Hospital servers in crosshairs of new ransomware strain

Security types are warning hospitals to stay on alert for a "widespread campaign" targeting vulnerable servers with new strains of ransomware. The SamSam ransomware variant targets vulnerable servers with criminals breaking into networks and infecting as many systems as they can access. Cisco's Talos threat man Nick Biasini …

  1. redpawn

    Ransom

    Let's not make paying ransom illegal. Advise victims to pay double the asking price and maybe ransomware will go away for good.

    1. Anonymous Coward

      Re: Ransom

      Hi redpawn, I'm stupid so would like some clarification from you please.

      Did the article suggest making paying a ransom illegal?

      How will paying double make ransomware go away?

      All the best, Keef.

      1. redpawn

        Re: Ransom

        Do you get it? As long as it is permitted to...

        1. Pascal Monett Silver badge

          It is not "permitted" to. It is technically capable of.

          Bullying is not permitted either, but you have to catch the bully in the act before you can make it stop.

          Here, it's the catching that is extremely difficult, thus the ability of the software to get away with it.

          But it is not permitted. Not by any stretch of the imagination.

    2. Anonymous Coward

      Re: Ransom

      Let's not make paying ransom illegal. Advise victims to pay double the asking price and maybe ransomware will go away for good.

      I don't know when you crawled out of your egg but you clearly haven't been around long, or you ARE one of these criminals.

      You have someone here who infects systems FOCUSED on healthcare, so they are deliberately aiming at harming ill people when they don't get paid, and you somehow have the naïve expectation that they will go away after being rewarded for this crime, even doubly so? All you would have done is give them a hint they've been pricing it too low.

      Secondly, it is naïve to assume they have control over this malware. This is spread wide to get as many hits and to prevent identifying who is behind it, so it is quite possible that an operation with less than stellar security practices (or untrained staff) will get re-infected.

      No, ransomware is here to stay. It's too good money for very little effort, and there are enough money transfer mechanisms to launder the income and hide the perpetrators.

      1. John 104

        Re: Ransom

        @AC, et al.

        You guys are so gullible. Or should I say Trollable?

  2. Anonymous Coward
    Linux

    New strain of ransomware targeting servers?

    Aren't we forgetting something, like the name of the Operating System required for this malware to successfully operate.

    1. Pascal Monett Silver badge
      Trollface

      Because you think it's some obscure version of the Amiga OS ?

      Come on, we all know what platform it gets in on.

      And if you really have a doubt, the article specifically mentions Active Directory. I don't think they have that on Linux servers.

      1. stungebag

        Pascal Monett said "Because you think it's some obscure version of the Amiga OS ?

        Come on, we all know what platform it gets in on.

        And if you really have a doubt, the article specifically mentions Active Directory. I don't think they have that on Linux servers."

        The article says it targets JBoss application servers using stolen credentials. The mention of Active Directory was in the context of there also being reports of attackers running csvde, which is a simple command-line tool on Windows that exports the AD. You already need to have got in to use csvde, and it won't tell you any passwords.

    2. Anonymous Coward

      Re: New strain of ransomware targeting servers?

      "Aren't we forgetting something, like the name of the Operating System required for this malware to successfully operate."

      It says that it's attacking JBoss application servers - which as a Red Hat product - usually runs on Red Hat Linux boxes.

      (As a rough rule of thumb - if an exploit requires user interaction - it's usually a Windows exploit - if it doesn't need user interaction - it's often Linux / OSS based.)

      "The article says it targets JBoss application servers using stolen credentials."

      Nope, it says JBoss application servers are being targeted using the JexBoss security testing tool.

      1. webhead

        Re: New strain of ransomware targeting servers?

        JBoss runs on a few different OSes and in this case, it is a vulnerability when the server is neglected enough (not patched). Then the attacker uses various methods to get sufficient domain admin credentials to move laterally, and deploy the malware.

    3. ecofeco Silver badge

      Re: New strain of ransomware targeting servers?

      Good question Walter.

  3. Mark 85

    It seems like most of these don't infect you if you have the Russian keyboard set... I wonder if a script could run in the background and fool the malware? Just musing out loud... but hey, if someone can pull that off, they'll be right up there in hero worship like the GWX developer... a god amongst us mere mortals.

    1. Intractable Potsherd

      That was going through my mind when I read it. I'm not a techie, though, so don't know the feasibility.

  4. Nigel 11

    Countermeasures needed

    It would of course be illegal, but here's a nice fantasy.

    Malware scammer wakes up in a white room. His lower body hurts. Pulling back the bedclothes he notices a pair of new surgical wounds with neat stitches. His eyes focus on the brightly coloured screen opposite. "Warning. Your kidneys have been impounded. To regain access, please use the terminal to pay us BTC 10000. Should you leave this room, it is likely that cessation of life will follow within 48 hours, and that two people awaiting transplants will be made very happy by your unwise decision."

  5. Anonymous Coward

    I'm not sure but I think the focus of this is sensationalism. Healthcare? Surely these scum would go after any server that they can hack rather than hack servers specifically because they are healthcare, they would class healthcare a bonus due to the high probability of payment.

    When they catch these people the fines and jail time should be proportionate to the crime which in this case could be construed as attempted murder.

    1. Nigel 11

      which in this case could be construed as attempted murder.

      Only "attempted"?

      It is virtually certain that people are dead because of these scum. Proving it would be hard, but doctors make life and death decisions every day, and being unable to access some vital piece of data about a critically ill person is almost certain to have tipped the balance away from the decision that would have given him the best chance of survival.

      Only the fallibility of human justice holds me back from suggesting that ransomware scammers should be treated as organ banks when convicted. Certainly they should be ranked well below honest hit-men and only marginally above IS suicide bombers.

      Sadly, it will take some huge infrastructure failure consequential on ransomware, like a mid-air collision between jumbo jets or another Fukushima, before this is realized.

    2. Sir Sham Cad

      Re: because they are healthcare

      No, Healthcare is being *specifically* targeted precisely because of the important nature of the data.

      I wouldn't bet on the high probability of payment, either because the criminal fuckbags behind these scams don't understand the NHS. How exactly the fuck do they expect an NHS organisation to procure Bitcoin? There is no mechanism to do so. At all.

    3. Reallydo Wannaknow

      Why healthcare?

      Because there are a LOT of embedded systems in hospital equipment. A lot of it can't be reliably updated/patched, either. So, you have a large number of soft targets.

      Because it IS a healthcare system, so it is critical for vulnerable, sick humans that the system remain "healthy" (sorry, couldn't resist the pun). They can't faff around for a few days, trying this or that, seeing if they can clear things up. While those systems aren't functional, people are dying. Thus, you have a target that will be quite anxious to pay up fast.

      Because there are a LOT of hospitals, medical sites, etc.

      So, lots of soft targets. A critical need to eliminate the problem, stat. Lots of businesses in the same boat.

      1. Doctor Syntax Silver badge

        Re: Why healthcare?

        "Because there are a LOT of embedded systems in hospital equipment. A lot of it can't be reliably updated/patched, either. So, you have a large number of soft targets."

        But you can start segmenting the networks so Janice-in-accounts is 2 or 3 hops away from anything embedded that's even mildly critical.

  6. AndrewDu

    Hospital servers?

    God help us all; I have never in all my life worked in a place so badly organised and incompetently managed, from an IT perspective, as the NHS. There is no chance whatever of any sensible precautions or responses.

    Perhaps the scammers know this, and that is why they've picked on this target particularly: a much higher chance of success for them.

    1. Anonymous Coward

      I've also worked in the NHS as 2nd line tech (5 years different contracts). I have never seen such disorganisation. Top heavy with managers who only think in Prince2 this or Agile that. Ironically, they are never able to adapt to the environment.

      Nothing ever gets done and techs have to spend their entire time fire fighting. I promised myself when I left, I'd never return. I simply can't put myself through it again.

      It's no surprise they are being targeted though, such an easy catch. I reckon I could still get into my NHS systems even though I've not been with them for a couple of years.

      These guys are scum though, and it WILL affect patient care. A&E in particular where clinicians have to be on the ball and every second can count.

      Maybe, just maybe, It will wake up the people at the top and give the incentive to make better more robust systems. Or at least update the current ones. I doubt it though.

      I feel sorry for the poor clinical staff that will have to deal with this.

  7. Sam Haine

    US or UK phenomenon?

    Is this a UK or just a US phenomenon? The press release, sorry, story doesn't make it clear.

    1. Anonymous Coward

      Re: US or UK phenomenon?

      It's mostly US as in the UK we have PSN/SWAN, NHSMail etc which add in a layer (of several) of protection to begin with. The situation is different across the UK but in general the NHS anyway does get ransomware attacks but few are successful and as far as I'm aware no ransom is ever paid as backups are available anyway.

      Oddly enough there's been a few FOIs in recently about this...

    2. Sir Sham Cad

      Re: US or UK phenomenon?

      It started out really 2014/2015 in the US according to security labs wonks that I've spoken to (and pretty pictures I've seen) but spread to the UK back end of last year.

      It's now part of the everyday IT landscape where I am and looks to be the new normal.

  8. hazzamon

    Remember the three Bs...

    ...backups, backups, backups.

    1. Halfmad

      Re: Remember the three Bs...

      and not only network held backups.. tape has its uses!

    2. Harrapino

      Re: Remember the three Bs...

      You need to test those backups!!!! :)

  9. James Wheeler

    Hospital attacks in US

    MedStar Health, a hospital chain in the Washington area, appears to be the latest victim. Washington Post story (link below) describes the situation. The writing is technically illiterate, alas, and the headline is misleading.

    https://www.washingtonpost.com/local/virus-infects-medstar-health-systems-computers-hospital-officials-say/2016/03/28/480f7d66-f515-11e5-a3ce-f06b5ba21f33_story.html

    1. Anonymous Coward

      Re: Hospital attacks in US

      We're not a hospital - just a company working in the healthcare world in the US. Looking at our mail server logs it seems that messages with .js crypto locker attachments have increased by about 4000% in the last three days.
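Turning that kind of observation into a repeatable check, as an added example (not the commenter's code and not tied to any real MTA): it counts script-type attachments per day in a constructed, simplified mail-log format and reports how the most recent three days compare with the preceding week.

```python
import re
from datetime import date, timedelta
from collections import Counter

# Constructed log format for this example: "<ISO date> <msgid> attach=<filename>",
# one line per attachment. Real MTA logs need a format-specific parser instead.
LOG_LINES = """
2016-03-20 m001 attach=report.pdf
2016-03-20 m002 attach=invoice.js
2016-03-21 m003 attach=scan.docx
2016-03-22 m004 attach=notes.txt
2016-03-23 m005 attach=invoice_0423.js
2016-03-24 m006 attach=photo.jpg
2016-03-26 m007 attach=invoice.js
2016-03-26 m008 attach=DOC_2016.js
2016-03-26 m009 attach=payment.JS
2016-03-27 m010 attach=scan.js
2016-03-27 m011 attach=overdue.js
2016-03-28 m012 attach=remittance.js
2016-03-28 m013 attach=summary.xlsx
""".strip().splitlines()

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) attach=(\S+)$")
# Script extensions used as mail-borne droppers; the thread mentions .js
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs"}

def script_attachments_per_day(lines):
    """Count attachments with a script extension, keyed by ISO date string."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the monitor
        day, _msgid, filename = m.groups()
        ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
        if ext in SCRIPT_EXTS:
            counts[day] += 1
    return counts

def spike_ratio(counts, end_day, recent_days=3, baseline_days=7):
    """Average daily count over the last `recent_days` (ending on end_day, inclusive)
    divided by the average over the `baseline_days` before that window.
    Days absent from the log count as zero; returns None if the baseline is empty."""
    end = date.fromisoformat(end_day)
    recent = [counts.get((end - timedelta(d)).isoformat(), 0) for d in range(recent_days)]
    base = [counts.get((end - timedelta(recent_days + d)).isoformat(), 0)
            for d in range(baseline_days)]
    base_avg = sum(base) / baseline_days
    return None if base_avg == 0 else (sum(recent) / recent_days) / base_avg
```

A ratio of 7.0 means the last three days averaged seven times the baseline rate, i.e. a 600% increase; an alert threshold and the baseline length are site-specific choices.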

  10. ma1010
    Flame

    Balance of Trade needed here?

    Apparently the vast majority of these ransomware attacks seem to come from Russia. I could be wrong about that, although the variant discussed in the article avoids Russian keyboards, and the author speculates, quite reasonably, that it might be to avoid local law enforcement. If Russians are the main actors here, we need to do something to balance out the flow of goods and services.

    I propose that DARPA, GCHQ or some other appropriate government agency (or agencies) encourage Western hackers to write and deploy locker software that attacks ONLY computers that ARE Russian. Maybe even pass laws specifically exempting citizens who launch computer attacks against Russia. It's a bit of reciprocity, you see. After Russia complains, we can tell them "We have a proposition for you. We'll stop our people from doing this to your country if you work with us on stopping YOUR bad boys and girls doing it to our country."

    Might be a way to get some international cooperation, for the first time, in stopping the ransomware plague. Something certainly needs to be done about stopping it, and AFAIK, bugger all has been done so far. Wherever in the world these scum live, they need to be tracked down and jailed.

    1. Doctor Syntax Silver badge

      Re: Balance of Trade needed here?

      "I propose that DARPA, GCHQ or some other appropriate government agency (or agencies) encourage Western hackers to write and deploy locker software that attacks ONLY computers that ARE Russian."

      An alternative. Stop routing traffic to or from Russia one hour a day this month. Next month two hours a day. The month after one day a week...

  11. ecofeco Silver badge

    They're HIPAA to you!

    All those rules and regulations and yet they are getting owned.

    I would not want to be the one answering to both the shareholders AND the Feds.

  12. Anonymous Coward

    I could get nurses for that

    I have to agree with the other ACs from the NHS. I got brought in specifically to look at network security, and even though I was proposing the cheapest I could find to do what it needed to and a couple of added network boundaries, I was told, it hasn't happened so why would we spend £x on it, we could get y nurses for that.

  13. This post has been deleted by its author

    1. webhead

      Re: Dear elRegitor commentators

      The article does say JBoss vulnerability. It's not OS specific.

      If the servers are not maintained and public facing, then expect to be breached sooner than later.

  14. Anonymous Coward
    Facepalm

    Hancock Health infected by 'computer' malware

    What was the name of the ransomware and what was the method of infection?

    Ransomware-SAMAS
