Ransomware scum infect Tinseltown hospital, demand $3.6m

Ransomware scum have crippled a Hollywood hospital, bringing critical machines to a crashing halt and demanding US$3.6 million ransom. Hollywood Presbyterian Medical Center declared an emergency as machines critical to CT scans, laboratory, and pharmacy work went offline over the last week, pushing staff back to pen and paper …

  1. ashdav

    Bastards

    Title says it all.

    (Although why critical equipment is accessible from the internet God only knows)

    1. Roq D. Kasba

      Re: Bastards

      Title does say it all

      Although I suspect the affected systems are the infrastructure surrounding the facilities rather than the facilities themselves

    2. lansalot

      Re: Bastards

      Targeted attack, spear phishing. Equipment doesn't need to be available from the internet for that. Also, if cryptowall, then it's files and network shares. Which would pretty much be guaranteed to be internal, behind any firewall. These things don't go out looking for open file shares on the internet to infect.

    3. RogerT

      Re: Bastards

      It means that if someone attends A&E away from their local hospitals essential records can be easily transferred.

    4. WatAWorld

      Re: Bastards

      (Although why critical equipment is accessible from the internet God only knows)

      That is a little like saying, "It is the bank's fault for being robbed, they have a front door onto main street."

      Or perhaps, "It is your own fault your car got keyed, you parked it in a parking lot."

      However, yeah, our industry is so morally bankrupt you do have a point. Even personal injury lawyers, the world's second lowest life forms, don't shove innocent victims under buses the way some in our industry do.

  2. cantankerous swineherd

    slow death of the internet proceeds.

  3. Steven Roper

    And when they find them

    I hope they do it in a country that permits public executions, because that's what these maggots deserve. If a case could ever be made for extraordinary rendition, this is a prime example.

    Then we start doing it every time we catch one of these sociopathic fuckwads. Anyone with the kind of mentality to do this has nothing of value to contribute to civilisation. They are parasitic vermin, and they should be exterminated, like vermin.

    1. Anonymous Coward

      Re: And when they find them

      I disagree with these,

      Public executions are used in states to control the people, i.e. Sharia law.

      Rendition is used by states to obtain targets without any due process of law.

      I do agree that they have no contribution to society.

      I disagree they should be exterminated like vermin as that sounds a bit like genocide and last time I checked we were above animals in our thinking.

      Which would you fear more? A life in prison with no chance of release, 23 hour lockup with no privileges, or a quick painless death? Which would others fear after?

      Lock a few up and see what happens over time.

      Final point, you are assuming that when caught that we live in a world where there are zero miscarriages of justice, this is not the case so if you give someone the death penalty and they are later found innocent you have committed murder.

      1. Anonymous Coward

        Re: And when they find them

        I strongly disagree.

        A prison sentence is a punishment for committing a violation against a society's laws, the idea being the perpetrator being duly punished will gain insight into his/her malversations. It is a way of society saying 'we can not accept this kind of behaviour because it will destabilize our society'. It is why some societies call them 'correctional' punishments, and the places of incarceration 'correctional facilities'. The fact that they don't exactly work is neither here nor there.

        An execution is a way for a society to remove elements it deems unable to be rehabilitated into said society, in other words where the perpetrator is going to be a continued, unrepairable danger to society.

        Neither sentence is supposed to be used for a society to 'take revenge' upon a 'criminal element'. The law is never about revenge. It is about rules that can make a society function.

        I find it very hard to believe that people who obviously have access to global information technology - they seem to be quite effective at spreading malware - do not know or suspect the moral and material implications of sabotaging hospitals or, indeed, any service (think water, electricity) on which a modern society depends to function. I would put it to you they are fully aware of the criticality of the service, as demonstrated by the amount of money they are trying to extort.

        I therefore submit to you that these individuals and organizations, being fully aware of the havoc they are wreaking and their reasons for doing so, are to be considered such a danger to society upon re-entry after a custodial sentence, and are as such indeed candidates for execution if the laws of the country in which they are deemed culpable of these actions allow for this kind of sentence.

        I rest my case.

        A sentence - capital or otherwise - is never about a society taking revenge upon a perpetrator.

        1. annodomini2

          Re: And when they find them

          Peter R. 1, the major flaw in your argument is who and what determines "danger to society".

          Laws are easily changed, whereas polarising punishments are not so easily introduced or re-introduced.

          There's a very fine line between protecting "society" and protecting the authority of those in power.

          Removing the death penalty is a very effective means for a democratic society to have measures and checks on those in authority.

          I'm not saying there aren't political prisoners in any system, but removing the death penalty prevents them from being removed completely.

        2. Steven Roper

          Re: And when they find them

          Peter R. 1 is spot on.

          Normally I am adamantly opposed to the death penalty. In many cases people do make mistakes and they should be able to learn from those mistakes, make restitution, and resume their place as part of the human race.

          This, however, is not a mistake. It is a calculated, deliberate act of malice conducted purely for personal gain, without regard to the lives of other human beings, by sociopaths with no concern for anyone other than themselves. Were you to ask those ransomware vermin how they felt about the little girl who died of cancer so they could be rich, they'd shrug and say, "C'est la vie."

          That's not a creature I am prepared to share this planet with. I don't just say that out of outrage. Anyone who seeks to sacrifice others' lives purely to increase their personal wealth is a threat not only to those whose lives they destroy, but to all of us. You cannot appeal to someone who behaves like this. Doing so only gives them a further sense of empowerment at your suffering.

          Killing them publicly sends a message to like-minded sociopaths that their own precious skins are at stake if they are willing to sacrifice ours. It sends the message that we are as prepared to kill to defend ourselves as they are to kill for wealth. And by making the deaths public, we rip away the shroud of secrecy that surrounds the death penalty and robs it of its impact, and confront these sociopaths head-on with the stark reality of the consequences of their choices.

          1. Anonymous Coward

            Re: And when they find them

            While I agree with your opinion of these people, the point still stands that if someone else were caught, framed, tried and executed, the real perpetrators are hardly likely to hand themselves in to stop someone innocent being executed.

            The best justice system in the world isn't going to stop miscarriages of justice from happening. While the chances of this happening are potentially slim, think how you would feel if you were the one standing with a rope round your neck, knowing you were entirely innocent.

      2. Patrician

        Re: And when they find them

        I count interfering with hospital equipment as attempted murder and should be punishable by the death penalty if it exists in that country, or 99 years in prison with no chance of parole if not.

    2. Richard Jones 1

      Re: And when they find them

      Sadly they are very likely in Russia where Poo-tin would protect them anyway because they are Russians. Given he is now bombing hospitals and considering it not to be a war crime I doubt that extortion from hospitals would even raise a smile from him.

      In short the chances of meaningful revenge are very slight, though I do agree with the concept of long, no make that very long slow painful incarceration for the scum bags.

  4. Anonymous Coward

    Three words, Air F**king Gap. It's hospital systems ffs, this doesn't bode well for power/nuclear/traffic or anything else that can and will be messed about with.

    We need to stop this "if it can be connected to the internet then let's connect it"; we need to change the mentality so that the data, if it needs to go to the internet, goes through a separate network just hosting the data. It's lazy cheap development that allows this to happen. The internet is no longer a way of connecting stuff together unless you have rock solid security. (which is not possible because no matter what there will always be new vulns)

    Though these people are the lowest of the low, the only saving grace is that they didn't use their hack to directly (yes I know they did indirectly) put people's lives in danger, which with said access would be trivial. What if the next ones to gain access are sociopathic script kiddies or a group pissed off with someone?

    1. a_yank_lurker

      @AC - Sloppy security is only part of the problem. Other factors are the computer illiteracy of the ferals in general and the FDA in particular, combined with the FDA fondness for overly complex regulations. Software and hardware must be approved and the approval process veers over to the inane, resulting in many devices having to use XP or older because the FDA has not certified a software update/upgrade without costing the GDP of a midsize European country.

      1. Tom 13

        Air gaps didn't help the Iranians protect their nuclear facilities from Stuxnet.

        Sadly that pox is now out of the box and the malware miscreants will use it.

    2. Phil Kingston

      Air-gapping kit is great for protection. Of that kit. But in a hospital environment where, for example, lab test results may need to be quickly gotten from the lab to medical staff, it's not going to fly.

      What's probably more of an issue is that, understandably, decent IT always comes second in a care environment. However, I expect there'll be a rejigging of budget priorities at this hospital and perhaps some better network segregation.

      1. BebopWeBop

        Umm - it's not called an Intranet for nothing.

      2. Robert Helpmann??

        Air F**king Gap

        ...decent IT always comes second in a care environment.

        Not even second. It takes a back seat to more than one effort (basic care, patient confidentiality, et cetera) even though it should be an integral part of the process. The biggest issue I would imagine hospital administrators see is that of liability (sad but true in my opinion). With any luck, this will be the wake-up call that encourages changes in many similar environments. If not this, then we will eventually see a story involving patients' implants and life support systems being hacked resulting in loss of life.

        1. Tom 13

          Re: Air F**king Gap

          Seems to me a smart IT manager would make the case that strong IT security is PART of ensuring patient confidentiality. You sure as hell aren't keeping your patient records confidential if somebody you don't know in Scamiganistovia pwns your network.

  5. ecofeco

    Raspberries all around

    The ransomware assholes and the hospital both deserve it.

    1. Gene Cash

      Re: Raspberries all around

      No kidding. I've found doctors to be exceedingly critical of any sort of security, even as simple as a 4 digit unlock code, and they demand it be removed.

      Maybe this'll teach them a lesson, but I doubt it. They're pretty hardheaded and convinced they're perfect.

  6. steamnut

    Where are the NSA / GCHQ when you need them?

    If NSA/GCHQ and others really want to do us, the people, a good service; then how about intercepting these attacks for us? Maybe they cannot handle as much data as we think?

    As for the hospital, shame on the IT department for not protecting the critical PC's well enough. Even if air-gapping is not possible then at least lock down the email and browser ports to stop these infections.

    I bet it was an innocent user who was tempted to click on a link without thinking of the consequences. It's also a fair bet that the initial source PC was Windoze based....

    1. thames

      Re: Where are the NSA / GCHQ when you need them?

      From what is said in the story, it sounds like the PCs are used to schedule tests and send out results. Air gapping them would have the same effect all the time as the problem they are experiencing now temporarily. Talk about an own goal.

    2. Mark 85

      Re: Where are the NSA / GCHQ when you need them?

      Hospitals are like almost everywhere else... everything is connected to the LAN and because of email, web research, etc., the LAN is connected to the internet. For example, the MRI machine needs to store the images on a server. Those images need to be accessible to physicians within and outside of the hospital. Physicians don't seem to care about security and having files moved from an air-gapped system to the LAN/WAN/Internet so they can view the files from their office or home.

      Yeah... they should have separate systems which would require separate PC's/terminals to get into, but there's a large hassle there with extra equipment on the desk, extra cost, etc. So most don't do it. The few that still run separate systems are considered "backwards".

      And let's not even think about IoT in hospitals at this point. Security on that stuff is a fiction.

    3. Gray

      Re: Where are the NSA / GCHQ when you need them?

      Please to remember, it's only a hospital hack. In the U.S., that ranks as a regrettable incident. Nothing at all like a critical assault on a multi-national corporation and the fortunes of America's One Percent; or an Insurgent and Subversive Attack against national security such as the hack of a Three-Letter Agency which would require Congressional Inquiry, Administrative Executive Action, and Enhanced Investigatory Powers.

      'tis only a hospital hack. We've got lots of hospitals and far too many sick people draining the system. So let's keep a sense of proportion here, folks. Move along, nothing to see. It's just another hack. Not like we haven't had lots of 'em. Keep moving along now ...

      1. PeteA

        Re: Where are the NSA / GCHQ when you need them?

        I think the downvoter missed the implied </sarcasm> tag...

    4. Peter Prof Fox

      Where are GCHQ when you need it?

      [Posted from Great Britain Land] So what bloody good does Snowdonia and Blanket Surveillance do? SFA. Theresa May's policy of getting low-grade 'CCTV of the Internet' monitoring ("We're all on camera and it reduces crime") is a total waste of time in this scenario. Tracking the crims may be 'hard' but perhaps there are some specialists, let's call them the Internet Bomb Disposal Squad, who could be called in. Not in the UK. The 'drizzle of intelligence' beats the 'blue flashing light of expertise' every time. (Why? Follow the $$$.)

      1. Anonymous Coward

        Re: Where are GCHQ when you need it?

        Can't they just restore from the NSA's backups?

    5. Tom 13

      Re: Where are the NSA / GCHQ when you need them?

      My money would be on an HR person.

      They're expected to expect unsolicited resumes, which is the perfect vector for this kind of crap.

  7. Palpy

    Ah the humanity.

    In particular, humanity's apparent penchant for saying "oh shiny!" and "it's always been fine before" instead of thinking "this could go very very wrong."

    We know -- we know -- that the IoT is insecure as a bamboo bridge over a pit of lava. But people will go "oh shiny!" and buy IoT devices anyway. Even industries that should know better do it. On the other side, we know -- know -- that XP systems used to run legacy-but-crucial systems are insecure as, um, an ice tower in the Sahara. But "it's always been fine before" keeps those legacy systems running and connected.

    I think most of us have heard that, OK, an accounting firm got hit with ransomware. What if it happened to public safety -- a police precinct? Could be bad. Then it did happen. Boy, it would be bad if it happened to a hospital! Now that's happened. Gee, what if it happened to a nuke plant?

    So the news story to hand seems, to my jaundiced and weary eye, much more like a confirmation of human frailty than a story of unexpected evil. It seems to me this is how humans behave: the majority are slow to take precautions against a diffuse and probabilistic danger, because the precautions are inconvenient and sometimes difficult; and a few clever ones then take advantage of that inertial behavior.

    But I'm drinking, so incoherence is the order of the hour.

    1. ShadowJockeyHNZ

      Re: Ah the humanity.

      You sir, are a comedic poet.

  8. frank ly

    How about ....

    "Interpol has formed an international ransomware task force in a bid to identify the attackers."

    ... an international task force to educate so-called intelligent people how to implement secure procedures and practices for use of computer systems?

  9. Ammendiable to persuasion..

    Could it be... "Satan"?

    Oh sorry. I meant "Microsoft".

    I find it very significant that I cannot find any information regarding the type of machines attacked, except it seems to involve the patient records and that it was not a directed attack.

    Not a directed attack.

    So.. regular Windows malware demanding bitcoins and spreading through networks via the usual routes. And the large figures being demanded because of the large number of computers involved. Yes?

    No info on whether the MRI, CAT scanners, and x-ray machines are affected. These typically use Windows interfaces and cannot be upgraded as the software and hardware are a unit. They are linked to networks so they can store and recall their imaging data, but you will not find Internet Explorer and Outlook nor anything Facebook or Google on these devices. But still a little worrisome. Because the OS on these things really *CAN'T* be updated (nor do you want them to be, based on Microsoft's track record.)

    Linux has some of the same updating problems. More than once I've had a video driver update naff an entire system to the point where a re-install is the simpler option. Thankfully that's fairly fast usually.. Just keep your home directory on a separate partition.

    This is a very, very ominous development.

    What could someone do if they were so motivated?

    Our civilization is in a very fragile state. One solar flare and we could be back at the beginning of the industrial revolution. Except without the 6 to 12 times a day mail delivery they had in cities like London back in the day. And none of our shipping would work as all the GPS and communications are all offline.

    I think I heard that ships don't even know how to use a sextant nor use Morse code anymore.

    https://medium.com/message/everything-is-broken-81e5f33a24e1#.hmr2yzlys

    Now. Let's just add the phrase "Internet of Things" and go on from there shall we?

    Happy faces everyone!!

    1. Anonymous Coward

      Re: Could it be... "Satan"?

      I don't know why they're downvoting you. Hyperbole aside, you seem to know what you're talking about re: medical imaging gear. Given that the simple x-ray hardware/software I've dealt with is proprietary garbage, I can't imagine that CATs, PETs, or MRIs are somehow powered by competently coded, secure, open-standards software.

      With said x-ray software, and insurance claims software etc, it's standard practice for medical staff (not IT) to "remote in" support techs for everyday troubleshooting, updates, license activations... who piss and moan about their crappy jobs installing crappy overpriced crap that's destroying civilization.... typically home-based, using their personal Windows PCs. Let that sink in....

      1. Ammendiable to persuasion..

        Re: Could it be... "Satan"?

        "remote in"?!?!?

        Eeeeeeeeeeek!!!!

        Would putting a bag over my head help any?

  10. All names Taken

    Regarding

    "It was not a [targeted] malicious attack, it was a random attack," Stefanek says.

    Ah - that is so good to know ... or is it?

    The last thing we need is public acceptance that random attacks are good?

  11. CAPS LOCK

    Healthcare...

    ... again. "We're too busy Caring to be bothered with this cyber-security nonsense"

  12. billium

    Get the facts

    Total cost of ownership includes removal of malware and restoring from backups, or paying ransoms.

    Free and fair competition is always better than a monopolist.

    Hiding known extensions by default must be a great idea.

    Why do people send invoices and text in malware infested xls and doc format, if editing is not required? Can a virus be contained in a pdf?

  13. Neil Barnes

    Um, I don't think this is an OS story

    It's a storage philosophy story.

    At the PC, running the OS of your choice, a program with sufficient permission acquired either legitimately or otherwise can trash pretty much any file on the system. The issue is less with the local computer and more with remote shared storage.

    It should be *impossible* for any remote access to do anything more than reading a file on demand, and writing a new file. You should never be able to overwrite an existing file. Storage is *cheap*. The question of access to it and internet connection and such is something else entirely; what is important is the security of the data as written.

    A remote store on something like a medical data store that allows read-modify-write is broken.

    1. Ammendiable to persuasion..

      Re: Um, I don't think this is an OS story

      THAT is a VERY good point!

      You just reminded me about ZFS. A write always forks off a new block from the pool.. So even deleting a file in the file system (not to mention overwriting a file) leaves the original data intact and you can regress the file system back in time to any earlier point.

      That is until someone goes into the management console and frees up all the "wasted" dereferenced blocks and puts them back in the free pool..

      But the spread of this malware *is* definitely an OS issue. That is, until we start designing operating systems where the idea of "root user" doesn't even exist, but I'm not smart enough to envision such a beast..

      Perhaps Qubes is a good start?
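The storage philosophy argued in the two posts above (remote clients may read a file or write a new one, but never overwrite or delete; ZFS-style copy-on-write keeps every earlier version until an administrator explicitly frees it) can be modelled in a few dozen lines. The following is an added example, not code from The Register, its commenters, or ZFS: an in-memory write-once, versioned store whose client-facing API has no overwrite or delete at all, a constructed "compromised client" that pushes scrambled data over every record, and the rollback that recovers the originals. The `purge_history` call models the dangerous management-console step from the reply: it requires a separate admin flag and is the only way to destroy data. File paths, record contents and the XOR "encryption" are all constructed stand-ins.

```python
"""Write-once, versioned file store (added example, not from the page).

Policy modelled: put() always appends a new version, read() never
mutates, and there is no overwrite or delete in the client API. Only an
explicitly privileged purge can discard history, which is what makes a
ransomware-style overwrite sweep recoverable.
"""
import hashlib


class WriteOnceStore:
    """In-memory model of an append-only, versioned storage back end."""

    def __init__(self):
        # path -> list of (data, sha256 hex); index 0 is version 1
        self._history = {}

    def put(self, path, data):
        """Store a new version of `path`; returns the 1-based version number.
        Earlier versions are untouched, so a client that 'encrypts' a file
        only stacks a new version on top of the original."""
        versions = self._history.setdefault(path, [])
        versions.append((bytes(data), hashlib.sha256(data).hexdigest()))
        return len(versions)

    def read(self, path, version=None):
        """Return the latest version, or a specific 1-based version."""
        versions = self._history[path]
        idx = len(versions) - 1 if version is None else version - 1
        if not 0 <= idx < len(versions):
            raise KeyError(f"{path} has no version {version}")
        return versions[idx][0]

    def digest(self, path, version=None):
        """SHA-256 of a stored version, for integrity checks after rollback."""
        versions = self._history[path]
        idx = len(versions) - 1 if version is None else version - 1
        return versions[idx][1]

    def version_count(self, path):
        return len(self._history.get(path, []))

    def rollback(self, path, version):
        """Make an earlier version current by re-appending it.
        Still append-only: the bad versions remain as forensic evidence."""
        return self.put(path, self.read(path, version))

    def purge_history(self, path, keep_last, admin=False):
        """The one destructive operation (the 'management console' step).
        Refused unless called with admin rights; returns versions removed."""
        if not admin:
            raise PermissionError("purge requires administrative access")
        versions = self._history[path]
        removed = max(0, len(versions) - keep_last)
        self._history[path] = versions[removed:]
        return removed


def scramble(data, key=b"constructed-key"):
    """Stand-in for ransomware encryption: XOR with a fixed constructed key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def simulate_sweep_and_recovery():
    """Write constructed records, let a compromised client overwrite them
    all, then roll back. Returns (all_corrupted, all_recovered)."""
    store = WriteOnceStore()
    originals = {  # constructed sample records, not real data
        "/records/patient-0001.txt": b"constructed sample record one",
        "/records/patient-0002.txt": b"constructed sample record two",
        "/imaging/study-0001.dcm": b"constructed sample image bytes",
    }
    for path, data in originals.items():
        store.put(path, data)
    baseline = {p: store.digest(p) for p in originals}

    # Compromised client: reads every file and pushes scrambled data.
    # With no overwrite API it can only add versions, not destroy them.
    for path in originals:
        store.put(path, scramble(store.read(path)))
    corrupted = all(store.read(p) != originals[p] for p in originals)

    # Recovery: roll back to version 1 and verify each digest matches.
    for path in originals:
        store.rollback(path, 1)
    recovered = all(store.digest(p) == baseline[p] for p in originals)
    return corrupted, recovered


if __name__ == "__main__":
    print(simulate_sweep_and_recovery())  # (True, True)
```

The sweep is still visible afterwards: each path ends with three versions (original, scrambled, restored copy), so an operator can see what was written and when. Whether a real product behaves this way depends on how snapshots and retention are configured and who holds the credentials that can free old blocks, which is the point the reply makes.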

  14. Agent Tick

    Why....

    .. has Microsoft still not fixed this big security hole? Remote encryption of a computer without requiring permission (confirmation) from the in-house system admin? How come such an attack can be executed without anyone knowing? Apparently, we're still in the stone age of IT security, yes!?

  15. Major_Variola

    Accidental DoS on hospital vs. Deliberate DoS on roadways

    The "Black lives matter" protesters blocked public freeways in the US. As a result, ambulances had to be redirected.

    What should happen to these intentional protesters?

    Why is that not worse than some poor eastern european releasing some generic ransomware that happens to nail a hospital?

  16. WatAWorld

    It was a random attack? Random attacks don't ask for $3.6 million ransom.

    1. Anonymous Coward

      Probably was $360 per machine and 10K machines

      knowing the standard random crypto locker attack normally about 1 bitcoin

      Speaking from my organisation, hospitals aren't interested in security until something happens, I am struggling even to get VM space to run Open Source tools.

      1. Anonymous Coward

        I am struggling even to get VM space to run Open Source tools

        Do I know you? Do your higher-ups also believe a Juniper firewall keeps their intranet safe? And that PHP sites on cloud servers are riskier than hosting in-house?

  17. Medixstiff

    Manufacturers are also partly to blame.

    When mum's practice moved to a new building, we requested quotes to take some of the specialist machines from Windows XP to 7.

    These are essential for the treatment and care of babies BTW, we were quoted $30,000 per machine for 6 machines.

    That's absolutely disgusting in my book, $5,000 I could understand but still would think is a bit much.

    That's nothing but pure greed, I hope a few of their machines become affected and it affects their image, bunch of w*nkers.
