'Significant' Ransomware Attack Forces Ireland's Health Service To Shut Down IT Systems (therecord.media) 53
Catalin Cimpanu, reporting for Record: Ireland's national health service, the Health Service Executive (HSE), temporarily shut down its IT systems today after suffering a ransomware attack overnight. The organization, which is in the midst of its COVID-19 vaccination program, said the attack did not impact its ability to provide urgent medical care but that some routine checks and services might be delayed or canceled. The HSE described the ransomware incident as "significant" and "human-operated," a term used to describe high-end sophisticated ransomware groups which orchestrate targeted attacks against carefully big organizations. In a morning radio show with public broadcaster RTE, HSE Chief Executive Paul Reid said the agency's IT teams are currently investigating the incident to find out its breadth. In a different radio show, Reid identified the ransomware gang behind the attack as Conti, a ransomware gang that started operating in the summer of 2020.
DarkSide? (Score:2)
Another victim [slashdot.org] of DarkSide?
Re: (Score:2)
Conti, not that it really matters. They're all motivated by the same thing.
Re: (Score:2)
Yep, payouts only made possible through the legalized exchange of cryptocurrencies.
Re: (Score:2)
Some of them are getting out, like Tesla. A rapid squeeze rather than an instant crackdown would let the ownership class get out quickly so they won't suffer any losses.
Are these Windows monocultures? (Score:2)
Re: (Score:2)
You are wrong. There really is nothing more to say here.
Re: (Score:2)
tanstaaf1 inquired:
Why don't large governments - who have enough money to build their own operating systems, or at least tweak existing open source - know this and take commonsense measures?
A major reason why governments (other than the PRC) don't roll their own OSes is because they can't afford to hire the top talent necessary to do so, due to caps on civil servants' salaries. And outsourcing the task to what we in the USA refer to as "Beltway bandits" is absolutely not a valid alternative to doing it in-house, both because those are money-extraction machines, not software development organizations, and because there's zero evidence that they could produce a hack-proof OS.
I
Re: Are these Windows monocultures? (Score:1)
Every government that tried to roll its own OS, even if based on Linux, quickly became outdated and horribly insecure. That is the case in China, North Korea, Russia and even Germany.
The problem is not monocultures, the problem is lack of funding for security initiatives across the board, the pipeline company was looking to hire Cybersecurity personnel until extra taxes and regulation set in, they quickly cut the first cost center they could find. Then they beat their chest for a while, get the government t
Re: (Score:2)
Why don't large governments - who have enough money to build their own operating systems, or at least tweak existing open source - know this and take commonsense measures?
If you're positing that government should "protect" themselves by writing different operating systems or customizing existing ones - this is thinly disguised security through obscurity. The best use of resources (besides maintaining good opsec, which many governments and corporations do not) is to concentrate efforts on hardening existing OSes.
This sounds like ... (Score:5, Funny)
Re: (Score:2)
Another reason to get drunk.
Wait, I must have missed the memo.
Since when do we need a reason to get drunk?
Unintended Side Effects (Score:2)
I suspect we could see an unintended side effect from some of these attacks. We may well see the Nationalization of key pieces of infrastructure in the name of National Security. It could come piecemeal, Hospitals here, Electricity there, Gas pipelines, etc. Or it could come under one umbrella: IT Security.
USC only IT jobs will be nice in the USA! (Score:2)
USC only IT jobs will be nice in the USA! With the big GOV paycheck + very hard to fire.
Re: (Score:2)
ROTFL!
Yeah, right. I was working for a federal contractor (US), and was getting about the same pay and benefits as a fed did - I looked it up.
Oh, and let's not forget that the "BIG GOV" paychecks are unlikely to be more than a Congresscritter gets, unlike private industry. No stock options, etc.
One of these days... (Score:2)
Re: (Score:2)
Maybe they will wake up one day to find a decapitated top-of-rack switch in their bed. Didn't that work in The Godfather?
Re: (Score:2)
Careful with that axe, Eugene.
Re: (Score:2)
...these people are going to pick on the wrong people
They did that a few times already. History shows that they have little to worry.
It happens because it works (Score:2)
So long as the perception of benefits outweighs the perception of costs, this kind of thing will happen. Amateur, professional, or state-backed.
Nations are going to have to start investing in changing the equation by legislating and funding the investigation of such attacks, and doling out serious punishments.
Re: (Score:2)
If you have a single machine that has been infected that could work. But if you have one infected machine, what makes you think everything else on your network is good? So you pretty much have to isolate every device on your network and individually restore them before they can rejoin the network. And that can take a very long time.
Re: (Score:3)
The massive wait times and storage requirements, I'd guess. These people can't be assed to put decent security and backup plans in place in the first place, so I really don't think they'd like to multiply the storage requirement on each PC and wait for a full-system backup on every boot-up/shutdown (which would just incentivize users to reboot as little as possible).
Re: (Score:2)
I have a really dumb question, but why aren't we keeping "last boot" snapshots of filesystems as a matter of course? Get encrypted? Just reboot to the most recent boot snapshot. Sure you might have lost anything you worked on that morning, but that has to be better than paying ransom.
Possibly for a couple of reasons. First, not every system supports "snapshots". In the case of Windows servers, filesystem snapshots are really more of an aid to creating consistent backups than a means of backup themselves. You can't boot from a snapshot of an NTFS filesystem, for example.
In the case of virtual machines, such as VMware servers, you can create snapshots of an entire VM, including memory, but they have a terrible impact on disk performance, which may not be acceptable on database servers and
Re: (Score:2)
They'll just delay the start of the encryption process so going back to a supposedly good boot will still have the payload waiting in the background. Or they'll find a way to alter the snapshots or outright wreck them so you can't go back. Plus, it's not like you're going to keep too many snapshots around. With a long enough fuse they could be in weeks worth.
Carefully big organizations (Score:2)
I'm not sure what a "carefully big organization" is, but all you other carefully big organizations better tighten up your security!
Technical details? (Score:3)
Re: (Score:2)
oilchangesarecheap Matt Novak 5/14/21 8:55am Thanks Microsoft for making such shitty software that everyone is getting hacked. This doesn’t happen with Linux. Every Windows PC was removed from the network and re-installed. I don’t get paid overtime. It’s a large hospital chain unrelated to the one in this article. Fuck Microsoft and their shitty forced update system full of holes. Windows 7 boxes, running the information screens? Fine. Every Linux box was unaffected.
Question (Score:2)
Re: (Score:2)
why can't email be opened in a VM away from the main files?
- in a what?
a manager
Re: (Score:2)
why can't email be opened in a VM away from the main files?
- in a what? a manager
Or worse,
the CTO
Re: (Score:2)
Since most attacks are done with email why can't email be opened in a VM away from the main files?
https://www.youtube.com/watch?... [youtube.com]
okay, lemme explain to you how the world works.
First off, for a whole lot of people, their mailbox is their file system. Seriously, I've got guys with inbox trees six folders deep.
Many of those e-mails have attachments, and those attachments need to get modified and sent back to the sender. Sure, it should be saved on a network folder, but I've got one client who has version hell issues because of terrible permissions settings they also insisted on implementing years ago.an
Negotiations for Ransom (Score:3)
The HSE have apparently already initiated ransom negotiations. The Hackers have been informed that there is only a 3 year waiting list before a specialist consulting negotiatologist can see them.
They can, of course, try get the ransom immediately if they go private.
---
In non-humorous posts, I've heard the system was a bit like the Battlestar Galactica and might've been saved from worse damage because of it.