Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Network Security The Almighty Buck Bitcoin Communications Encryption Government Networking Privacy Software The Internet The Military Wireless Networking News IT

Kentucky Hospital Calls State of Emergency In Hack Attack (cnbc.com) 265

An anonymous reader quotes a report from CNBC: A Kentucky hospital is operating in an internal state of emergency following an attack by cybercriminals on its computer network, Krebs on Security reported. Methodist Hospital, based in Henderson, Kentucky, is the victim of a ransomware attack in which hackers infiltrated its computer network, encrypted files and are now holding the data hostage, Krebs reported Tuesday. The criminals reportedly used new strain of malware known as Locky to encrypt important files. The malware spread from the initial infected machine to the entire internal network and several other systems, the hospital's information systems director, Jamie Reid, told Krebs. The hospital is reportedly considering paying hackers the ransom money of four bitcoins, about $1,600 at the current exchange rate, for the key to unlock the files.
This discussion has been archived. No new comments can be posted.

Kentucky Hospital Calls State of Emergency In Hack Attack

Comments Filter:
  • Looks like someone opened it there....
    • by Z00L00K ( 682162 )

      Maybe it's time for organizations to learn that networks need to be segmented within the organization and not put everything on centralized servers. That way it's at least possible to contain any intrusion and malware to a smaller area.

      • Re:Document2 (Score:5, Insightful)

        by HumanWiki ( 4493803 ) on Thursday March 24, 2016 @02:19PM (#51771357)
        Good luck with that... As an infra-engr guy for over a decade now, I can't tell you how many times I've been told to go pound sand by the people in charge of the company when I suggest things like that that cost money upfront to stop things that may cost money later. Pretty much anyone asking for actual backup systems or real DR hits similar walls. Not saying it's right or that I agree with it.. But, it's not as simple as saying it's time they learn. They don't. They never do.
        • by torkus ( 1133985 )

          Oh please, hospitals are still the low hanging fruit. Doctors who can quote body parts I can't pronounce and didn't know exist can't manage to remember a moderately complex password for more than 15 seconds...much less change it on occasion. I'm trolling a bit, but the number of hospital devices still in use that are set to default logins, passwords, pins or the like is astounding.

          I'll say that hardened targets are still hugely susceptible to an individual with moderate inside knowledge. Spear-phishing i

        • Re:Document2 (Score:5, Insightful)

          by Pontiac ( 135778 ) on Thursday March 24, 2016 @05:36PM (#51772801) Homepage

          Network segmentation, internal firewalls, client firewalls and admin isolation are the keys to preventing this.

          Local Server and client firewalls prevent access to system shares from unauthorized sources.

          Firewalls segmenting the network help isolate an outbreak.

          Admin isolation: No logging onto your desktop as admin ever! management tasks are done by remote access to workstations isolated in their own hardened network segment and built for admin tasks.

          Overkill? depends on your point of view. I know of places doing it this way.

          Admins will fight not having their tool set local on their machines but after you get used to it it's better.

      • by tnk1 ( 899206 )

        Spear phishing attacks can be scarily professional these days. There are always better ways to do things with security, and many ways to mitigate those threats, but it is often less about what tools they use, and more often about what policies that they can force their users and admins to adhere to. If hacking organizations take their time, watch the organization carefully and develop a plan before executing their extortion action, they may well be so ingrained in your systems that they are watching your

        • One type of attack that I witnessed over the winter holidays last year involved a malicious user harvesting e-mail signatures via auto-replies.

          Then using publicly available org information to target the accounting dept.

          The spear phishing e-mail looked pretty damn legit. The e-mail contained, what appeared to be, a back-and-forth exchange between the owner and the CFO with a request to transfer money.

          It actually came way too close to succeeding and was only foiled by the fact that it was such a highly irregu

          • by afidel ( 530433 )

            Yup, wire transfer fraud is scarily effective and lucrative. A local company lost $14.8M, they were able to recover all but ~$4.8M of it but only by hours and that's still a LOT of money to get from a few hours research and a few emails.

      • by J053 ( 673094 ) <J053@BOYSENshangri-la.cx minus berry> on Thursday March 24, 2016 @04:11PM (#51772327) Homepage Journal

        Or, maybe, they should learn to have good backup policies so a ransomware infection would result in, at most, loss of 1 day's data while the last pre-infection backup is restored. Data integrity 101, people.

    • These are the threats that keep me up at night as a sysadmin.

      It just takes one user clicking something they shouldn't

      To try to combat this I do the following:

      1. Use L7 firewall rules to block executables
      2. Use IPS on both the firewall and the local computers
      3. Use content filtering at the firewall level
      4. Use locked down local (PC) firewall rules
      5. Use a segmented network model with locked down firewall rules in between them
      6. Do not allow anything to execute from local user writable locations (appdata, usb

      • by lgw ( 121541 )

        1. Use L7 firewall rules to block executables

        I saw people extracting password-protected zip files to execute malware in the 90s. They've been doing it ever since. Sure, it might help a little, but still.

        6. Do not allow anything to execute from local user writable locations (appdata, usb drives, optical drives, etc)
        7. Run all workstations as standard users

        For kiosks, or shared machines, sure, but otherwise that's a significant imposition on users for very little gain, as a rootkit just bypasses all of that, and there's always a new privilege escalation exploit making the rounds.

        9. Stay on top of all updates every month (Flash, Java, Windows, etc)

        See, now that solves real problems without getting in everyone's way.

        Train users

        Hahaha, good one!

        sign off from management to discipline users who fail the test

        Hahaha, man, you should do stand-up.

        15. Scan logs and reports daily

        Wha

        • 1. Use L7 firewall rules to block executables

          I saw people extracting password-protected zip files to execute malware in the 90s. They've been doing it ever since. Sure, it might help a little, but still.

          We actually block password-protected zip files as well.

          6. Do not allow anything to execute from local user writable locations (appdata, usb drives, optical drives, etc)
          7. Run all workstations as standard users

          For kiosks, or shared machines, sure, but otherwise that's a significant imposition on users for very little gain, as a rootkit just bypasses all of that, and there's always a new privilege escalation exploit making the rounds.

          We whitelist exes based on meta data in the file's certificate, usually publisher name. If an executable is not signed, it has no chance of running. Turns out that this is mostly a problem for me and not users.

          We use Avecto DefendPoint (formerly Privilege Guard) to set executables which are automatically elevated. We use this to allow users to install software from an approved list. This also has the benefit of allowing privilege escalation without user

  • ...this clearly wouldn't have happened.
  • $1.6K is like what half a day in the ER chump change for them.

    • You're being too kind. Most of a decade ago 2 hours in ER cost me way over $4k - and that's after months of negotiation and paying some cash under the table.
    • by fnj ( 64210 )

      I can see you haven't been in an ER for half a day, or know anybody who has.

    • $1.6K is the cost of an aspirin in the ER.

    • Of course it's chump change, since even most individuals could actually afford that payment if they really needed to. What they're considering is either the negative publicity paying off criminals would have on their organization, or perhaps the moral implications of paying off criminals.

  • Backups? (Score:2, Insightful)

    by Anonymous Coward

    Backups people, it's not hard using current technology and you get extra points for verifying those backups once you've done them. After all, a set of blank tapes in the safe are no good to man nor beast. This is a damn hospital with people's lives at stake and you'd think that they would take more care with their date!

  • by Anonymous Coward on Thursday March 24, 2016 @02:04PM (#51771173)

    I've seen huge upswings in locky and other ransomware hitting the email gateway since the first. Literal 30x upswing.

    Lots of the locky infected messages are mimicking fax gateways and network-to-email scanner/mfp devices. The others are the usual tracking, invoice, tax, payment, etc social engineering schemes.

    Via email, most use executables in zip files.

    I've banned zip file attachment just to cut down on the load.

    I've heard reports that there are some really aggressive targeting via ad networks too.

    Backup, backup, and backup some more. Then audit. Then do DR drills. Then Audit the DR drills.

    Your user's endpoints aren't secure. Locky and company work inside a user's context and do not need admin privs. Backup is the only thing that will save you.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      I've banned zip file attachment just to cut down on the load.

      What admin's job wouldn't be complete if they weren't inventing new ways to stop their company from getting things done instead of properly administering their network? There are a lot of ways that you could secure your email without the ham-fisted (and ineffective) file blocking. Instead, your users are going to be renaming their files things like application.pdf with instructions to rename it to zip, so all you've achieved is making another hurdle for employees to jump before they can do their job. Now th

  • by anegg ( 1390659 ) on Thursday March 24, 2016 @02:05PM (#51771181)

    electronic medical records.

    If this turns out to be a typical outcome of medical facility IT administration, then electronic medical records might not be such a good idea, at least not without adjustments to how the records are hosted.

    Just like "critical infrastructure" should not be connected to the Internet, it seems medical facility records infrastructure needs to be separate as well. Perhaps this is a general architectural strategy that should be implemented wherever organizations process sensitive information - one level of infrastructure for general purpose communications and Internet access, another (separate) level of infrastructure for the sensitive information, with an acceptance of the higher cost of maintaining the proper separation. One big mashup appears to have some significant risks.

  • Do they have any?

    • by fnj ( 64210 )

      Do they have any?

      Even if they do, if a whole lot of data has been lost from on-line storage, it would cost a whole lot more than $1600 in time and labor to restore it.

  • Good thing a big fancy place like a hospital, you know, with all that juicy mission critical data, has a solid and well tested disaster recovery plan, right?

    Right?

    hahahaahhaah

  • people on here cackling about the incompetence of government workers in regards to the iPhone issue (no MDM software installed), the IRS hack and a few other items.

    Considering the near daily reports of private industry being hacked or compromised, it looks like the government has some work to do if it wants to run its operations like private industry does as some say should be done.

  • by herve_masson ( 104332 ) on Thursday March 24, 2016 @02:17PM (#51771331)

    So, a stupid macro virus open thousand files on a PC at full speed, delete them, and create another one with .locky extension. No AV software has he capability to detect something unusual ? dangerous ? Suspect ? (I wonder how AV waste my CPU and disk IOs so badly...)

    This locky shit has been around for a few month, and no AV can do anything about it ?? seriously ? They did not even bother changing the .locky file extension...

    • by SumDog ( 466607 ) on Thursday March 24, 2016 @03:00PM (#51771763) Homepage Journal

      Since the past decade. Enumerating viruses is useless. There are too many. Machine learning can be fooled and has high false positive rates. A French researcher at Kiwicon in 2014 showed that the parsers most AVs use run as the System user. He was able to use broken JPEGs and PDFs against the parser and get code execution as the System users (read: you don't even have to open the file. The virus scanner ran the executable code!)

      Active virus scanners are totally worthless today and actually increase the attack vectors to machines. Passive virus scanners are about equally as useless.

    • Kaspersky Endpoint Security includes a component named System Watch that can detect and stop ransomware behaviour, but that component doesn't get installed on server versions of Windows yet so it's no good for Remote Desktop servers. Not sure about other brands of AV.
  • by Anonymous Coward

    Tell everyone far and wide that the scammers took your money and REFUSED to give the encryption key, and that you had to restore everything from old backups.

    Ruin the assholes' business model, since no one is going to pay if they are known to take the ransom and skip out.

  • by Impy the Impiuos Imp ( 442658 ) on Thursday March 24, 2016 @02:22PM (#51771383) Journal

    hackers infiltrated its computer network, encrypted files and are now holding the data hostage

    There's a meat slicer from the beginning of the original Children of the Corn with their name on it.

  • If someone dies ... (Score:5, Informative)

    by jbeaupre ( 752124 ) on Thursday March 24, 2016 @02:35PM (#51771529)

    If someone dies in the hospital and it can be traced to critical files being unavailable, the malware owners could be charged with murder.

    https://en.wikipedia.org/wiki/... [wikipedia.org]

    But not in Kentucky.

    https://en.wikipedia.org/wiki/... [wikipedia.org]

  • by chispito ( 1870390 ) on Thursday March 24, 2016 @02:57PM (#51771737)
    For several years now, every single security analyst, including the FBI (https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/) I've come across has said the same thing about crypto-ransomware: pay them.

    There is time to be idealistic later. Right now, you're being mugged: Do what you need to survive.
  • Even the NSA allowed Snowden, a SharePoint administrator working for a contractor, access to some pretty critical data. If they can't properly control access to information, especially given how many tools there are out there to do so, it's not a shocker that private businesses fail to do so also.

    The ransomware epidemic illustrates a very good point -- companies still treat their internal networks as 100% trusted. Once a machine is plugged in, there's nothing stopping it from roaming around the interior. Th

  • Just revert to the backup. Right?
  • by khz6955 ( 4502517 ) on Thursday March 24, 2016 @03:36PM (#51772061)
    Curious how you failed to mention that Locky requires Windows & Office to work ..

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...