Some Coronavirus Vaccine Trials Resort To Pen and Paper After Ransomware Hits Software (nytimes.com)
A software company supporting hundreds of clinical trials — including coronavirus vaccine trials — has been hit by a ransomware attack that "has slowed some of those trials over the past two weeks," reports the New York Times.
Employees "discovered that they were locked out of their data by ransomware..." eResearchTechnology (ERT) said clinical trial patients were never at risk, but customers said the attack forced trial researchers to track their patients with pen and paper. Among those hit were IQVIA, the contract research organization helping manage AstraZeneca's Covid vaccine trial, and Bristol Myers Squibb, the drugmaker leading a consortium of companies to develop a quick test for the virus. ERT has not said how many clinical trials were affected, but its software is used in drug trials across Europe, Asia and North America. It was used in three-quarters of trials that led to drug approvals by the Food and Drug Administration last year, according to its website.
On Friday, Drew Bustos, ERT's vice president of marketing, confirmed that ransomware had seized its systems on September 20. As a precaution, Mr. Bustos said, the company took its systems offline that day, called in outside cybersecurity experts and notified the Federal Bureau of Investigation. "Nobody feels great about these experiences, but this has been contained," Mr. Bustos said. He added that ERT was starting to bring its systems back online on Friday and planned to bring remaining systems online over the coming days...
One of ERT's clients, IQVIA, said it had been able to limit problems because it had backed up its data. Bristol Myers Squibb also said the impact of the attack had been limited, but other ERT customers had to move their clinical trials to pen and paper.
The Times notes it's just one of "more than a thousand ransomware attacks on American cities, counties and hospitals over the past 18 months." Other interesting details from the article:
- ERT's vice president of marketing "declined to say whether the company paid its extortionists, as so many companies hit by ransomware now do."
- The attack follows what NBC News calls "one of the largest medical cyberattacks in United States history," taking down the computer systems of Universal Health Services at over 400 locations.
- "In May, the FBI and the Department of Homeland Security warned that Chinese government spies were actively trying to steal American clinical research through cybertheft... More than a dozen countries have redeployed military and intelligence hackers to glean what they can about other nations' responses, according to security researchers."
- Two companies working on a coronavirus vaccine — Pfizer and Johnson & Johnson — emphasized to the Times that they weren't affected by ERT's issues, with a Pfizer spokesperson stressing they're not even using ERT's software.
Interesting (Score:2)
Suicide by stepping in front of a train probably wasn't flashy enough for this particular 'hacker', they wanted to be torn to shreds publicly by an angry mob, apparently.
Re: (Score:3)
We, as an industry, are so incompetent at security we'll never find who did it unless they go around bragging online about it.
Re: (Score:2)
We, as an industry, are so incompetent at security we'll never find who did it unless they go around bragging online about it.
Unfortunately, that is the plain simple truth.
Re: (Score:2)
Indeed. Jamming cat videos will just make us chuckle then yawn. But, mess with Covid vaccines and you get the Bin Laden Treatment! Fuck You, pirates!
Like this? (Score:2)
mess with Covid vaccines and you get the Bin Laden Treatment!
You mean like this [youtube.com]?
Re: (Score:2)
There are some people that really enjoy being evil toads. This is a prevalent theme in drama and films. Bwahahaha!
Why do you need special software? (Score:1)
Re: (Score:3)
And none of them involve Excel spreadsheets.
Seriously, if your data is valuable, why the hell are you using Windows? It should be obvious from this story, and hundreds more like it, that the back of an envelope is a safer place for data than on Windows.
Re: Why do you need special software? (Score:3, Insightful)
Seriously, if your data is valuable, why the hell are you using Windows? It should be obvious from this story, and hundreds more like it, that the back of an envelope is a safer place for data than on Windows.
Really?
Victim-blaming?
Platform-Trolling?
Really?!?
I'm certainly no Windows fan; but they are research-scientists; not security-professionals, FFS! They used the tools they normally use for this sort of thing!
Seriously, you should be ashamed of yourself!
Put the fucking blame where it belongs: The CRIMINALS that had the capital-offense-level GALL to attack a COVID-RESEARCH Project!!!
Anything else is patently ridiculous!
Re: (Score:2)
Re: (Score:2)
It's perhaps the scale and urgency (speed) of the needs that are different this time.
Off-the-shelf stuff is rarely optimized for the organization that needs it. There are often ways to tweak it, but that tweaking takes almost as long as custom software, AND you are still left with a lot of the original architecture that gets in the way or adds unnecessary steps. I'm not saying off-the-shelf is always the wrong choice, only
Terrorists and mass murderers (Score:1)
This data ransoming behavior stopped being cute a long time ago. It's time for whatever country is harboring these terrorists to clean up their house before other countries run out of patience and hit them with trade sanctions, cruise missiles, or worse.
Re: (Score:2)
If we start jailing people who pay them, as accomplices, then the problem would stop almost instantly.
They're not being physically threatened, there is no "force" that "makes" them pay. They're merely agreeing to enrich the perpetrator of a criminal act, in return for some consideration.
Re: (Score:2)
If we start jailing people who pay them, as accomplices, then the problem would stop almost instantly.
We should also jail store owners who have their wares behind glass windows. They're just begging to be robbed by displaying their goods.
A better solution would be, where possible, to track down the criminals and execute them. Every single one, no matter how small a hack they've done. Deface a web site? Execute. Break into someone's Twitter account? Execute. Get into someone's iPhone account and display
Re: (Score:2)
If we start jailing people who pay them, as accomplices, then the problem would stop almost instantly.
We should also jail store owners who have their wares behind glass windows. They're just begging to be robbed by displaying their goods.
You missed the part where I said
They're not being physically threatened, there is no "force" that "makes" them pay. They're merely agreeing to enrich the perpetrator of a criminal act, in return for some consideration.
Learn yous sum werds
Re: (Score:2)
Or, as an alternative to cruise missiles, the potential victims could fix their security holes and do routine backups.
Re: (Score:2)
Re: (Score:2)
[begin]
It's a lesson too late for the learning
[goto begin]
[end]
Punishment. (Score:4, Interesting)
And when he gets sick, a cup of bleach will be given to him for treatment.
Re:Punishment. (Score:5, Insightful)
I am of the opinion that Ransomware should be Capital punishment level offence. It significantly impacts society and threatens loss of life as in this case. It is an par with a release of a dirty bomb or a chemical attack in the sense that once released the level of damage is not containable by the perpetrators.
Re: (Score:2)
Re: (Score:2)
Ransomware exists because people pay ransoms. Stop doing that and ransomware will go away.
There are two ways to stop.
1. Refuse to pay. Treat the event as catastrophic data loss. Hopefully you're insured.
2. Adopt security and backup practices so you're never in a situation where someone could hold your data hostage or steal and sell your data online.
As for punishment, Community service to compensate the harm done to society will give a person plenty of time to reflect on how they choose to live. Exploiting other people tears down society. And it's behavior we shouldn't tolerate in any form, not j
Re: (Score:2)
Trace the bitcoin address back to the crooks and go get them.
Re: (Score:2)
Have fun getting warrants on the accounts of exchanges. Wallets are created easily, and sometimes stolen wallets are used to muddy any investigative accounting. Also the bitcoins can be spent on things that you might not want traced, like hosting and certificates. Which can be used to run schemes to collect even more money. And finally, money, even bitcoin, gets laundered in organized crime. Purchase some good or service and use that to exchange for cash. Sure you take a haircut when you do that, but once t
Re: (Score:2)
They managed to track down the silk road and other drug selling.
Re: (Score:2)
Purchase some good or service and use that to exchange for cash.
Wouldn't be so easy, as it would give investigators a shipping address to work with...
Re: (Score:2)
Obviously you don't ship to your own address.
Re: (Score:2)
Ransomware exists because it's an easy way to make money.
And in every goddam case, it's because the gatekeepers are asleep at the wheel.
Capital punishment for the gatekeepers?
Re: (Score:2)
The question if Capital Punishment deters crime is still controversial. The past few decades economist have gotten into the analysis and they have concluded it does. For example, Naci Mocan, (Economist at Louisiana State University) published a study that looked at all 3,054 U.S. counties over death penalty and found that that each public execution prevented five homicides. In order for it to be effective the execution has to be public and a short time between crime and execution.
Also now that we can go loo
Re: (Score:1)
Re: (Score:2)
How comes the USA, a country which kills people, has so much more crime of exactly the sort that is punishable by death than countries without capital punishment?
It doesn't.
There aren't many capital crimes in the US (premeditated or felony murder, kidnapping, treason, ...). The main one that actually sends people to death row is high-level murder.
The US has populations from many national origins and doesn't require them to assimilate and drop their ancestral culture, just that they obey the law. They can
Re: (Score:2)
Re: (Score:3, Insightful)
Drone on! (Score:3)
We do that to terrorists. If someone messes with critical functions of society, they are arguably terrorists.
Re: (Score:2)
a) No preventative value. Capital punishment may provide people like you with a great feeling of having gotten revenge, but it does not reduce the problem.
b) You have to identify them first. They know they are screwed if they get identified, so they are pretty careful.
Re: (Score:2)
Cryptocurrency must die!!! (Score:2)
Outlaw cryptocurrency globally and Ransomware will all-but-disappear overnight.
You all know I'm right.
The downsides way outweigh any alleged "advantages" of allowing its continued existence. This just underscores my point.
Re: (Score:2)
Hahaha, no.
There are plenty of other ways to launder money.
Re: Cryptocurrency must die!!! (Score:2)
Hahaha, no.
There are plenty of other ways to launder money.
True.
But no other monetary transaction other than dead-drops of briefcases full of gold dust that is specifically designed to facilitate it at every conceivable level.
Re: (Score:2)
Re: Cryptocurrency must die!!! (Score:2)
Well, next they'll go to gift cards or something. Cryptocurrencies didn't make ransomware possible, just a little more convenient.
Wrong.
Even Gift-Card transactions are infinitely more traceable than Cryptocurrency.
Put your money where your mouth is; find me cases of actual Ransomware before Cryptocurrency.
I'll wait...
Re: (Score:2)
https://blog.radware.com/secur... [radware.com].
https://www.makeuseof.com/tag/... [makeuseof.com]
Re: (Score:2)
Okay. The first ransomware attack was in 1989. Then in the mid 2000's, there was a ton of it in Eastern Europe. All before Bitcoin was introduced in 2009.
https://blog.radware.com/secur... [radware.com].
https://www.makeuseof.com/tag/... [makeuseof.com]
Nice try, and I am actually somewhat impressed; however, you still lose.
From the second link:
"For the victim to recover their files, they would have to transfer $300 to an E-Gold account.
E-Gold can be described as a spiritual predecessor to BitCoin. An anonymous, gold-based digital currency that was managed by a company based in Florida, but registered in Saint Kitts and Nevis, it offered relative anonymity, but quickly became favored by organized criminals as a method to launder dirty money. This led the
Re: (Score:2)
Re: (Score:2)
Did you miss the use of prepaid debit cards, purchases at online pharmacies, or any of the other methods that had been used for collecting ransoms? And let's not overlook the fact that "can be described" does not mean, "accurately described", or, "should be described as". Slashdot could be described as a predecessor to Reddit or Facebook, both of which it preceded, but would that be a reasonable portrayal?
No, I didn't miss them; but they were never widespread, and, because the payment methods were so clumsy, the "Ransom" amounts were a very small fraction of the asinine sums being demanded today. And if someone walks into a Walmart and tries to buy $300k of stuff on a pallet-full of iTunes Gift Cards or something, someone is going to call the police. It's just not really practical.
And you know it; but like the typical Slashdot naysayer, you're just going to "yeahbut" me to death.
Stop paying ransoms (Score:1)
Re: Stop paying ransoms (Score:1)
Paying a ransom should be a crime. Remove the incentive.
Breaking into computer systems is already a crime, likely worldwide.
Now what?
Re: (Score:3)
Paying a ransom should be a crime. Remove the incentive.
Breaking into computer systems is already a crime, likely worldwide.
Now what?
The people who do the breaking-in are hard to catch. The people who pay them are easier to catch. If the penalty for paying the ransom is large enough, people will stop paying, which will decrease the frequency of computers being broken into, a net good for society.
Re: (Score:2)
In other words: Fuck justice. Just go for the easy target.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
How will you actually know:
a) that I was a victim of a ransomware attack?
b) that I paid the ransom?
Re: (Score:2)
How will you actually know: a) that I was a victim of a ransomware attack? b) that I paid the ransom?
Ransomware is like kidnapping. When it happens to unimportant people, on a small scale, it can be kept quiet and therefore profitable. However, the kidnappers sometimes get greedy and go for a high-value target. When that happens there is no way to conceal it. For example, when a large hospital chain stops accepting patients and reverts to pen and paper, everybody knows about it. When a public company pays out a lot of money after a computer incident, the shareholders notice and ask why.
Re: (Score:2)
When a public company pays out a lot of money after a computer incident, the shareholders notice and ask why.
No, they don't.
How should that be even be remotely possible? Shareholders have no access at all to bank transactions a company does, unless they also work in that company and are actually involved in accounting/money transfers.
Re: (Score:2)
When a public company pays out a lot of money after a computer incident, the shareholders notice and ask why. No, they don't. How should that be even be remotely possible? Shareholders have no access at all to bank transactions a company does, unless they also work in that company and are actually involved in accounting/money transfers.
Shareholders (and the Securities and Exchange Commission) see the company's financial records on a regular basis. An unusually large expenditure shows on the bottom line, and raises questions.
Re: (Score:2)
They see the financial report, but not the single transactions ...
An unusually large expenditure shows on the bottom line, and raises questions.
Something like this does not show up.
Re: (Score:2)
They see the financial report, but not the single transactions ...
An unusually large expenditure shows on the bottom line, and raises questions. Something like this does not show up.
The financial report shows how much was spent for each category of expenditures. If this quarter's report shows an extra million dollars in IT expenses people will ask what the company bought with that money. If top management gives evasive answers, stockholders will hire a private investigator who will interview everyone involved to find the truth. A public company cannot hide a large payout.
Re: (Score:2)
If this quarter's report shows an extra million dollars in IT expenses people will ask what the company bought with that money.
Yes, that one could notice. Nevertheless, that is unlikely.
stockholders will hire a private investigator who will interview everyone involved to find the truth. A public company cannot hide a large payout.
They do not need to hide it. And if the company is public, it is so big that a million won't show up anywhere as odd.
holding IBM for ransom (Score:2)
If this quarter's report shows an extra million dollars in IT expenses people will ask what the company bought with that money. Yes, that one could notice. Nevertheless, that is unlikely.
stockholders will hire a private investigator who will interview everyone involved to find the truth. A public company cannot hide a large payout. They do not need to hide it. And if the company is public, it is so big that a million won't show up anywhere as odd.
Let me explain using an example: IBM. I picked IBM because they are a large company that has been using computers since the 1950s, and they have a well-written annual report, which you can read here: https://www.ibm.com/annualrepo... [ibm.com] . The same logic applies, on a smaller scale, to smaller companies.
Let’s pretend we want to bring down IBM’s internal data processing systems, holding the data until a ransom is paid. In order to do that we would have to introduce malware into all of IBM’s
Re: (Score:2)
We talked about a million, not 10billion.
And my point is pretty simple. I doubt anyone in a shareholders meeting would care.
I for my part owned shares of probably close to a hundred companies. I never even looked at such papers, why would I?
You want to prohibit paying ransom? Good luck. A company like IBM would cease to exist if they would not pay in such a case ...
Re: (Score:2)
We talked about a million, not 10billion.
And my point is pretty simple. I doubt anyone in a shareholders meeting would care.
I for my part owned shares of probably close to a hundred companies. I never even looked at such papers, why would I?
You want to prohibit paying ransom? Good luck. A company like IBM would cease to exist if they would not pay in such a case ...
Perhaps nobody who attends a shareholders' meeting would care, but professional investors would, and the SEC definitely would. I agree that in such a case IBM would cease to exist if they did not pay the ransom, but having paid it, what is their next move? I don't think concealing it is an option, so they would have to disclose it, and pay the fine. If the fine is so large that they are stripped of all assets and cease to exist, then they should not have paid the ransom and just gone quietly into the gra
Re: (Score:2)
The problem basically is that:
a) OSes - notably Windows - are too easy to penetrate
b) companies do not grasp that they are IT companies and treat IT stuff/staff like shit
c) IT is incompetent
And on top of that, backup solutions are too simple. Can't be so hard to flag: oh, overnight 2000 files in your "Documents" folder have changed.
I'm actually considering writing my own backup solution - with all those idiotic no-brainer problems we are annoyed by all the time.
Re: (Score:2)
The problem basically is that: a) OSes - notably Windows - are too easy to penetrate b) companies do not grasp that they are IT companies and treat IT stuff/staff like shit c) IT is incompetent
And on top of that, backup solutions are too simple. Can't be so hard to flag: oh, overnight 2000 files in your "Documents" folder have changed.
I'm actually considering writing my own backup solution - with all those idiotic no-brainer problems we are annoyed by all the time.
Writing your own backup solution is a good idea, if the existing solutions either don't meet your needs or are too expensive. I wrote myself a backup script in Python that checksums file data to prevent bit-rot. This was before btrfs, with its data checksumming, was reliable enough. My backup media is bare hard drives, placed in an inexpensive 8-drive tower. Each drive tray has a hardware off-line switch. I power on a drive only when using it.
If you are infected with malware that encrypts writes to dis
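The two ideas in this exchange, a checksum manifest that catches silent corruption and a "2000 files changed overnight" alarm that catches bulk encryption, fit in one small script. This is an added example and not the commenter's Python backup script; the "file system" is a constructed dict of path -> bytes (sample trial-style text and a deterministic SHA-256-chain stand-in for ciphertext) so it runs offline, and the 20% churn and 7.0 bits/byte thresholds are assumed starting points, not tuned values.

```python
# Added example, not the commenter's script: a checksum manifest (to catch
# silent corruption) plus a mass-change / high-entropy alarm (to catch
# encryption in bulk). The "file system" is a constructed dict of
# path -> bytes so the whole thing runs offline.
import hashlib
import math
from collections import Counter


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """path -> sha256 hex digest; compare on each run to detect bit-rot."""
    return {path: sha256(data) for path, data in files.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0..8. Text sits around 4-5; ciphertext is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect(old_manifest: dict, files: dict,
           churn_fraction: float = 0.2, entropy_floor: float = 7.0) -> dict:
    """Diff the current tree against the last manifest.

    alarm fires when a large share of the tree was touched (changed or
    removed) AND at least half of the touched/new files look like ciphertext.
    A single corrupted file shows up in 'changed' without raising the alarm.
    Thresholds are assumed defaults, not tuned values.
    """
    changed = [p for p, d in files.items()
               if p in old_manifest and old_manifest[p] != sha256(d)]
    missing = [p for p in old_manifest if p not in files]
    new = [p for p in files if p not in old_manifest]
    suspicious = [p for p in changed + new
                  if shannon_entropy(files[p]) >= entropy_floor]
    disturbed = len(changed) + len(missing)
    fraction = disturbed / max(1, len(old_manifest))
    alarm = (fraction >= churn_fraction
             and len(suspicious) >= max(1, disturbed // 2))
    return {"changed": changed, "missing": missing, "new": new,
            "suspicious": suspicious, "fraction": fraction, "alarm": alarm}


# ---- constructed sample data (not real trial records) -----------------------
PLAINTEXT = b"Subject 0417: dose 2 given 2020-09-14, no adverse event.\n" * 12


def fake_ciphertext(seed: str) -> bytes:
    """Deterministic stand-in for encrypted output: 1 KiB of chained SHA-256."""
    out, block = [], seed.encode()
    for _ in range(32):
        block = hashlib.sha256(block).digest()
        out.append(block)
    return b"".join(out)


BASELINE = {f"Documents/subject_{i:02d}.txt": PLAINTEXT + str(i).encode()
            for i in range(10)}
MANIFEST = build_manifest(BASELINE)


def bit_rot_scenario() -> dict:
    """One flipped bit in one file: reported as changed, but no alarm."""
    files = dict(BASELINE)
    data = bytearray(files["Documents/subject_03.txt"])
    data[5] ^= 0x01
    files["Documents/subject_03.txt"] = bytes(data)
    return detect(MANIFEST, files)


def ransomware_scenario() -> dict:
    """Eight of ten files encrypted overnight: four in place, four renamed."""
    files = dict(BASELINE)
    for i in range(8):
        path = f"Documents/subject_{i:02d}.txt"
        target = path if i < 4 else path + ".locked"
        del files[path]
        files[target] = fake_ciphertext(path)
    return detect(MANIFEST, files)


if __name__ == "__main__":
    for name, result in (("bit-rot", bit_rot_scenario()),
                         ("ransomware", ransomware_scenario())):
        print(name, "ALARM" if result["alarm"] else "ok",
              f"churn={result['fraction']:.0%}",
              f"suspicious={len(result['suspicious'])}")
```

The entropy check is what separates the two cases: a nightly build, a bulk CSV re-export or a mass rename also touches thousands of files, but their contents stay compressible. Run this from a machine that only has read access to the tree, and keep the manifest somewhere the backup target cannot overwrite, since ransomware that reaches the manifest simply rewrites it.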
Re: (Score:2)
A scary idea, isn't it?
Re: (Score:2)
The creatures doing this are nothing but parasites (Score:2)
They are lower than shit, because you can spread shit on the soil and use it to help things grow.
My definition of humanity is a being who treats others in a humane manner. These parasites do not qualify so they do not deserve any sort of human rights whatsoever.
I would be perfectly happy to see whoever did this locked inside a small, cold, windowless cell and given assurance that the only way they will ever leave is nailed inside a box. I would also be very happy to know that the cell was provided with a st
As it looks now (Score:3)
...they should have used pen and paper from the get-go, since they're unable to secure a network.
Smith-Corona virus? (Score:2)
Re: (Score:2)
Purely mechanical typewriters do not contain a processor and are therefore hard to bug. However, it has been demonstrated that electro-mechanical typewriters are susceptible to certain kinds of espionage bugs, as demonstrated by the Soviets to the United States and described in this article:
https://spectrum.ieee.org/tech-history/silicon-revolution/the-crazy-story-of-how-soviet-russia-bugged-an-american-embassys-typewriters [ieee.org]
Oh come on! (Score:1)
At what cost to society? (Score:2)
Re: (Score:2)
Re: (Score:2)
First of all - against popular belief - a billion is not a lot of money.
Secondly, it won't be "countless billions"! With close to 8 billion people on the planet, assuming the shot at a doctor costing about $20, assuming every person gets two shots, that is $40 * 8 = 32 billion dollars. That is *costs* for the public, not earnings of anyone involved. Considering that about 25% of that goes to the producers of the vaccine (the rest is distribution, storage and administering the drug), this would be $4 billion. So
target? (Score:1)
CyberInsecurity: The Cost of Monopoly (Score:1)
* The sum of the world’s networked computers is a rapidly increasing force multiplier.
* A monoculture of networked computers is a convenient and susceptible reservoir of platforms from which to launch attacks; these attacks can and do cascade.
* This susceptibility cannot be mitigated without addressing the issue of that monoculture.
* Risk diversification is a primary defense against aggregated risk w
That explains why I could not get on the survey (Score:2)
I was invited to take part in an extensive Covid-19 survey in the UK, run by IQVIA. For medical reasons, I can't use the phone, so I contacted the email address they gave out. I never got anything except an automated response. If their computer systems were out of action, then that would explain the problem.
I consider the survey to be quite important, because it is some kind of general screening survey for coronavirus, not limited to those admitted to hospital, or showing symptoms. The current statistics fo
Some Coronavirus Vaccine Trials Resort To... (Score:2)
...Pencil and paper after Chinese-made pen runs out of ink. ...Tattoos after Chinese-made pencils break, and covid causes paper shortage.
Vendor attacked, customer hit? (Score:2)
I bet the customers were told the data would be safer that way. But such a critical service should have a separate server in its network storing database update log entries up to the second, using a write-once solution.
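A minimal version of the "own copy of the update log" the comment asks for, as an added example and not ERT's or any customer's code: each update is appended with the hash of the previous entry, so any edited or corrupted entry breaks the chain, and the customer can replay the log into current state if the vendor's system goes dark. The records are constructed sample data, and the `anchor` is an assumed external copy of the latest hash; the hash chain alone cannot detect truncation, which is why that last hash has to live somewhere the attacker cannot reach (a write-once/WORM bucket, a printed daily digest), and why the log file itself still needs write-once storage to survive being encrypted.

```python
# Added example, not ERT's or any customer's code: an append-only,
# hash-chained update log the customer keeps on its own storage.
# The chain detects tampering with or corruption of any entry; truncation is
# only caught by comparing against an externally stored anchor (assumed here).
import hashlib
import json

GENESIS = "0" * 64


def entry_hash(prev_hash: str, seq: int, record: dict) -> str:
    payload = json.dumps({"prev": prev_hash, "seq": seq, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class UpdateLog:
    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "prev": prev, "record": record,
                 "hash": entry_hash(prev, seq, record)}
        self.entries.append(entry)
        return entry

    def anchor(self) -> str:
        """Latest hash; copy this off-box after every append."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: list) -> int:
    """Index of the first bad entry, or -1 if every link checks out."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if (e["seq"] != i or e["prev"] != prev
                or e["hash"] != entry_hash(prev, i, e["record"])):
            return i
        prev = e["hash"]
    return -1


def verify_against_anchor(entries: list, anchor: str) -> bool:
    """Chain intact AND it ends at the externally stored anchor."""
    last = entries[-1]["hash"] if entries else GENESIS
    return verify_chain(entries) == -1 and last == anchor


def replay(entries: list) -> dict:
    """Rebuild current state (subject id -> latest record) from the log."""
    state = {}
    for e in entries:
        state[e["record"]["subject"]] = e["record"]
    return state


def scenario() -> dict:
    # Constructed sample records, not real trial data.
    log = UpdateLog()
    log.append({"subject": "0417", "visit": 1, "arm": "A", "ae": None})
    log.append({"subject": "0522", "visit": 1, "arm": "B", "ae": None})
    log.append({"subject": "0417", "visit": 2, "arm": "A", "ae": "headache"})
    anchor = log.anchor()

    tampered = json.loads(json.dumps(log.entries))   # deep copy
    tampered[1]["record"]["arm"] = "A"               # silently flip an arm
    truncated = log.entries[:-1]                     # drop the newest entry

    return {
        "intact": verify_chain(log.entries),
        "tampered_at": verify_chain(tampered),
        "truncated_chain_ok": verify_chain(truncated),
        "truncated_vs_anchor": verify_against_anchor(truncated, anchor),
        "state": replay(log.entries),
    }


if __name__ == "__main__":
    print(json.dumps(scenario(), indent=2))
```

Note that `truncated_chain_ok` comes back clean: cutting the tail of an append-only log leaves a perfectly valid shorter chain, which is exactly the gap the external anchor closes.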