Can somebody explain these ransomwear attacks?
Don Gould
don at bowenvale.co.nz
Fri Jun 25 12:00:49 UTC 2021
NEW ZEALAND HEALTH EXPERIENCE AND DISCUSSION
Some of you may be aware that one of our major hospitals was taken
offline with 680 compromised servers.
Discussion on one local list is that the systems have been open for some
time and the ransom hackers didn't open the systems, they have just
caused them to be cleaned up and locked.
I was in one of our other hospitals this week. I was presented with
Windows 2000 systems. These people don't seem to understand the
concepts of a dated DLL stack, combined with inter-system networking.
They don't leave me with the impression that we've been presenting
object level compromise data for decades now. They don't seem to
understand that we've made that public facing for, what I would have
thought, fairly obvious reasons. By 'we', I don't mean any special,
crazy, conspiracy theory, tin foil hat wearing groups, I mean just plain
old every day computer geeks who write software.
In the NZ hospital case, it looks to me, and I don't know, this is just
pure speculation, like someone is going around global hospitals and
making them clean up stuff that they should have been upgrading.
I personally accept that there are groups around the world with vested
interests in having access to our hospital systems, if for no other reason
than just to see who's coming and going... you never know when that
might make a cool media story, eh?....
I keep reading how this is a training issue of staff in hospitals who
shouldn't be clicking on email attachments. It's a comment that just
strikes me as bonkers. It's not a training issue at all, other than
training management that systems have to be patched, updated, and
upgraded.
Call me crazy, but you can't go around telling kids that IT has great
jobs, ask them (make them) pay for education, and then not actually give
them jobs to do the work that clearly has to be done.
Yes, you can call this a conspiracy theory, but I venture that when old
people cry out for young people to learn IT so they can make better
health systems, and then 'investors' don't actually upgrade to those
'new systems' and just leave the doors wide open to personal
information, at some point some folk are going to get their noses out of
joint.... a fairly obvious theory that many in management are just
discounting as conspiracy until things get broken.... then they blame
the user for using email.
Going back a number of years our whole social services system was found
to be wide open because a vendor couldn't make their software work
without giving it a 'few more permissions'. Couple that kind of
thinking with decades old, compromised, DLL stacks... interests who
like to just quietly watch... and a lack of good, reasonably paid IT
work... and I have one question....
" Can somebody explain these ransomwear attacks?" ...I don't know...
can I?
HTH
D
On 2021-06-25 22:39, Jean St-Laurent via NANOG wrote:
> Here are some facts that it’s important to not pay them.
>
> 80% OF RANSOMWARE VICTIMS SUFFER REPEAT ATTACKS, ACCORDING TO NEW
> REPORT
>
> https://www.cbsnews.com/news/ransomware-victims-suffer-repeat-attacks-new-report/
>
> published June 17th 2021
>
> Don’t pay them. Just clean your mess. 😊
>
> Jean
>
> FROM: NANOG <nanog-bounces+jean=ddostest.me at nanog.org> ON BEHALF OF
> Michael Thomas
> SENT: June 24, 2021 5:59 PM
> TO: JoeSox <joesox at gmail.com>
> CC: nanog at nanog.org
> SUBJECT: Re: Can somebody explain these ransomwear attacks?
>
> On 6/24/21 2:55 PM, JoeSox wrote:
>
>> It gets tricky when 'your' company will lose money $$$ while you
>> wait a month to restore from your cloud backups.
>>
>> So Executives roll the dice to see if service can be restored
>> quickly as possible keeping shareholders and customers happy as
>> possible.
>
> But if you pay without finding how they got in, they could turn around
> and do it again, or sell it on the dark web, right?
>
> Mike
>
>> On Thu, Jun 24, 2021 at 2:44 PM Michael Thomas <mike at mtcc.com>
>> wrote:
>>
>>> Not exactly network but maybe, but certainly operational.
>>> Shouldn't this
>>> just be handled like disaster recovery? I haven't looked into this
>>> much,
>>> but it sounds like the only way to stop it is to stop paying the
>>> crooks.
>>> There is also the obvious problem that if they got in, something
>>> (or
>>> someone) is compromised that needs to be cleaned which sounds sort
>>> of
>>> like DR again to me.
>>>
>>> Mike
--
Don Gould
5 Cargill Place
Richmond 8013
Christchurch, New Zealand
Mobile/Telegram: + 64 21 114 0699
www.bowenvale.co.nz