back to article Scores of US credit unions offline after ransomware infects backend cloud outfit

A ransomware infection at a cloud IT provider has disrupted services for 60 or so credit unions across the US, all of which were relying on the attacked vendor.  This is according to the National Credit Union Administration, which on Friday told The Register it is fire-fighting the situation with the credit unions downed this …

  1. sanmigueelbeer
    Coat

    "Go to the cloud", they said.

    What could possibly go wrong?

    1. Yorick Hunt Silver badge
      Trollface

      By the sounds of it, this setup wasn't particularly cloudy - more like a low-lying fog.

      1. Mayday
        Facepalm

        Fog Computing

        Is actually a thing. Don't ask - I certainly didn't make it up nor have I ever mentioned it in a wank-filled meeting with people who don't know what they're talking about. Not about to start either.

    2. Version 1.0 Silver badge
      Joke

      Go to the cloud ... what could possibly go wrong? A thunderstorm, a tornado, a hurricane with only 38 inches of rain ... ransomware is actually worse these days. So I'll update a Brendan Behan quote from years ago into today's world ....

      "The Internet is a lovely consolation to a fellow alone in the cell these days. The lovely cloud access with a bit of ransomware stuffing in it, if you could get a few million pounds it is as good a smoke as I ever tasted."

    3. John 61
      Alert

      Every cloud...

      It pees down data.

  2. sitta_europea Silver badge

    "Ongoing Operations ... provides things from disaster recovery solutions to..."

    Forgive me this wry smile.

    1. Doctor Syntax Silver badge

      It's called "getting rid of the difficult bit in the title".

  3. An_Old_Dog Silver badge

    Execs Still Don't Get It

    The cloud is great for some applications, but not most applications, and certainly not all applications. The cloud is great for things which have large demand-swings, and have no uptime requirements, and also host public, non-confidential, non-PHI, non-proprietary, non-secret data: VirusTotal (.com) is such an example.

    One reason the cloud sucks for anything a company ought to keep private is because of the business model the cloud companies use: it's just like the business model used by many service-hosting companies (email, web sites, etc.) -- the hosting companies use as few, and as minimally-trained staff as they think they can get away with, and provide as little support as they think they can get away with, because (some of) their profit is the difference between their personnel costs and the rates they charge their customers.

    Another reason the cloud sucks for anything a company ought keep private is because the cloud-hosting companies are so big, and a staffer's brain-fart or keyboard fat-fingering can affect swathes of virtual systems.

    1. DS999 Silver badge

      Re: Execs Still Don't Get It

      On the other hand, if smaller credit unions were running their own internal IT operation the level of competence will vary widely. Some might have all the latest patches and technology, and others see it as a cost center and there are running antiquated technology that's updated only as required by outside regulation, and you have no way of knowing which side your credit union is on until it is too late.

      The service providers are hopefully more likely to be on the 'well run' side of things since providing that service is their company's main business. That's no guarantee they are, and even when you do things "perfectly" if you're hit with a zero day flaw there's nothing you can do about it.

    2. Dostoevsky Bronze badge

      Re: Execs Still Don't Get It

      I worked at a bank, and our confidential data still runs off an AS400 mainframe in Kansas. Say what you like, but at least it's not gonna get hacked... No one knows how to use AS400 anymore! :)

      1. Anonymous Coward
        Anonymous Coward

        Re: Execs Still Don't Get It

        Including IBM....

      2. An_Old_Dog Silver badge

        Who Still Knows AS/400? | Security Through Obscurity

        "Security through obscurity" has historically proven to be a flawed method. There's always at least one knowledgeable, skilled techie willing to pimp his/her/their services out to criminals. (There are also less-knowledgeable, less-skilled techies willing to pimp their services out to criminals, but those people tend to end up in the headlines, either as nicked by the coppers, or killed by their dissatisfied employers.)

  4. Doctor Syntax Silver badge

    "a sophisticated ransomware attack"

    Translation: One that was too clever for us. How clever should we have been?

  5. raving angry loony

    Ah yes, "the cloud"

    "The Cloud", this magical thing that is getting sold all over.

    When all it really does is make security that much harder because you're never sure who really has access to that stuff, and if your internet craps out you can't get to it anyway.

    Don't get me wrong, it's a great solution for some stuff, but too many people are putting all their eggs into that one basket, and it's going to bite them hard.

    Oh, wait, it already did. Meh, they won't learn their lesson, since the folks who get yelled at to fix it aren't the ones who made the decision to purchase the crap in the first place.

    (yes, I'm still bitter)

  6. Kevin McMurtrie Silver badge

    Do the CUs get a refund?

    One advantage of "the cloud" is that you should be able to delete the main hosting account and bring up a clean replica in a day. Most serious companies practice bringing up a replica annually. It's part of a process called disaster recovery.

    If I was buying cloud services from a disaster recovery business that can't do this, I'd want a retroactive refund.

  7. Tron Silver badge

    Physical is more resilient than digital.

    For anything important, digital should be treated as an unreliable luxury layer on top of a core physical service.

    Keep as much stuff offline as you can, train your staff and pay your techs well, maintaining good security and encryption for online services.

    1. W.S.Gosset Silver badge
      Thumb Up

      Re: Physical is more resilient than digital.

      >digital should be treated as an unreliable luxury layer on top of a core physical service

      Well put.

      Very well put.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like