job. If you do ALL of these things, the criminals will struggle mightily to make a profit and many will exit the business or move on to other easier targets. Incentives do work and the essential task in security is to provide criminals with every cost-effective incentive to do something other than attack the target being protected.

    2. ravenviz Silver badge

      Re: This is why securing a large business is so difficult

      And make introduction of malware an act of gross misconduct (notwithstanding training records).

  9. yetanotheraoc Silver badge

    Two months is a long time

    Poor Patient Zero -- actually the name of the workstation, but it's a catchy name.

    They clicked when they shouldn't, and now have to live with the shame and the finger-pointing. But that happened on 16 March, and Patient Zero was in no way responsible for the two months of security non-response in the face of alerts. "They were advised by Hospital C’s cybersecurity solutions provider that since the threat had been remediated by their antivirus software, their risk was low." Low? LOW??? Get your butt out of your chair and go verify whether or not it is ZERO! That's your whole job, and you failed utterly.

  10. Anonymous Coward

    You can only advise

    Snr manager asked me about an attachment they had received and whether they should open it.

    I asked the usual questions like were you expecting it? They said no. It was claiming to be from China.

    I said no, alert IT and have them deal with it, etc.

    She opened it anyway.

    No obvious payload, it was unsolicited spam, or possibly a spear phishing attempt.

    !

  11. Uncle Ron

    How About This?

    It seems to me that a very simple solution to the stupidity of users of ALL organizational email systems is to simply disallow ALL attachments. None. Nada, Zero, Zilch. Strip them out before they ever get to a numbskull user. "Don't EVER send attachments. Don't EVER click on attachments." Sure, it would cause some pain and lost productivity. But not NEARLY as much as an attack. Simply include in a legitimate email something like an unassailable pointer to the "Excel" file or whatever, along with a regular, maybe daily, warning to NEVER click on an attachment. NEVER. No matter who it's coming from, or how TEMPTING the damn thing looks. DON'T CLICK. EVER.

  12. Potemkine! Silver badge

    Bad, very bad, worse.

    Accepting mails with macros in excel file: bad

    Activating macros from outside sources: bad

    Not patching vulnerabilities: very bad

    Not educating users again and again not to open attachments: worse.

    This succession of failures shows a big problem of governance at the highest level. Not taking care of cybersecurity today becomes more than negligence, it's a fault.

    1. W.S.Gosset Silver badge

      Re: Not educating users again and again not to open attachments

      Nope, don't wanna do that -- puts your own job at risk. That impinges on their safe-space, does not show respect. You will be punished if you do that. Recent example:

      https://onditmagazine.medium.com/psych-uni-staff-receive-bizarre-fake-covid-vaccine-email-b85924dade9f

      https://www.theaustralian.com.au/higher-education/university-of-adelaide-tech-team-taken-to-task-over-bogus-vaccine-email/news-story/f363d078b5a205ff2b82020974f07397

  13. Ken G Bronze badge

    Easier said

    The HSE co-ordinates between hospitals, it doesn't directly control them, and when it comes to hospitals, IT comes way behind a) paying consulting doctors, b) paying for nurses, c) paying for cleaning staff, d) paying for new medical toys/life saving equipment. They are more easily able to measure what happens to patients if they need to wait on a trolley for 12 hours due to staff shortages than the risk of what might happen to that patient's data from a breach.

    PwC didn't perform rocket science here but someone external had to write down what happened and charge enough that ministers and senior hospital management would have to read it. The medical jargon is grating but it's trying to force an analogy that medical administrators might accept. I'm sure dozens of hospital IT staff told their managements of the risks in advance but either were ignored or misunderstood and the message didn't sink in.

  14. NotMondayAgain

    Who advises these public agencies? It only requires a few simple policies to reduce risk by 99% but instead they pay PWC probably more than the ransom for 157 pages of generalities and management speak.

    A few practical steps, none of which are in that useless tome.

    Block Powershell from running through GPs, no standard user needs it. We did it 3 years ago and nobody even noticed yet.

    Stop all emails containing pre 2007 Office formats. If suppliers and customers have not updated since Office 2003 we don't want their emails.

    Sack anyone who ever types in an elevated credential into a user endpoint.

    Segment your networks

    Tapes in a safe are a lot harder to get at than disk to disk backups.

    Separate your hypervisor infrastructure and backups from the user network and don't bind hypervisor management to user side NICs.

    Use 2 macro execution policies. Users with brains can enable a macro (<5%) and the ones who can't find their rear with both hands simply cannot execute macros.

    Apply updates. If the vendor can't supply them get out of their bed and find a new one, not tomorrow or next year. NOW.

    Use LAPS because users are idiots.

    VLANS are as secure as your switches are.

    No user is a local admin. If their software won't run without LA rights then get rid mercilessly. Not that we have found many software items out of 5000 users around the globe that had a problem. A real problem that is as opposed to the user or supplier telling us it won't work.

    If your backup is spinning on disks that aren't air spaced from the network you should assume you will have no backups.

    All of the above is based on bitter experience. Weirdly I found it a lot easier to persuade the board to spend the money after all the data was gone (including the virtual tapes). They were totally disinterested until that day arrived. 6 months of downtime recovering data from tapes for 100 offices around the world finally convinced them I was not exaggerating the risks. Of course this excludes the tapes which were left in autoloaders as it was too much trouble to keep taking them out each day. They were all formatted for us by the nice guy in Russia who demanded £xxm.
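Two of the free controls listed above by martyn.hare (block xlsm and other macro-enabled types at the mail gateway) and by NotMondayAgain (stop pre-2007 Office formats) can be enforced on attachment content rather than on the file name alone, which also catches a macro-enabled workbook renamed to .xlsx. The following is an added example, not code from this thread or from any product it mentions; the policy sets, function names and the sample message are all constructed for illustration.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Pre-2007 Office files are OLE2 compound documents that start with this header.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Policy assumed for this example: block macro-enabled OOXML types and all legacy
# Office types outright, and never trust the file extension on its own.
MACRO_EXTS = {"xlsm", "xltm", "docm", "dotm", "pptm", "potm", "ppsm"}
LEGACY_EXTS = {"xls", "xlt", "doc", "dot", "ppt", "pot"}

def classify_attachment(filename, data):
    """Return (verdict, reason) for one attachment: allow, block or quarantine."""
    name = filename or ""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in MACRO_EXTS:
        return "block", "macro-enabled Office extension ." + ext
    if ext in LEGACY_EXTS or data.startswith(OLE2_MAGIC):
        return "block", "legacy OLE2 (pre-2007) Office format"
    if data.startswith(b"PK\x03\x04"):
        # OOXML is a zip: a vbaProject.bin inside means macros, whatever the
        # extension says (e.g. an .xlsm renamed to .xlsx before sending).
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "quarantine", "zip container is corrupt or truncated"
        if any(n.endswith("vbaproject.bin") for n in names):
            return "block", "OOXML container carries vbaProject.bin (ext ." + ext + ")"
    return "allow", "no macro or legacy-format indicators"

def screen_message(raw_bytes):
    """Parse a raw RFC 5322 message and classify every attachment in it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(name, payload)
        results.append((name or "(unnamed)", verdict, reason))
    return results

def build_sample_message():
    """Constructed sample: a macro-carrying OOXML zip renamed to .xlsx, a legacy .doc, a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", b"\x00" * 16)  # stand-in for real VBA
    msg = EmailMessage()
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.xlsx")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 24, maintype="application",
                       subtype="msword", filename="report.doc")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict, reason in screen_message(build_sample_message()):
        print(f"{name}: {verdict} ({reason})")
```

A real gateway would also log the verdict and the sender for the admin review that Version 1.0 describes, and treat "quarantine" as hold-for-review rather than delete.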

  15. DrXym Silver badge

    Doesn't surprise me

    Public systems are always going to be decrepit, underfunded, lashed together by kludges and hacks. On top of that I bet the users of a health system are going to be very opinionated and entitled about what they should and shouldn't be allowed to do on their network - send around massive attachments, share files, have admin access to this or that system, be able to use any printer in the building, able to use *their* conferencing apps etc.

    Fixing this will be an interesting one and very expensive (not least from IT consultancy vultures circling around this carcass), but basically every hospital and department within it needs to almost be a silo, with traffic / threat analysis, 2FA, backup procedures, training for staff and measures in place for monitoring security and for breaches. Even with all that it *will* happen again so it's about mitigating for the threat without pissing off the people who have to use the rebuilt system for their work with onerous conditions and checks.
