UK, US hospital computers are down, early unofficial diagnosis is a suspected outbreak of Ryuk ransomware Universal Health Services, which operates over 400 hospitals and healthcare facilities in the US, Puerto Rico, and the UK, said on Monday that its IT network was offline due to an unspecified cybersecurity issue. "We implement extensive IT security protocols and are working diligently with our IT security partners to restore …
You're being generous. Usually, those of us responsible for computer security often find that the folks in charge demand that we keep things secure, and then exempt themselves from the rules.
If you work for a company that has a dedicated IT team for the management team, this is one of the reasons why.
I moved there from support about 8 years ago. I actually love it.
You need to understand early on that you are chasing something you will never find - perfect technical security and perfect staff who are 24/7 thinking about the consequences of that next click.
However as I work in the NHS I can honestly say something about the statement UHS have given out is utter nonsense - that no patient/staff information has been accessed, copied or otherwise compromised. Absolute BS as it'll be on every endpoint in some form so if a single PC has been hit by ransomware (and it sound far worse) there is a risk of some data being lost unless they are incredibly strict about where staff can save data, which most places aren't.
I run a mail server with two separate anti-virus checks on all incoming messages and attachments - normally everything works well but recently the number of emails with malware that slip through the AV software has increased dramatically. I fix the problem by quarantining all potentially suspicious attachments, naturally all Microsoft documents and every other potential risk ... how many lusers know that purchase_order.img is not a picture?
AV software is effective, it stops a lot of viruses but it's not 100% reliable, today we're getting deluged with DHL Overdue Invoice Notice - 1499320546.xls, Sales_Receipt_5782.xlsm, DHL_Paper_Works_Download _and_print_receipt.iso etc etc.
I've been receiving the odd DHL invoice over the last few months through my company's email accounts.
If my company were located in the same country as me and DHL actually existed in Norway (apparently they do, but I don't ever recall seeing any of their trucks on the roads) and my company was the sort of company that actually ordered physical stuff and and if they didn't arrive on all public email addresses at the same time and if I were less tech-savvy than I claim to be I might be slightly more inclined to open them.
That's a lot of IFs. :)
I can see how it would be easy for someone who just sees emails from one public account and who regularly expects to see emails regarding purchase orders and deliveries and who isn't particularly IT inclined to inadvertently open one of these.
You need to educate your users. They are one of your lines of defence and educate them what to do if they think something is suspicious, to err on the side of caution but its easily done when you are busy and it looks like something expected.
There has been an uptick in spam particularly with viruses attached from what I can see, I seem to remember the reg commenting that a particular botnet had fired up again recently.
I also had a website contact form suddenly having lots of spam getting through yesterday, my fault I guess as I hadn't upgraded it to captcha V3 and it was still on V2. Clearly the site had either been added to a new spam list or someone had improved their spam engine to include V2 bypass. Quickly sorted and no more since.
Luser education is definitevely in order here.
If you don't expect a DHL/Fed-Ex/Chronopost/DpD or whatever, receiving an email from any of them should be an automatic "Oh it's a phishing attempt, report it to IT" in the mind of the Lusers.
If deliveries are expected, the Lusers should know that none of the delivery companies sends attachements, just links to their websites ( with or without the shipping information ), so once more seeing such a mail with an attachment should raise all the warning bells.
I receive stuff on a regular basis ( both professionally and as an individual ) and detecting the phishing attempts are so easy that I could do it while sleeping out a drunken stupor. ( obviously after an indecent amount of pub time )
I wish I felt as confident at weeded out the spam as you. The fake delivery company & invoice ones, yes I spot those for the reasons mentioned. Recently I've got emails pretending to be MS 365 system or admin messages - you missed a teams call and that sort of thing. So far, they have had signs that raised suspicion, but we are on 365, it is plausible to get system messages, (like message undeliverable ones) and with a better quality of phishing .... there but for the the grace of God.
That's quite interesting actually. I dropped Captcha support (partly because I hate it and partly due to GDPR concerns) on my company's website in favour of rolling my own honeypots on forms.
Since doing that, I haven't seen any spam messages coming through the contact form. (Not that there was any before, but I certainly didn't experience an uptick either.)
I gave up with anti virus checking things. They miss zero day attacks, which means you rely on somebody being hit first before you get any protection.
Our place is an office with non technical users that only ought to be receiving office documents and PDF's.
My improved solution was simply to drop any .exe file coming in on my mail server, strip macros from incoming files and quarantine anything odd. For instance ISO, IMG, ETC files? How many times have you had legitimate images emailed to you?
You can generate long lasting peace and quiet quite easily with the right settings without inconveniencing the users. While admittedly stripping and quarantining things on sight does sound somewhat extreme, the results for me have been immediate and long lasting peace and quiet. Nothing harmful makes it in via email and I can't remember an instance of being asked to retrieve anything from the spam filter that has been dropped or quarantined.
On the subject of GDPR, if this does affect UK installations then unless they can conclusively prove no personal data has been compromised then they are required by law disclose fully to the ICO.
Would be interesting to know if they do actually disclose this potential breach within the allowed timeframe.
This post has been deleted by its author
We should not be tolerating this.
Anybody who perpetrates a ransomware attack against a hospital should be treated as if they had committed an act of attempted murder and in the (admittedly unlikely) event of them being arrested they should expect to face the most severe punishment allowed under the law for that.
Conversely, any hospital that leaves their IT infrastructure unprotected and doesn't introduce reasonable protections (firewalls, antivirus, prompt application of software patches, disabled USB ports, etc) should face criminal negligence charges (obviously in the case of them taking reasonable precautions and the hospital IT infrastructure being infected anyway they shouldn't face any charges).
Why the downvotes? This is the right way to go.
If the downvoters got burgled I'm sure they wouldn't say "Tut. I hope that doesn't happen again!".
In the case of healthcare establishments it's not acceptable to just claim on any cyberattack insurance they might have - peoples' lives are involved.
Face charges?
Unfortunately those that often are the root-cause of many of the problems appear untouchable. All the issues of patching and security are polices for leadership to create that techies implement.
All that will happen is some senior techies will get pushed out as scapegoats leaving those who come up with the policy safely in post.
There is a culture where management increasingly shirk any responsibility through obfuscation and endless buck passing. The problem has got worse as the number of managers has increased as they are all trying to justify their expensive positions. This takes us full circle back to the techies implementing the policy but without the resources to do so.
Many healthcare organisations outsource a proportion of their IT. The issue then arises that the IT provider is willing and capable of patching, etc, but the end users are reluctant to agree to the downtime; and in some cases the end-user organisations are either unwilling or unable to pay for the maintenance of the systems in use. There's then a game of to-and-fro as the outsourcer tries to convince the healthcare organisation that the patching is necessary and they really do need to find the resources to allow major upgrades to take place. Those resources are not only money: but also people in the healthcare organisations who understand enough IT to push things through and say, set up projects to educate end users in the new system (why do we need a new system when the old one works perfectly well?...and so on).
Sometimes, the 'responsible' IT person in the healthcare organisation can be, for example, a surgeon, who is used to people doing what they say and doesn't take kindly to IT oiks saying that the old radiology application needs to be replaced with one that works on Windows 10.
If you care about patient well-being, healthcare IT will give you stress-related disorders in no time flat.
Sometimes, the 'responsible' IT person in the healthcare organisation can be, for example, a surgeon, who is used to people doing what they say and doesn't take kindly to IT oiks saying that the old radiology application needs to be replaced with one that works on Windows 10.
Which is perfectly reasonable when the software comes with the hardware and the replacement bit of hardware cost tens of millions of pounds, don't you think?
Solution; secure it with a hardware firewall so that the embedded application can still email it's results out to doctors by sending traffic out to one particular internal IP and block every other port and destination. The WindowsXP based device can then soldier on and complete the remaining part of it's expected 30 year life with minimal risk of being compromised.
You can even make friends with the doctors by sticking it on a UPS so the controller still works when the facilities people do their weekly tests of the generator by pulling the breakers on the mains coming in, resulting in a 2 second break before the on site diesel generator fires up, causing about 5 minutes of downtime. And another 5 minutes when they then pull the plug on the generator again an hour later.
A couple of hundred quids worth of UPS gave the doctors an extra 2 hours of use of the equipment as their procedure had been to just turn the entire thing off for the scheduled test and avoid scheduling anybody during a point that they knew the power would go out to avoid wasting their time and damaging the equipment.
Been there, done that at county level. It's nowhere near as complex or stressful as people make out IMO if you can balance "what we want" with "what they need".
And how would an offline backup help you? Ransomware does not manifest itself right away. Usually it takes days, weeks, even months to spread. Most probably one would end up with multiple backups of already infected systems. The only difference is that your online backup system may end up borked while the offline one will happily provide you with an infected copy from couple of days ago. You would not want to restore a copy from an year ago, right? The data will be irrelevant.
I wish I knew a better way, but I do not. The only thing I know is the way we do things in IT does not work anymore, but we keep on doing the same old thing hoping for a better outcome.
What was that definition for insanity :)
OneDrive has an interesting method of trying to detect it - https://support.microsoft.com/en-us/office/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f
Basically they monitor all of the changes to your files, so they can detect if something has come along and changed _everything_ and then allow you to roll them back as and when needed.
Disclosure, I work for one of the IT big vendors.
We're seeing a 37% increase in attacks since the mobilisation of call centre staff due to covid as that's opened up a lot more attack vectors. This is driving a lot of interest in last resort defence solutions required to recover following a successful breach. Solutions that use air gaps, data diodes, retention locked copies of backups and analytics to check file entropy (back to the earlier point of the file named as purchase_order.img)
The levels of sophistication we starting to witness is staggering and the lengths these low lives will go to questions the evils of the human race, in the short term there is no end to this. To get around the immutable file recommendation, we’ve even seen code that winds back the internal NTC clock on the storage devices.
Regardless of whether it’s nation state, lone wolf or rouge insiders, I find it really upsetting they’re now shifting the focus to the target the health care industry, they know human life could be at stake and the ransom is likely to be paid.
What a horrible world we live in.
>> What a horrible world we live in.
That's a bit cynical.. There are 8bn people - you're going to get all sorts and then some. Every extreme, good and bad. There is no perfect.
It's a very western concept philosophically, isn't it? A disappointment at something not being there, but which could actually never really exist.
I believe it is nation-states.. And judging by the way nation-states around the world (including the UK) are behaving right now, I am predicting WWIII in the next year or three.
There are not enough resources to go around. The human population has to shrink. What happens when the human population is shrinking? We kill eachother so that we might survive.
> the lengths these low lives will go to questions the evils of the human race.
s/questions/extols/
Mine's the one with the sandwich board saying 'THE END IS NIGH'. (If I were religious, it might also say "REPENT, ALL YE SINNERS" but i'm not. An empty void is all we can look forward to, as far as I'm concerned. Sorry.)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
