Kentucky Hospital Calls State of Emergency In Hack Attack

An anonymous reader quotes a report from CNBC: A Kentucky hospital is operating in an internal state of emergency following an attack by cybercriminals on its computer network, Krebs on Security reported. Methodist Hospital, based in Henderson, Kentucky, is the victim of a ransomware attack in which hackers infiltrated its computer network, encrypted files and are now holding the data hostage, Krebs reported Tuesday. The criminals reportedly used new strain of malware known as Locky to encrypt important files. The malware spread from the initial infected machine to the entire internal network and several other systems, the hospital's information systems director, Jamie Reid, told Krebs. The hospital is reportedly considering paying hackers the ransom money of four bitcoins, about $1,600 at the current exchange rate, for the key to unlock the files.

Document2

[HumanWiki]

Looks like someone opened it there....

Re:

[Z00L00K]

Maybe it's time for organizations to learn that networks need to be segmented within the organization and not put everything on centralized servers. That way it's at least possible to contain any intrusion and malware to a smaller area.

Re:Document2

[HumanWiki]

Good luck with that... As an infra-engr guy for over a decade now, I can't tell you how many times I've been told to go pound sand by the people in charge of the company when I suggest things like that that cost money upfront to stop things that may cost money later. Pretty much anyone asking for actual backup systems or real DR hits similar walls. Not saying it's right or that I agree with it.. But, it's not as simple as saying it's time they learn. They don't. They never do.

Re:

[torkus]

Oh please, hospitals are still the low hanging fruit. Doctors who can quote body parts I can't pronounce and didn't know exist can't manage to remember a moderately complex password for more than 15 seconds...much less change it on occasion. I'm trolling a bit, but the number of hospital devices still in use that are set to default logins, passwords, pins or the like is astounding.

I'll say that hardened targets are still hugely susceptible to an individual with moderate inside knowledge. Spear-phishing i

Re:Document2

[Pontiac]

Network segmentation, internal firewalls, client firewalls and admin isolation are the keys to preventing this.

Local Server and client firewalls prevent access to system shares from unauthorized sources.

Firewalls segmenting the network help isolate an outbreak.

Admin isolation: No logging onto your desktop as admin ever! management tasks are done by remote access to workstations isolated in their own hardened network segment and built for admin tasks.

Overkill? depends on your point of view. I know of places doing it this way.

Admins will fight not having their tool set local on their machines but after you get used to it it's better.

Re: Document2

[Hotawa Hawk-eye]

Would it cost more than a lawsuit filed against the hospital by the next of kin of a patient that died because the equipment needed to keep them alive was disabled by an attack like this?

Re:

[dgatwood]

That problem is easily solved. Bankrupt a dozen such companies and publish articles that make it really clear that the reason they went bankrupt is that they refused to implement the security that their techs recommended. Then, when the idiot MBAs tell you to pound sand, you can show them case files of companies that made the same decisions and lost everything. Then, their irrational fear of what is probably a relatively low risk (but high cost if they're wrong) will cause them to throw money at the pro

Re:

[dgatwood]

That's in part because most criminals foolishly believe that they won't ever get caught, and in part because a large percentage of those crimes are committed by people in situations where they don't have enough time to act rationally, e.g. crimes of passion, having a gun on them when they rob a store and getting surprised by an off-duty cop, etc. If somebody said to them, "Look, if you bring that gun with you, there's a chance you'll have to use it, and you could get the death penalty," some percentage of

Re:

[sconeu]

And most bean-counters foolishly believe "it won't happen to us".

Re:

[pla]

My question is, would improving security cost more than $1,600?

You want to trust recovering a substantial portion of your network to not only the honesty of the guy who wrote this, but also in the ability of a loser who can't make a living as a "real" programmer to implement a reversible cryptosystem as intended? And when the next attack doesn't want money, but instead comes from a 14YO who just wants to fuck things up, what then?

$1,600 doesn't even show up as an OpEx, it vanishes into petty cash; los

Re:

[pj2541]

What CIO's have gone to jail? I must have missed that. I don't recall any jail time for a corporate officer in the US since Al Capone.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re: Document2

[Thor Ablestar]

Let's calculate. Once upon a time I was a sysadmin in some Russian hospital. About 100 quite old computers with about 100 GB each. The critical data are about half of them. So you need about 10 TB to hold a reserve copy of everything - about US$500 of HDD. Maybe less. Then, you take any computer that has enough HDD ports - about US$150 since you don't need a new shiny computer, it would just work. Install there some software that would copy the modified files - it's free.

But it's not the solution. The correct solution is the order of Chief Doctor that everybody who does not cooperate with Sysadmin would pay the ransom from their own pocket.

Re:

[tnk1]

Spear phishing attacks can be scarily professional these days. There are always better ways to do things with security, and many ways to mitigate those threats, but it is often less about what tools they use, and more often about what policies that they can force their users and admins to adhere to. If hacking organizations take their time, watch the organization carefully and develop a plan before executing their extortion action, they may well be so ingrained in your systems that they are watching your

Re:

[The-Ixian]

One type of attack that I witnessed over the winter holidays last year involved a malicious user harvesting e-mail signatures via auto-replies.

Then using publicly available org information to target the accounting dept.

The spear phishing e-mail looked pretty damn legit. The e-mail contained, what appeared to be, a back-and-forth exchange between the owner and the CFO with a request to transfer money.

It actually came way too close to succeeding and was only foiled by the fact that it was such a highly irregu

Re:

[afidel]

Yup, wire transfer fraud is scarily effective and lucrative. A local company lost $14.8M, they were able to recover all but ~$4.8M of it but only by hours and that's still a LOT of money to get from a few hours research and a few emails.

Re:Document2

[J053]

Or, maybe, they should learn to have good backup policies so a ransomware infection would result in, at most, loss of 1 day's data while the last pre-infection backup is restored. Data integrity 101, people.

Re:

[The-Ixian]

These are the threats that keep me up at night as a sysadmin.

It just takes one user clicking something they shouldn't

To try to combat this I do the following:

1. Use L7 firewall rules to block executables
2. Use IPS on both the firewall and the local computers
3. Use content filtering at the firewall level
4. Use locked down local (PC) firewall rules
5. Use a segmented network model with locked down firewall rules in between them
6. Do not allow anything to execute from local user writable locations (appdata, usb

Re:

[lgw]

1. Use L7 firewall rules to block executables

I saw people extracting password-protected zip files to execute malware in the 90s. They've been doing it ever since. Sure, it might help a little, but still.

6. Do not allow anything to execute from local user writable locations (appdata, usb drives, optical drives, etc)
7. Run all workstations as standard users

For kiosks, or shared machines, sure, but otherwise that's a significant imposition on users for very little gain, as a rootkit just bypasses all of that, and there's always a new privilege escalation exploit making the rounds.

9. Stay on top of all updates every month (Flash, Java, Windows, etc)

See, now that solves real problems without getting in everyone's way.

Train users

Hahaha, good one!

sign off from management to discipline users who fail the test

Hahaha, man, you should do stand-up.

15. Scan logs and reports daily

Wha

Re:

[The-Ixian]

1. Use L7 firewall rules to block executables

I saw people extracting password-protected zip files to execute malware in the 90s. They've been doing it ever since. Sure, it might help a little, but still.

We actually block password-protected zip files as well.

6. Do not allow anything to execute from local user writable locations (appdata, usb drives, optical drives, etc)
7. Run all workstations as standard users

For kiosks, or shared machines, sure, but otherwise that's a significant imposition on users for very little gain, as a rootkit just bypasses all of that, and there's always a new privilege escalation exploit making the rounds.

We whitelist exes based on meta data in the file's certificate, usually publisher name. If an executable is not signed, it has no chance of running. Turns out that this is mostly a problem for me and not users.

We use Avecto DefendPoint (formerly Privilege Guard) to set executables which are automatically elevated. We use this to allow users to install software from an approved list. This also has the benefit of allowing privilege escalation without user

If they'd had a proper backdoor...

[Type44Q]

...this clearly wouldn't have happened.

Re:

[CaptSlaq]

...this clearly wouldn't have happened.

Found the Spook.

$1.6K is like what half a day in the ER chump chan

[Joe_Dragon]

$1.6K is like what half a day in the ER chump change for them.

Re:

[DCFusor]

You're being too kind. Most of a decade ago 2 hours in ER cost me way over $4k - and that's after months of negotiation and paying some cash under the table.

Re:

[fnj]

I can see you haven't been in an ER for half a day, or know anybody who has.

Re:

[Joe_Dragon]

well that may be there profit after paying out the staff and buying the drugs.

Re:

[aaarrrgggh]

$1.6K is the cost of an aspirin in the ER.

Re:

[Dutch Gun]

Of course it's chump change, since even most individuals could actually afford that payment if they really needed to. What they're considering is either the negative publicity paying off criminals would have on their organization, or perhaps the moral implications of paying off criminals.

Re:

[Joe_Dragon]

and then you get a bill in the mail from the runner / server for there own work. (it's not part of the bill you paid at the restaurants)

Backups?

[Anonymous Coward]

Backups people, it's not hard using current technology and you get extra points for verifying those backups once you've done them. After all, a set of blank tapes in the safe are no good to man nor beast. This is a damn hospital with people's lives at stake and you'd think that they would take more care with their date!

Keep on your toes. Ransomware on huge upswing

[Anonymous Coward]

I've seen huge upswings in locky and other ransomware hitting the email gateway since the first. Literal 30x upswing.

Lots of the locky infected messages are mimicking fax gateways and network-to-email scanner/mfp devices. The others are the usual tracking, invoice, tax, payment, etc social engineering schemes.

Via email, most use executables in zip files.

I've banned zip file attachment just to cut down on the load.

I've heard reports that there are some really aggressive targeting via ad networks too.

Backup, backup, and backup some more. Then audit. Then do DR drills. Then Audit the DR drills.

Your user's endpoints aren't secure. Locky and company work inside a user's context and do not need admin privs. Backup is the only thing that will save you.

Re:

[Anonymous Coward]

I've banned zip file attachment just to cut down on the load.

What admin's job wouldn't be complete if they weren't inventing new ways to stop their company from getting things done instead of properly administering their network? There are a lot of ways that you could secure your email without the ham-fisted (and ineffective) file blocking. Instead, your users are going to be renaming their files things like application.pdf with instructions to rename it to zip, so all you've achieved is making another hurdle for employees to jump before they can do their job. Now th

Re:Keep on your toes. Ransomware on huge upswing

[OhPlz]

Just send me the file to my Yahoo email address, the corporate one is a PITA.

There might be a problem with...

[anegg]

electronic medical records.

If this turns out to be a typical outcome of medical facility IT administration, then electronic medical records might not be such a good idea, at least not without adjustments to how the records are hosted.

Just like "critical infrastructure" should not be connected to the Internet, it seems medical facility records infrastructure needs to be separate as well. Perhaps this is a general architectural strategy that should be implemented wherever organizations process sensitive information - one level of infrastructure for general purpose communications and Internet access, another (separate) level of infrastructure for the sensitive information, with an acceptance of the higher cost of maintaining the proper separation. One big mashup appears to have some significant risks.

Backups?

[rrohbeck]

Do they have any?

Re:

[fnj]

Do they have any?

Even if they do, if a whole lot of data has been lost from on-line storage, it would cost a whole lot more than $1600 in time and labor to restore it.

Disaster recovery time

[grasshoppa]

Good thing a big fancy place like a hospital, you know, with all that juicy mission critical data, has a solid and well tested disaster recovery plan, right?

Right?

hahahaahhaah

I seem to remember. . .

[smooth wombat]

people on here cackling about the incompetence of government workers in regards to the iPhone issue (no MDM software installed), the IRS hack and a few other items.

Considering the near daily reports of private industry being hacked or compromised, it looks like the government has some work to do if it wants to run its operations like private industry does as some say should be done.

When did AV became so useless ?

[herve_masson]

So, a stupid macro virus open thousand files on a PC at full speed, delete them, and create another one with .locky extension. No AV software has he capability to detect something unusual ? dangerous ? Suspect ? (I wonder how AV waste my CPU and disk IOs so badly...)

This locky shit has been around for a few month, and no AV can do anything about it ?? seriously ? They did not even bother changing the .locky file extension...

Re:When did AV became so useless ?

[SumDog]

Since the past decade. Enumerating viruses is useless. There are too many. Machine learning can be fooled and has high false positive rates. A French researcher at Kiwicon in 2014 showed that the parsers most AVs use run as the System user. He was able to use broken JPEGs and PDFs against the parser and get code execution as the System users (read: you don't even have to open the file. The virus scanner ran the executable code!)

Active virus scanners are totally worthless today and actually increase the attack vectors to machines. Passive virus scanners are about equally as useless.

Re:

[nuckfuts]

Kaspersky Endpoint Security includes a component named System Watch that can detect and stop ransomware behaviour, but that component doesn't get installed on server versions of Windows yet so it's no good for Remote Desktop servers. Not sure about other brands of AV.

Pay them off, get the key, decrypt, and THEN...

[Anonymous Coward]

Tell everyone far and wide that the scammers took your money and REFUSED to give the encryption key, and that you had to restore everything from old backups.

Ruin the assholes' business model, since no one is going to pay if they are known to take the ransom and skip out.

The one with Linda Hamilton

[Impy the Impiuos Imp]

hackers infiltrated its computer network, encrypted files and are now holding the data hostage

There's a meat slicer from the beginning of the original Children of the Corn with their name on it.

If someone dies ...

[jbeaupre]

If someone dies in the hospital and it can be traced to critical files being unavailable, the malware owners could be charged with murder.

https://en.wikipedia.org/wiki/... [wikipedia.org]

But not in Kentucky.

https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[ArchieBunker]

Oh yeah real scary for the people in Russia or Latvia writing this stuff.

Considering? Drop everything and pay it.

[chispito]

For several years now, every single security analyst, including the FBI (https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/) I've come across has said the same thing about crypto-ransomware: pay them.

There is time to be idealistic later. Right now, you're being mugged: Do what you need to survive.

No one does security right

[ErichTheRed]

Even the NSA allowed Snowden, a SharePoint administrator working for a contractor, access to some pretty critical data. If they can't properly control access to information, especially given how many tools there are out there to do so, it's not a shocker that private businesses fail to do so also.

The ransomware epidemic illustrates a very good point -- companies still treat their internal networks as 100% trusted. Once a machine is plugged in, there's nothing stopping it from roaming around the interior. Th

Not a problem

[Dunbal]

Just revert to the backup. Right?

Locky requires Windows & Office to work ..

[khz6955]

Curious how you failed to mention that Locky requires Windows & Office to work ..

Re:

[alphatel]

Why such a low ransom for such a high risk? I bet the hospital has more $ in its petty cash drawer...

Perhaps this is a proof-of-concept run for the attackers...

They just don't know what they have. Once they see the publicity guaranteed this goes up to 400 BTC in a heartbeat.

Re:

[tnk1]

Not necessarily. These criminals want to provide good "service" to their "customers". If it gets out that this sort of extortion payment has no effect on getting back their data, no one will pay it and they will lose their "business".

That doesn't prevent "me too" organizations from walking in and hacking them as well, of course.

And be aware that these organizations are often extremely professional these days, using very sophisticated spear phishing attacks and other means. It is increasingly less true th

Re:only 4 bitcoin?

[bill_mcgonigle]

Why such a low ransom for such a high risk?
I bet the hospital has more $ in its petty cash drawer...

And who benefits from all this drama? They could have been back up and running before they went to the press. How does the hospital not suffer from this PR (like that they have no network isolation, perimeter security, or backups)? Something else is going on.

Re:

[tnk1]

Yes. If they're going to pay, they want to do so nice and quiet-like. Otherwise, they're going to have their shit locked up again by some other group the day after they unlock it.

For my part, I do hope they have some clever scheme behind the scenes here, because this PR is a bad idea for them in their predicament. It's not like their security has been fixed this quickly.

Re:

[khasim]

There is no real risk for the attackers.

And, if the ransom is that low, there is more incentive to just pay it rather than spend the time/money to recover everything themselves (and miss some things and have to pay it anyway).

The attackers are in this for the money. One HUGE score would mean more incentive for politicians / police / FBI / etc to try to find them.

A thousand smaller scores mean that this is just-something-that-happens and we-should-get-used-to-it. And the money keeps rolling in.

Re:

[fnj]

Yes. However ... the amount of ransom demanded should have no relation to the sentence that should be applied to the scum-suckers responsible. There should be no leeway for laughing it all off if the ransom is deemed a "minor" amount. Kidnapping is equally reprehensible whether you demand $1 million or $10.

Re:

[Okian Warrior]

There is no real risk for the attackers.

Slashdot had an earlier story about a guy being extradited to the US for doing what every millisecond trading system does.

Yet when actual people are affected, the government doesn't seem to care.

I can draw a parallel to swatting, where the government has to respond by going overboard "just in case" the report turns out to be real, but doesn't bother to investigate the false reports and turns a blind eye to the perpetrators, even when the swatting ends in tragedy.

Re:

[ArchieBunker]

The ransom is the same for everyone no matter who is infected. The emails I've seen with this attachment are coming out of Iran and Pakistan.

Re:

[Hotawa Hawk-eye]

It's in the spirit of "We are prepared to bring this to court. However, if you're willing to settle for $100 per file we are accusing you of sharing, we are willing to consider this matter resolved."

As an attacker, it makes sense that you would want to ask for a large enough amount of money that you actually make money, but not enough that it's worth it for your target to fight back. In this case, it seems like that "sweet spot" is 4 bitcoin (or about $1600 dollars) probably precisely because it's "petty

Re:

[Scragglykat]

Indeed. I mean, the last time I had a Big Mac Attack, I was shocked at the price of Big Macs... but this... a Big Hack Attack is not nearly as pricey as I would have imagined it to be.

Re:Good

[PraiseBob]

Let's use a car analogy.

Say you are "stupid enough" drive to a bad neighborhood. You leave your car parked, but accidentally left one of the doors unlocked. Should it now be perfectly legal to steal that car, or smash the windows, or commit whatever property crime you want on it?

Re:Good

[iCEBaLM]

No, but you're a fucking idiot if you don't expect it to happen.

Re:Good

[cheater512]

Because victims never contribute to their state of being a victim?

Saying victim blaming is wrong is saying that if you become a victim you instantly become infallible, could not have contributed to the problem in anyway and are a completely innocent party.

Re:

[Anonymous Coward]

I modded you troll. Its your own fault because you posted here and knew perfectly well how easy it is to get modded as a troll.

Re:Good

[Kjella]

Because victims never contribute to their state of being a victim? Saying victim blaming is wrong is saying that if you become a victim you instantly become infallible, could not have contributed to the problem in anyway and are a completely innocent party.

There's two fundamentally different but overlapping meanings of blame. One is the perp's blame - the thief, the murderer, the rapist who is obviously the ultimate cause of everything. But we also used it in the meaning "failed to protect", like if the President got shot many people would blame the Secret Service even though they didn't have any part in it. They just failed to prevent it. The first one isn't really a subject of debate. The second? Well you can implicate almost anyone and everyone if you want to, like take the terror attacks in Brussels. Some will blame the police for not being able to stop it. Some will blame the politicans, the mosques and so on. Who could have done something? Who should have done something differently?

The latter often ends up in some conflict of idealism versus reality. Nobody has any more right to steal from me because I forget to lock the door. But I obviously made it a lot easier for them. Or the mere absence, does the fact that I don't have a home alarm mean I'm more to blame if burglars loot my apartment? This is where victim blaming comes in, you shouldn't do that, be there, get that drunk, wear that skirt, walk those streets. Idealistically, the answer is of course hell no you shouldn't let that control your life. Practically, it's a mixed bag. I lock my door, I don't live in a prepper's bunker. But if bad shit happen, I'd be pretty pissed if you blamed me for not doing enough because it's still not my fault.

Poorly done

[s.petry]

What gets overlooked, and I'll argue intentionally, is that people are not being held accountable for their actions. This is the flaw I constantly see in discussions regarding "Social Justice". You just attempted to do just that, using a very odd example. Given your example, the secret service would be blamed if the President got shot. And they should be blamed. Numerous people assigned to Presidential detail failed if that was to happen. Bob gets paid to take a bullet for the President, and he hid when trouble started. Jerry neglected email about a shooter, Beth ignored the metal detector because that lady just looked nice, etc.. etc...

Sure, the person who pulled the trigger is a criminal. The other people don't get a free pass at negligence and/or bad decisions because of the crime.

One more example: Say you are in a public park and a big guy sits across from you on a different bench. You start tossing pebbles and they land close to his feet. He gives you a look that lets you know he's not happy, but you continue to toss pebbles. A dozen or so pebbles later he walks over and punches you in the face.

Was he right to punch you in the face? No, he is absolutely guilty of assault. On the other hand, you instigated the encounter and are accountability for your actions. Your broken nose in no way negates the fact that you were instigating the encounter.

You don't have to learn the lesson that you were taught, and the next big guy coming along will still be wrong to punch you in the face. You will still be an instigator deserving of a broken nose.

Re:

[hercludes]

Victim blaming? I hate this attitude when it comes to these sorts of things, it always sends the message that people don't have to worry about their own security and safety. In the end, it is partially the victim's fault because if the victim had decided to employ more security and caution, they would not have had their car stolen. Same as how it's the criminal's fault because if they had not decided to be a shitty person on that day, no car would have been stolen. There's a legitimate difference between em

Re:

[Grishnakh]

The other problem with this "never blame the victim" mentality is that it seems to assume that bad humans shouldn't exist.

For a different example than the car theft in a bad neighborhood one, how about if you park your car under a really big, old tree as a giant storm is blowing in, and the tree falls over and smashes your car? (Let's suppose that you live here and you should know full well that this tree is really old and could fall over.) No other humans were involved here, just you and your dumb parkin

Re:

[l0n3s0m3phr34k]

Might as well blame it on Jupiter and Vertumnus, Roman Gods of storms and trees respectively. Next time, when parking under a tree, you need to pour some wine on the roof of your car while reciting "Vertumne, uti te ture ommovendo bonas preces bene precatus sum, eiusdem rei ergo macte vino inferio esto."

Re:

[ADRA]

One can and certainly should blame companies for not applying best practices (and most likely their legal requirement) to keep information safe. In terms of companies, if they're unable to be effective, they deserve to go out of business. If I drive down the road without car insurance and a deer hits me, do I blame the deer or myself for not getting insurance?

Re:

[Z00L00K]

The analogy isn't exact, it's like passing by a bad neighborhood on the freeway and risk getting shot at.

Re:Good

[SecurityGuy]

Problem is, if you're a hospital you have thousands of people who can screw up. Any time you have thousands of people who can screw up, it's just a matter of time before someone does.

I also read in another article that they just said "No." and restored from backups.

Re:Good

[Rei]

That's an excuse for one computer getting infected. That's not an excuse for the whole hospital getting infested.

Re:

[sims 2]

What about the elderly?!

Re:

[SumDog]

I've seen more and more malware make it through my spam filters (amavis + spam assassin + clamav). I can tell by looking at it. Occasionally I pull the zips into a VM and look at the fake excel files filled with Javascript.

You can't protect against this kind of stuff as an IT admin, without making e-mail even more unreliable than it actually is (I wrote a post about this last year: http://penguindreams.org/blog/how-google-and-microsoft-made-email-unreliable/).

Sure, you shouldn't let workstations have write

Re:

[niftymitch]

As well they should pay it.

I have ZERO sympathy for insecure IT systems. I also have ZERO sympathy for "victims" of scams. If you're stupid enough to leave your shit wide open, or Western Union money to Albania, that's on you. It should be perfectly legal to take advantage of stupid people. Consider it a learning experience.

No bring in the FBI and have the FBI compel a solution.

While I have little sympathy for bad management there is a lesson here
that cyber crimes are a reality and each device that touches a network
will be attacked.

A hack on a hospital could cause numerous fatalities from the NICU, to
the ICU to surgery centers to failure of autoclaves, refrigeration, AC, loss or
corruption of data needed to track blood and other medications and people.

Some worry about the IoT where folk worry about the NEST thermostat
invasion o

Re:

[aaarrrgggh]

Let's get real though: How are you going to stop an ignorant person like an orderly or doctor from doing really stupid things 0.1% of the time?

In my mind, the only way to control the issue of ransomware is to limit the potential impact a user can have. Comparing $2,000 to the time required to shut systems down, grab a tape, and restore files... you really need to be in a situation where the recovery takes less than an hour rather than paying the ransom. To make that viable no user would be able to encryp

Re:

[niftymitch]

Let's get real though: How are you going to stop an ignorant person like an orderly or doctor from doing really stupid things 0.1% of the time?

...

Getting real is spot on.
An orderly or doctor will from time to time will do stupid stuff.
It takes much less than you're 0.1% stupidity rate for this to be an issue.

System need to be patched.
Systems need strong capability models such that no orderly, doctor, nurse or
patient has sufficient capability to cause harm.

Consider the national security issue of an unpatched flaw known to
one or more TLA but kept secret because it is seen as a bit of power.
The reality it is first hand knowledge of a domestic vulnerabil

Re:

[tnk1]

I see where you are coming from, but I fail to see the point of punishing someone for taking an action that might free their relative or friend from a kidnapper who the government is clearly unable to prevent from operating.

It feels very wrong that the only person who managed to save the kidnapped person from being killed might be the only one who would be going to jail.

Yes, let the cops do their job. However, if the cops fuck up, or they can't protect you, then you do what you need to do.

Re:Good

[fnj]

That said, I would support charging anybody who pays a ransom as a [sic] accomplice

Jesus H. Christ. That is a perfectly asinine view. I cannot believe anyone is that morally bankrupt. So some scum kidnaps your elderly mother, threatens you that you will neer see her again, and you pay the ransom. Do you really think you should be charged with being accomplice to kidnapping? THINK. I know it's hard, but try.

Look, I know the situation with this ransomware shit is exasperating. It's pretty much a no-brainer that you pay the ransom if it makes financial sense and you can't rescue it otherwise, but after that is done and the data is restored, and maybe after you take serious and effective steps to make sure that it can never happen again, you (and the system) go after the scum-sucking low-lifes who are responsible for the ACTUAL law-breaking, and all others like them, with a fury and resolve that knows no bounds. These ransomware attacks should be crimes of a very high order, and a first offense should be a minimum multi-decade sentence.

Making the victim a double victim (victim of the law as well as victim of micreants) is absolutely the worst idea I ever heard of.

Re:

[Grishnakh]

I think the victim should be punished severely too, or else these attacks will keep happening. The victim decided to be a victim, to make himself open to this attack, and this affects the lives of many people at this hospital.

The victim, in this case, is whatever manager or managers decided to have crappy IT security.

IT managers need to start going to prison when these things happen. (Or, if they can show that it was the CEO who prevented them from implementing proper security, the CEO should go to prison

Re:

[dgatwood]

You assert that people paying a ransom are victims, but I think there are a lot of people in the world who agree that they are literally assisting the perpetrators to benefit from their crime. Which literally makes them an accomplice under existing law in most places, even if it isn't prosecuted that way. Why is a kidnapping victim under threat in the first place? Because the last asshole's family paid them for doing it.

The word I would use is enticing. They're enticing the criminals to commit the crimes.

Re:

[Rei]

I really don't see why it isn't illegal. Get both the US and EU to pass laws banning the paying of ransomware and you've destroyed the lion's share of their income. You can't totally prevent people from paying, but you'll stop most of it.

Being infected by ransomware should basically become "bad news - your data was destroyed in a file".

Re:

[lgw]

That was never going to happen - the question was about whether to restore from backups, or pay the trivial ransom amount. They made the right call, and went to backups, despite that costing more than $1600 in people's time.

Re:Congratulations!

[gstoddart]

The sad thing is, I don't think this is limited to certain hospitals ... their core competency is health care, and the fact that IT in hospitals has been underfunded or badly done for years isn't exactly news.

We've been hearing these same stories for years now.

Yes, brilliant, let's hope hospitals go out of business so we can waste money starting from scratch, that will totally be efficient.

Re: Congratulations!

[Type44Q]

their core competency is health care

I have yet to observe a hospital that this actually applies to.

Re:

[aaarrrgggh]

Clearly; their core competency is in invoicing.

Which victim?

[s.petry]

Security people have for decades said "STOP PUTTING EVERYTHING ON THE INTERNET!". And yet we have just about everything including public infrastructure on the Internet. The lies about "why" are very consistent. "Saves money" is probably the most popular, yet who is seeing that savings? Has the cost for you improved, or are the savings are going to execs and bureaucrats? You (Consumer) are the most at risk due to these policy decisions.

A specific class of people saying "do it anyway" does not mean it should be done, it means that people should be better than lemmings. Eventually it will happen, because it will have to happen.

While I certainly feel sorry for anyone who is personally harmed by losing data housed on these systems, I also hope it serves as a wake up call. "Centralized" is not usually the best option.

Blaming the victim, if you claim the Hospital is the victim, is actually appropriate. Blaming the person who's identity may be stolen or trashed was not being done, and those are the real victims here.

Re:

[duke_cheetah2003]

Security people have for decades said "STOP PUTTING EVERYTHING ON THE INTERNET!". And yet we have just about everything including public infrastructure on the Internet. The lies about "why" are very consistent. "Saves money" is probably the most popular, yet who is seeing that savings? Has the cost for you improved, or are the savings are going to execs and bureaucrats? You (Consumer) are the most at risk due to these policy decisions.

This. Not everything needs to be connected to the internet. There should be designated terminals that have internet access which are isolated from your organizations intranet. I personally blame the IT staff for this. Mission critical systems need to be 100% isolated from the internet, period, end of discussion. It's just too big of a risk in this day and age.

Re:

[fnj]

Blaming the victim, if you claim the Hospital is the victim, is actually appropriate.

Some blame for recklessness/incompetence is due, but it is distinctly secondary to the blame for the actual CRIME. It in no way diminishes the culpability of the scum-sucker who ACTUALLY DID THE DAMAGE.

Logic and Reason, or is that Raisen?

[s.petry]

The fact that there was a crime does not negate or diminish the poor decisions that led up to the crime taking place. Everything is not pure black or pure white. In fact the overwhelming majority of the world is gray. Sure, hold the criminals accountable for their actions. That said you also must hold the actors who presented the opportunity accountable for their actions.

Re:

[l0n3s0m3phr34k]

Even worse for this "victim" is that the U.S. Department of Health & Human Services has specifically made laws about IT security for organizations like this, and supposedly enforces security. So in this example, it goes beyond "I didn't know" to "I willfully ignored the law that's been on the books for almost two decades".

Re:

[l0n3s0m3phr34k]

Many "medical devices" in hospitals actually require internet connections and run ancient OSes like Win2k. It takes years to write new code, as everything has to go through FDA approval. Of course that's really no excuse to use vlans, proxies, IDS, and other mitigation techniques for this equipment...but until hospitals are hit with $50,000 per violation per day their just going to keep ignoring it all.

Re:

[Grishnakh]

No, hackers shouldn't get any blame at all. The hackers were doing their jobs, and they did them well as you can see by their success.

It was the IT people at the hospital who failed. Their *job* was to prevent this kind of thing, and they failed miserably.

Malicious hackers are going to exist whether you like it or not, and trying to "blame" them makes as much sense as blaming a hurricane for the damage it does. There's nothing productive about that; you're not going to convince hurricanes to not happen o

Re:

[l0n3s0m3phr34k]

Not only did the hospital IT fail, there are federal policies that are made to help protect against this. A hospital should be doing a risk assessment annually, and is required to document why specific remediation weren't followed per HIPAA. 164.306 is very clear on this all; even the policies that are "addressable" still require them to "Document why it would not be reasonable and appropriate to implement the implementation specification;"

They could be hit with "civil money penalties" of "$50,000 for

Re:

[HiThere]

Sorry, but NO!!!
There exist, or used to exist, hackers who didn't deserve any blame. The "cookie monster" hack, e.g., was a warning and didn't do any harm. The implementers of that were hackers who didn't secerve any blame. I don't quite remember the context, but the Morris Worm was, IIRC, an edge case. IIRC he didn't intend any harm, but he made a programming mistake that let the worm get out of control. Sorry, blame is deserved, though not in huge amounts.

The distinction is between warnings and damag

Re:

[Sir_Eptishous]

I hope you understand that it's not always the IT Administration that causes this, right? Many, many. many times it's the non-IT business units that demand we DONT put prevention in place because it will make them have 2 more steps to log in, can't save anywhere they want w/o elevating their status, can't just plug any old USB device in to their PCs, they have to change their passwords every 30 days and can't be one of their last 6, they demand to have YouTube or Facewebs or whatnot, the execs NEED to have access to their home DVRs and Home Automation systems so we have to poke firewall holes and install some insecure version of some remote control application....

You're right on the money brother.

The thing many forget is that security and securing the network, SAN, virtual infrastructure, servers, workstations, etc, etc is actually pretty low on the priority list for "real world" admins out there. Were too busy "taking care of business", you know, keeping things running smoothly to ensure profits, etc. Unfortunately many things admins do to increase security will annoy or slow down someone or something, and many times are inevitably undone so that little jimmy

Re: the answer

[Type44Q]

The people who sent the ransomware, and their families should be rounded up and tortured , and killed

"...and their families?!" This person, and whatever sick fuck modded them up, need a major ass-kicking.

Re:

[aaarrrgggh]

The saved recovery time compared to restoring from tape would make it worthwhile for a number of organizations-- which is what becomes very scary for the long-term prospects of this type of attack. Have a low enough ransom and it can last forever.

Re:

[Etherwalk]

Duh, 4B or 1.6k$ anyway, peanuts compared to patient data, but the hackers better hope they are never caught, for that little money its an awful lot of prison time

Forget prison time, they're not going to ever be able to get particularly good medical care.

Re:

[oic0]

Lord knows they charge everyone who walks in the door that much just to breathe their air.