back to article Lanarkshire NHS infection named as Bitpaymer variant

The ransomware that infected computers at the UK National Health Service's Lanarkshire outpost, causing an outage that lasted most of last weekend, has been tagged as a ransomware that demanded 53 Bitcoin for files to be decrypted. There's no evidence that the NHS district paid up, which isn't surprising because at current …

  1. Anonymous Coward
    Anonymous Coward

    I'm curious

    ,,,,what phone system?

    The only one I could think that could be badly affected by this is 3CX. Unless they are using soft-phones on Windows PC's.

    1. Phil W

      Re: I'm curious

      Lync/Skype for Business perhaps?

      There are also a variety of Windows SIP servers that could probably be used with generic SIP handsets.

      It could also be that this was a Hyper-V or other Windows based virtualisation host that was hit, and the phone system that was hit was in a VM which opens up a whole host of other possibilities as well.

    2. big_D Silver badge

      Re: I'm curious

      Swyx, Innovaphone Unify and many others.

      Many new VOIP exchanges are software based and run on Windows or Linux servers, so you could cripple them.

      Likewise softclients could also be disabled, if their configuration files, for example, were affected.

      1. Captain Scarlet Silver badge

        Re: I'm curious

        Really really old versions of Cisco Unified Messaging (Like 4.0 which ran on Windows 2000 for Call Manager, Unity, etc...)

  2. Anonymous Coward
    Anonymous Coward

    Limited impact?

    As a user of NHS Lanarkshire, it sure didn't feel like the limited impact that's being reported. Many local GP surgeries hard down from Friday until Tuesday. Lost results, cancelled appointments, confusion and delays.

    1. Anonymous Coward
      Anonymous Coward

      Re: Limited impact?

      "Lost results, cancelled appointments, confusion and delays."

      Business as usual, in other words?

  3. Anonymous Coward
    Anonymous Coward

    Brute force RDP access?

    Bad enough that malware was injected, but have the black hats had network access too? That's scary.

    1. David Roberts
      Paris Hilton

      Re: Brute force RDP access?

      Speaking from a position of ignorance, isn't the whole point of RDP that you are remote?

      I assume that Citrix clients have a similar distributed architecture so Citrix endpoints would also be visible.

      Does this mean that RDP should only be used from within a VPN?

      Oh, and by Microsoft Helpdesk scammers, of course.

      1. big_D Silver badge

        Re: Brute force RDP access?

        Yes, you should use a VPN or similar service to tunnel the connection.

        Opening RDP, Citrix etc. directly is a bad idea in general. The RDP is certainly only really designed for internal access (remote administration or terminal services), it isn't very robust, when it comes to being put on the Internet - plus your security is only username and password, adding a security layer around it is always a sensible idea.

    2. Halfmad Silver badge

      Re: Brute force RDP access?

      Unlikely, they are behind PSN/N3 unless they have an external address for some reason.

  4. Doctor Syntax Silver badge

    RDP

    Remote Desktop Disaster Protocol.

  5. DaveMcK

    Maybe RDP maybe not

    After translation of the page it doesn't say that this attack was performed via RDP more that this is a common vector (And from experience I've seen more than a few of these attacks via RDP). The article does mention other vectors - such as email attacks etc.

    Saying that if RDP is open directly to the internet it is simply a matter of time.

    Either VPN or at least setting up terminal services gateway services so the connection is over https and far harder to brute force.

    RDP open to the internet is simply a disaster waiting to happen, you may as well stick the server out on the street with a sign saying "free" on it.

  6. John Smith 19 Gold badge
    Unhappy

    I'd always thought RDP was for internal network access use only.

    Apparently not.

    Also apparently not very secure when used without going through a VPN link.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019