back to article Hospital servers in crosshairs of new ransomware strain

Security types are warning hospitals to stay on alert for a "widespread campaign" targeting vulnerable servers with new strains of ransomware. The SamSam ransomware variant targets vulnerable servers with criminals breaking into networks and infecting as many systems as they can access. Cisco's Talos threat man Nick Biasini …

  1. redpawn Silver badge

    Ransom

    Let's not make paying ransom illegal. Advise victims to pay double the asking price and maybe ransomware will go away for good.

    1. Keef

      Re: Ransom

      Hi redpawn, I'm stupid so would like some clarification from you please.

      Did the article suggest making paying a ransom illegal?

      How will paying double make ransomware go away?

      All the best, Keef.

      1. redpawn Silver badge

        Re: Ransom

        Do you get it? As long as it is permitted to...

        1. Pascal Monett Silver badge

          It is not "permitted" to. It is technically capable of.

          Bullying is not permitted either, but you have to catch the bully in the act before you can make it stop.

          Here, it's the catching that is extremely difficult, thus the ability of the software to get away with it.

          But it is not permitted. Not by any stretch of the imagination.

    2. Anonymous Coward
      Anonymous Coward

      Re: Ransom

      Let's not make paying ransom illegal. Advise victims to pay double the asking price and maybe ransomware will go away for good.

      I don't know when you crawled out of you egg but you clearly haven't been around long, or you ARE one of these criminals.

      You have someone here who infects a systems FOCUSED on healthcare, so they are deliberately aiming at harming ill people when they don't get paid, and you somehow have the naïve expectation that they will go away after been rewarded for this crime, even doubly so? All you would have done is give them a hint they've been pricing it too low.

      Secondly, it is naïve to assume they have control over this malware. This is spread wide to get as many hits and to prevent identifying who is behind it, so it is quite possible that an operation which with less than stellar security practices (or untrained staff) will get re-infected.

      No, ransomware is here to stay. It's too good money for very little effort, and there are enough money transfer mechanisms to launder the income and hide the perpetrators.

      1. John 104

        Re: Ransom

        @AC, et. all.

        You guys are so gullible. Or should I say Trollable?

  2. Walter Bishop Silver badge
    Linux

    New strain of ransomware targeting servers?

    Aren't we forgeting something, like the name of the Operating System required for this malware to sucessfully operate.

    1. Pascal Monett Silver badge
      Trollface

      Because you think it's some obscure version of the Amiga OS ?

      Come on, we all know what platform it gets in on.

      And if you really have a doubt, the article specifically mentions Active Directory. I don't think they have that on Linux servers.

      1. stungebag

        Pascal Monett said "Because you think it's some obscure version of the Amiga OS ?

        Come on, we all know what platform it gets in on.

        And if you really have a doubt, the article specifically mentions Active Directory. I don't think they have that on Linux servers."

        The article says it targets JBoss application servers using stolen credentials. The mention of Active Directory was in the context of there also being reports of attackers running csvde, which is a simple command-line tool on Windows that exports the AD. You already need to have got in to use csvde, and it won't tell you any passwords.

    2. Anonymous Coward
      Anonymous Coward

      Re: New strain of ransomware targeting servers?

      "Aren't we forgeting something, like the name of the Operating System required for this malware to sucessfully operate."

      It says that it's attacking JBoss application servers - which as a Red Hat product - usually runs on Red Hat Linux boxes.

      (As a rough rule of thumb - if an exploit requires user interaction - it's usually a Windows exploit - if it doesn't need user interaction - it's often Linux / OSS based.)

      "The article says it targets JBoss application servers using stolen credentials."

      Nope, it says Jboss application servers are being targeted using the JexBoss security testing tool.

      1. webhead

        Re: New strain of ransomware targeting servers?

        Jboss runs on a few different os and in this case, it is a vulnerability when the server is neglected enough (not patched). Then the attacker uses various methods to get sufficient domain admin credentials to move lateraly, and deploy the malware .

    3. ecofeco Silver badge

      Re: New strain of ransomware targeting servers?

      Good question Walter.

  3. Mark 85 Silver badge

    It seems like most of these don't infect you if have the Russian keyboard set... I wonder if a script could run the background and fool the malware? Just musing out loud... but hey, if someone can pull that off, they'll be right up there in hero worship like the GWX developer... a god amongst us mere mortals.

    1. Intractable Potsherd Silver badge

      That was going through my mind when I read it. I'm not a techie, though, so don't know the feasibility.

  4. Nigel 11

    Countermeasures needed

    It would of course be illegal, but here's a nice fantasy.

    Malware scammer wakes up in a white room. His lower body hurts. Pulling back the bedclothes he notices a pair of new surgical wounds with neat stitches. His eyes focus on the brightly coloured screen opposite. "Warning. Your kidneys have been impounded. To regain access, please use the terminal to pay us BTC 10000. Should you leave this room, it is likely that cessation of life will follow within 48 hours, and that two people awaiting transplants will be made very happy by your unwise decision."

  5. Anonymous Coward
    Anonymous Coward

    I'm not sure but I think the focus of this is sensationalism. Healthcare? Surely these scum would go after any server that they can hack rather than hack servers specifically because they are healthcare, they would class healthcare a bonus due to the high probability of payment.

    When they catch these people the fines and jail time should be proportionate to the crime which in this case could be construed as attempted murder.

    1. Nigel 11

      which in this case could be construed as attempted murder.

      Only "attempted"?

      It is virtually certain that people are dead because of these scum. Proving it would be hard, but doctors make life and death decisions every day, and being unable to access some vital piece of data about a critically ill person is almost certain to have tipped the balance away from the decision that would have given him the best chance of survival.

      Only the fallability of human justice holds me back from suggesting that ransomware scammers should be treated as organ banks when convicted. Certainly they should be ranked well below honest hit-men and only marginally above IS suicide bombers.

      Sadly, it will take some huge infrastructure failure consequential on ransomware, like a mid-air collision between jumbo jets or another Fukushima, before this is realized.

    2. Sir Sham Cad

      Re: because they are healthcare

      No, Healthcare is being *specifically* targeted precisely because of the important nature of the data.

      I wouldn't bet on the high probability of payment, either because the criminal fuckbags behind these scams don't understand the NHS. How exactly the fuck do they expect an NHS organisation to procure Bitcoin? There is no mechanism to do so. At all.

    3. Reallydo Wannaknow

      Why healthcare?

      Because there are a LOT of embedded systems in hospital equipment. A lot of it can't be reliably updated/patched, either. So, you have a large number of soft targets.

      Because it IS a healthcare system, so it is critical for vulnerable, sick humans that the system remain "healthy" (sorry, couldn't resist the pun). They can't faff around for a few days, trying this or that, seeing if they can clear things up. While those systems aren't functional, people are dying. Thus, you have a target that will be quite anxious to pay up fast.

      Because there are a LOT of hospitals, medical sites, etc.

      So, lots of soft targets. A critical need to eliminate the problem, stat. Lots of businesses in the same boat.

      1. Doctor Syntax Silver badge

        Re: Why healthcare?

        "Because there are a LOT of embedded systems in hospital equipment. A lot of it can't be reliably updated/patched, either. So, you have a large number of soft targets."

        But you can start segmenting the networks so Janice-in-accounts is 2 or 3 hops away from anything embedded that's even mildly critical.

  6. AndrewDu

    Hospital servers?

    God help us all; I have never in all my life worked in a place so badly organised and incompetently managed, from an IT perspective, as the NHS. There is no chance whatever of any sensible precautions or responses.

    Perhaps the scammers know this, and that is why they've picked on this target particularly: a much higher chance of success for them.

    1. Anonymous Coward
      Anonymous Coward

      I've also worked in the NHS as 2nd line tech (5 years different contracts). I have never seen such disorganisation. Top heavy with managers who only think in Prince2 this or Agile that. Ironically, they are never able to adapt to the environment.

      Nothing ever gets done and techs have to spend their entire time fire fighting. I promised myself when I left, I'd never return. I simply can't put myself though it again.

      It's no surprise they are being targeted though, such an easy catch. I reckon I could still get into my NHS systems even though I've not been with them for a couple of years.

      These guys are scum though, and it WILL affect patient care. A&E in particular where clinicians have to be on the ball and every second can count.

      Maybe, just maybe, It will wake up the people at the top and give the incentive to make better more robust systems. Or at least update the current ones. I doubt it though.

      I feel sorry for the poor clinical staff that will have to deal with this.

  7. Sam Haine

    US or UK phenomenon?

    Is this a UK or just a US phenomenon? The press release, sorry, story doesn't make it clear.

    1. Anonymous Coward
      Anonymous Coward

      Re: US or UK phenomenon?

      It's mostly US as in the UK we have PSN/SWAN, NHSMail etc which add in a layer (of several) of protection to begin with. The situation is different across the UK but in general the NHS anyway does get ransomware attacks but few are successful and as far as I'm aware no ransom is ever paid as backups are available anyway.

      Oddly enough there's been a few FOIs in recently about this..

    2. Sir Sham Cad

      Re: US or UK phenomenon?

      It started out really 2014/2015 in the US according to security labs wonks that I've spoken to (and pretty pictures I've seen) but spread to the UK back end of last year.

      It's now part of the everyday IT landscape where I am and looks to be the new normal.

  8. hazzamon

    Remember the three Bs...

    ...backups, backups, backups.

    1. Halfmad

      Re: Remember the three Bs...

      and not only network held backups.. tape has it's uses!

    2. Harrapino

      Re: Remember the three Bs...

      You need to test those backups!!!! :)

  9. James Wheeler

    Hospital attacks in US

    MedStar Health, a hospital chain in the Washington area, appears to be the latest victim. Washington Post story (link below) describes the situation. The writing is technically illiterate, alas, and the headline is misleading.

    https://www.washingtonpost.com/local/virus-infects-medstar-health-systems-computers-hospital-officials-say/2016/03/28/480f7d66-f515-11e5-a3ce-f06b5ba21f33_story.html

    1. Anonymous Coward
      Anonymous Coward

      Re: Hospital attacks in US

      We're not a hospital - just a company working in the healthcare world in the US. Looking at our mail server logs it seems that messages with .js crypto locker attachments have increased by about 4000% in the last three days.

  10. ma1010 Silver badge
    Flame

    Balance of Trade needed here?

    Apparently the vast majority of these ransomware attacks seem to come from Russia. I could be wrong about that, although the variant discussed in the article avoids Russian keyboards, and the author speculates, quite reasonably, that it might be to avoid local law enforcement. If Russians are the main actors here, we need to do something to balance out the flow of good and services.

    I propose that DARPA, GCHQ or some other appropriate government agency (or agencies) encourage Western hackers to write and deploy locker software that attacks ONLY computers that ARE Russian. Maybe even pass laws specifically exempting citizens who launch computer attacks against Russia. It's a bit of reciprocity, you see. After Russia complains, we can tell them "We have a proposition for you. We'll stop our people from doing this to your country if you work with us on stopping YOUR bad boys and girls doing it to our country."

    Might be a way to get some international cooperation, for the first time, in stopping the ransomware plague. Something certainly needs to be done about stopping it, and AFAIK, bugger all has been done so far. Wherever in the world these scum live, they need to be tracked down and jailed.

    1. Doctor Syntax Silver badge

      Re: Balance of Trade needed here?

      "I propose that DARPA, GCHQ or some other appropriate government agency (or agencies) encourage Western hackers to write and deploy locker software that attacks ONLY computers that ARE Russian."

      An alternative. Stop routing traffic to or from Russia one hour a day this month. Next month two hours a day. The month after one day a week...

  11. ecofeco Silver badge

    They're HIPPA to you!

    All those rules and regulations and yet they are getting owned.

    I would not want to the one answering to both the shareholders AND the Feds.

  12. Anonymous Coward
    Anonymous Coward

    I could get nurses for that

    I have to agree with the other ACs from the NHS, I got brought in specifically to look at network security, and even though i was proposing the cheapest i coud find to do what it needed to and a couple of added network boundaries, i was told, it hasnt happend so why whould we spend £x on it we coud get y nurses for that.

  13. This post has been deleted by its author

    1. webhead

      Re: Dear elRegitor commentators

      The article does say jboss vulnerability. It's not os specfic.

      If the servers are not maintained and public facing, then expect to be breached sooner than later.

  14. Walter Bishop Silver badge
    Facepalm

    Hancock Health infected by 'computer' malware

    What was the name of the ransomware and what was the method of infection?

    Ransomware-SAMAS

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019