Ransomware hackers steal a hospital. Again


#21

I was more expressing disbelief that people are targeting hospitals. Then again, logically it makes sense. If you have no morals or care about the lives you are ruining and the care you are interrupting for people that need it, then it makes a logical target.

It’s just heartless to do so.


#22

Shockwave Rider


Do you want to reference _The Shockwave Rider_?


#23

More reasons to use Linux. The company that I work for uses Linux on manufacturing equipment. On two occasions, I have stood by and watched a virus take the facility down while our equipment was unaffected. Of course Linux isn’t a magic fix for everything, but combined with reasonable security practices it is a lot more secure than Windows.


#24

And not even Adobe / PDF stuff does this.

A few years ago there was a server that was a bit of a pain for us as it was a vendor supplied OS image to run the hardware monitoring app. It was off in a lab somewhere as it needed direct connect to the hardware. Anyway it sorta kinda got patched but not by our tools because not a corporate image on it. Eventually the drive controller failed and took out the mirroring with it. It was beyond toast. For further fun the vendor no longer existed and the company that bought out the vendor was no longer supporting that application. I did a little silent happy dance when that box was pronounced dead because it was a pain for us to support.
Looking back on it now I am quite surprised security let them have it running on the general enterprise network.


#25

late stage capitalism


#26

I’ve dealt with two ransomware situations so far.

One of them started with a zero-day; during a routine virus scanner signature update about a day later we caught it, but it had already encrypted hundreds of files. The encryptor was heavily resource-throttled so that it didn’t make the infected PC unusable, which is why we didn’t get hit harder.

The other one was a spear-phish of the email of a research scientist, and it hammered a small non-profit that I do occasional pro-bono work for. They ended up losing a lot of files, sadly.

As in every case when I’ve contacted the FBI about a computer crime, they basically said two things:

1. don’t pay the ransom.
2. sucks to be you, because we don’t have time for this petty nonsense, goodbye.

This is in stark contrast to the two times the FBI has come to me - in those cases they said:

1. you really want to co-operate with us instead of being part of a conspiracy
2. give us the computers on this list and say nothing to anyone

My personal philosophy is that extortionists should never be paid no matter how much damage they do. So far I’ve managed to convince the victims to see my point of view.


#27

I agree in principle about not paying extortionists. I think the cost benefit analysis can skew sharply the other direction with an institution like a hospital. Depending on how bad their infrastructure was and what recovery time might be, it could very well be more sane to say: “pay this now and then let’s talk about how we can prevent it from happening again”.


#28

So remarkably common and infuriating. FFS, throw something in there other than your username and “created by MS Word”, metadata in such files can be quite useful.


#29

I’m pretty sure that the entire concept of metadata exists to confuse the ignorant and drive the organized to madness and frustration (that and all the weird stuff Team Spook likes to do with it).


#30

Well, in my own opinion, if you screw up you should take the harm, instead of providing resources to known bad actors who will most likely use them to expand the harm they can do to you and to others. The ransomware guys are supposedly raking in over $12 million a year, although I imagine it’s hard to get that kind of cash converted back out of bitcoins.

But if you are not interested in that particular ethical construct, consider that “should once you pay the danegeld, the Dane is ever at your door.”


#31

I understand the ethical construct, and agree with it. It’s not simply black and white like that when you have to deal with the ethics of keeping a hospital running.


#32

what hospital procedures cost $1,600?


#33

Tons of them! Usually the fee schedules are coded via HCPCS (one row per claim detail) or DRG (grouped pricing).

If you’re curious, here’s a couple of public sources. :slight_smile:

(healthcare’s super-complicated!)

http://www.dhcs.ca.gov/provgovpart/Pages/PricingResources2015.aspx

https://www.cms.gov/medicare/medicare-fee-for-service-payment/DMEPOSFeeSched/DMEPOS-Fee-Schedule.html


#34

that doesn’t really narrow the field, then.


#35

Hardly even a little!

That’s actually a hilariously puny amount of money considering how much flows through a facility like that. They can make it up in a day just by having an analyst do some manual coding. None of the big payers (Medicaid, Medicare, the big insurance providers) will notice unless it’s really egregious.

The problem is that hospital equipment tech is badly integrated and generally really substandard compared even to what we have as consumers from a security standpoint.


#36

That’s why I dragged in Kipling :wink:


#37

Not that hard


#38

I would estimate, just from pop culture’s beliefs, something like complaining of an upset stomach, and being given half a surplus Bismuth Subsalicylate tablet that was originally manufactured for horses, which the hospital got for free.


#39

There are ways around problems like this, they’re just difficult and expensive (see Subgraph, QubesOS - basically, OS level hardened sandboxing). But there’s plenty of easier targets for hardening security practices that most businesses don’t bother with due to expense, IT staff skill/knowledge etc.


#40

Hospital IS departments aren’t always brilliant. But you aren’t hearing about all the occasions when they just give notice that there will be an interruption in service while they roll back to last night’s virus free backup; sorry for the temporary inconvenience; please stop downloading dubious files from spam emails and dodgy sites on the internet.

And an hour or two later it’s all back to normal. Albeit still a tad crap because we’re stuck using an out of date system that really isn’t fit for the 21st century. But hey, they kept it running … :relieved:

That’s a trivial amount for a surgical procedure. If one operating theatre stops working for a morning and leaves the staff idle, the losses can run into 10s of thousands of $.