nanog mailing list archives

Re: Can somebody explain these ransomwear attacks?


From: Don Gould <don () bowenvale co nz>
Date: Sat, 26 Jun 2021 00:00:49 +1200

NEW ZEALAND HEALTH EXPERIENCE AND DISCUSSION

Some of you may be aware that one of our major hospitals was taken off line with 680 compromised servers.

Discussion on one local list is that the systems have been open for some time and the ransom hackers didn't open the systems, they have just caused them to be cleaned up and locked.

I was in one of our other hospitals this week. I was presented with Windows 2000 systems. These people don't seem to understand the concepts of a dated DLL stack, combined with inter-system networking. They don't leave me with the impression that we've been presenting object-level compromise data for decades now. They don't seem to understand that we've made that public facing for, what I would have thought, fairly obvious reasons. By 'we', I don't mean any special, crazy, conspiracy theory, tin foil hat wearing groups, I mean just plain old everyday computer geeks who write software.

In the NZ hospital case, it looks to me, and I don't know, this is just pure speculation, like someone is going around global hospitals and making them clean up stuff that they should have been upgrading.

I personally accept that there are groups around the world with vested interests to have access to our hospital systems, if for no other reason than just to see who's coming and going... you never know when that might make a cool media story, ea?....

I keep reading how this is a training issue of staff in hospitals who shouldn't be clicking on email attachments. It's a comment that just strikes me as bonkers. It's not a training issue at all, other than training management that systems have to be patched, updated, and upgraded.

Call me crazy, but you can't go around telling kids that IT has great jobs, ask them (make them) pay for education, and then not actually give them jobs to do the work that clearly has to be done.

Yes, you can call this a conspiracy theory, but I venture that when old people cry out for young people to learn IT so they can make better health systems, and then 'investors' don't actually upgrade to those 'new systems' and just leave the doors wide open to personal information, at some point some folk are going to get their noses out of joint.... a fairly obvious theory that too many in management are just discounting as conspiracy until things get broken.... then they blame the user for using email.

Going back a number of years our whole social services system was found to be wide open because a vendor couldn't make their software work without giving it a 'few more permissions'. Couple that kind of thinking with decades old, compromised, DLL stacks... interests who like to just quietly watch... and a lack of good, reasonably paid IT work... and I have one question....


" Can somebody explain these ransomwear attacks?" ...I don't know... can I?

HTH

D

On 2021-06-25 22:39, Jean St-Laurent via NANOG wrote:
Here are some facts showing that it's important to not pay them.

80% of ransomware victims suffer repeat attacks, according to new report

https://www.cbsnews.com/news/ransomware-victims-suffer-repeat-attacks-new-report/

published June 17th 2021

Don’t pay them. Just clean your mess. 😊

Jean

From: NANOG <nanog-bounces+jean=ddostest.me () nanog org> on behalf of Michael Thomas
Sent: June 24, 2021 5:59 PM
To: JoeSox <joesox () gmail com>
Cc: nanog () nanog org
Subject: Re: Can somebody explain these ransomwear attacks?

On 6/24/21 2:55 PM, JoeSox wrote:

It gets tricky when 'your' company will lose money $$$ while you wait a month to restore from your cloud backups.

So Executives roll the dice to see if service can be restored as quickly as possible, keeping shareholders and customers as happy as possible.

But if you pay without finding how they got in, they could turn around and do it again, or sell it on the dark web, right?

Mike

On Thu, Jun 24, 2021 at 2:44 PM Michael Thomas <mike () mtcc com> wrote:

Not exactly network but maybe, but certainly operational. Shouldn't this just be handled like disaster recovery? I haven't looked into this much, but it sounds like the only way to stop it is to stop paying the crooks. There is also the obvious problem that if they got in, something (or someone) is compromised that needs to be cleaned, which sounds sort of like DR again to me.

Mike

--
Don Gould
5 Cargill Place
Richmond 8013
Christchurch, New Zealand
Mobile/Telegram: + 64 21 114 0699
www.bowenvale.co.nz
