Ransomware Attacks Have Entered a Heinous New Phase (arstechnica.com) 66
Cybercriminal gangs now releasing stolen photos of cancer patients, student records. From a report: In February, attackers from the Russia-based BlackCat ransomware group hit a physician practice in Lackawanna County, Pennsylvania, that's part of the Lehigh Valley Health Network (LVHN). At the time, LVHN said that the attack "involved" a patient photo system related to radiation oncology treatment. The health care group said that BlackCat had issued a ransom demand, "but LVHN refused to pay this criminal enterprise." After a couple of weeks, BlackCat threatened to publish data stolen from the system. "Our blog is followed by a lot of world media, the case will be widely publicized and will cause significant damage to your business," BlackCat wrote on their dark-web extortion site. "Your time is running out. We are ready to unleash our full power on you!" The attackers then released three screenshots of cancer patients receiving radiation treatment and seven documents that included patient information.
The medical photos are graphic and intimate, depicting patients' naked breasts in various angles and positions. And while hospitals and health care facilities have long been a favorite target of ransomware gangs, researchers say the situation at LVHN may indicate a shift in attackers' desperation and willingness to go to ruthless extremes as ransomware targets increasingly refuse to pay. "As fewer victims pay the ransom, ransomware actors are getting more aggressive in their extortion techniques," says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. "I think we'll see more of that. It follows closely patterns in kidnapping cases, where when victims' families refused to pay, the kidnappers might send an ear or other body part of the victim." Researchers say that another example of these brutal escalations came on Tuesday when the emerging ransomware gang Medusa published sample data stolen from Minneapolis Public Schools in a February attack that came with a $1 million ransom demand. The leaked screenshots include scans of handwritten notes that describe allegations of a sexual assault and the names of a male student and two female students involved in the incident.
"...unleash our full power on you!" (Score:4, Funny)
Why do lots of these threats sound like they were written with an Xbox controller in one hand and a fistful of Cheetos in the other?
Re: (Score:1)
These hackers are mom's basement kind of people.
Re:"...unleash our full power on you!" (Score:5, Interesting)
Re:"...unleash our full power on you!" (Score:4, Funny)
So, holding a bottle of vodka in one hand, clutching the window sill like their life depends on it with the other?
Re: (Score:3)
They're Russian Mafia connected to Putin. The sound is the result of translating Russian threats poorly into English.
What makes you think they're connected to Putin? I strongly doubt that all Russian criminals are connected to Putin. I'm sure many are happy to take advantage of the lawless environment he's created. It's possible not all of them are even in Russia. If I were a cybercriminal, I'd definitely take pains to make it look like I'm based in Russia while attacking the west.
Re: (Score:2)
What makes you think they're connected to Putin? I strongly doubt that all Russian criminals are connected to Putin. I'm sure many are happy to take advantage of the lawless environment he's created. It's possible not all of them are even in Russia.
BlackCat ransomware group uses the same back end ransomware-as-a-service software as the "retired" DarkSide ransomware group.
They are those "ransomware affiliate services" that let other groups use their resources.
DarkSide was found to have connections to Russian datacenters.
Both are/were only reachable on the same Russian speaking tor forum.
I agree there is no direct link to Putin. There is however a very strong link to Russia.
Re: (Score:1)
They're Russian Mafia connected to Putin. The sound is the result of translating Russian threats poorly into English.
What makes you think they're connected to Putin? I strongly doubt that all Russian criminals are connected to Putin. I'm sure many are happy to take advantage of the lawless environment he's created. It's possible not all of them are even in Russia. If I were a cybercriminal, I'd definitely take pains to make it look like I'm based in Russia while attacking the west.
You're wasting your breath. Now that Trump is out of office, Putin is the Great Satan around here now. He's responsible for all your ills ("Putin's Price Hike!"). He's become this kind of weird substitute Devil for those that don't believe in things like the Devil.
Re: (Score:2)
Re: (Score:2)
and the evidence of that claim is that it is styled in bold, right. very on-topic, here's your cookie: o
don't choke on... uh, never mind!
and they publish some CP patient pic that is that (Score:2)
and if they publish some CP patient pic that is that.
Can the hackers get some hard time with a case that you do not want to go to a jury?
Re: (Score:2)
Tell that to the poor bastard who sent his son's doctor a picture of his son's inflamed region, and has been banned by Google from the internet.
Re: (Score:2)
banned by Google from the internet.
Oh nos! Google controls the entire internet! There are no other ISPs, email providers, online storage firms, or search engines! Why aren't there any competing companies or internets to choose from? /s
Re: (Score:2)
Try doing business in modern society without the use of any Google services at all. It's practically impossible.
Re: (Score:2)
and if they publish some CP patient pic that is that. Can the hackers get some hard time with a case that you do not want to go to a jury?
I'm sure the hackers are quaking in their boots in their home country which probably has no extradition treaty with the U.S. at the mere thought that they might be violating one or more U.S. laws!
Re: and they publish some CP patient pic that is t (Score:2)
That hasn't stopped them from being extradited to the US. Typically all they have to do is visit a country friendly to the US and they're liable to get nicked.
Re: (Score:3)
Why do lots of these threats sound like they were written with an Xbox controller in one hand and a fistful of Cheetos in the other?
It's rumored that English for Hacking by Zero Wing was recently procured by a suspected member...
Rambo Time, bust some butts (Score:2)
Send a message, perp walk them on national TV. If they are in another country, threaten sanctions unless they are locked up or turned over.
Re:Rambo Time, bust some butts (Score:4, Insightful)
Re: (Score:2)
Okay, granted, they're in Russia. But once you have enough intel to get an idea of where they are, there have GOT to be some Russians who would be willing to poison them... they might even be able to get the polonium at their local apothecary.
Re:Rambo Time, bust some butts (Score:4, Insightful)
Okay, granted, they're in Russia. But once you have enough intel to get an idea of where they are, there have GOT to be some Russians who would be willing to poison them... they might even be able to get the polonium at their local apothecary.
If you're a Russian willing to cross the FSB and/or GRU by poisoning people I think there's better targets than a bunch of cyber-criminals.
Re: (Score:2)
More likely Putin is handing them medals.
Re:Rambo Time, bust some butts (Score:5, Insightful)
Except these guys are in Russia. That country is already fundamentally broken.
Re: (Score:2)
Maybe the answer is to just cut Russia off from the rest of the internet (which would also cut off the Russian propaganda machine)
This is a good thing, but more needs doing... (Score:5, Insightful)
The good:
As fewer victims pay the ransom, ransomware actors are getting more aggressive in their extortion techniques
More needs to be done, though. Ransomware payments don't just need to dry up, they need to disappear. They should themselves be criminalized.
I can understand anyone being hit by ransomware. There are many vectors, and (unfortunately) there are always dunces in any organization that just loooove to click on shit. It's not their computer, after all.
What I don't understand is ANY organization being affected by ransomware. There is little difference between a ransomware attack, and a hard drive failure. Recovering from ransomware should be as simple as re-imaging the computer back to the last daily backup, or, in the worst case (an incubation period), finding the first backup prior to infection. If there was an incubation period and there are infected backups, then once you restore back past that to the last good one, you spin up the infected backup in a sandbox and pull out all the data you need at your leisure.
Using naked cancer balls or boobies is repugnant, but hardly worthy of payment. Anyone who pays out only encourages the next round, and they turn themselves from victims into accessories. They should be charged as such.
Any system administrator who is caught flat-footed by not having a proper backup strategy should be fired and have their name published so no one else hires them in any sort of IT field ever again.
Re:This is a good thing, but more needs doing... (Score:5, Interesting)
I think the perps might be relying on those nice American lawyers who will happily sue the lifeblood out of any American health care organization that managed to get hacked. It is a way to amplify the threat. You could go after any American lawyers who filed such cases but then you'd also be absolving poorly run organizations that leave themselves open to being hacked.
Re: (Score:2)
I think the perps might be relying on those nice American lawyers who will happily sue the lifeblood out of any American health care organization that managed to get hacked. It is a way to amplify the threat. You could go after any American lawyers who filed such cases but then you'd also be absolving poorly run organizations that leave themselves open to being hacked.
Criminalizing ransomware payments might remove some amount of liability from hacked organizations, too. Obviously, those whose details are released could be significantly negatively affected by it, and will always have a valid claim, but right now, the hacked organization has a *choice* of paying the ransom or letting their patients' data be released. That gives the lawyers ammunition, since they can say, "well, you *could* have prevented this, but chose not to." If ransom payments were illegal, that "inten
Re:This is a good thing, but more needs doing... (Score:5, Informative)
"What I don't understand is ANY organization being affected by ransomware. There is little difference between a ransomware attack, and a hard drive failure."
Not really. Yes, there is a segment of ransomware that's just automated drive-by attack, but all the really nasty stuff is paired with additional remote access attacks after the initial penetration. And often the ransomware bit is well after the penetration.
Suppose you wake up one morning, and your live servers are encrypted with a ransom message.
You try to sign into your cloud backup provider, and discover the credentials don't work. You call, and they tell you the service was cancelled, and everything in the account is gone and unrecoverable and they can't get it back since the service was cancelled. You get to the office, and find your backup appliances are wiped. Even the offsite hard drives - apparently they got an email from you asking that the drives be sent out to be crushed last week. There were a couple in transit to them that they can turn around as soon as they arrive though.
Finally, 4 days later you've got them back and spin them up in a new environment; and ... fuck... they messed with the backup rules -- there's critical stuff missing from the backups; key database tables excluded, key files just missing.
Sure it sounds like a scene from Mr Robot or something; but a lot of it is actually happening in the wild.
I read about an MSP that got hacked; they were reselling Datto services, and the hacker burned all their customers' backup data, wiped their customers' Datto appliances, and deleted the customers' backups from Datto cloud storage. You can't really blame the customers at all. And while you can blame the MSP, what exactly did they do that was so utterly incompetent? They were reselling a reputable, well-regarded backup solution -- and they got penetrated. As it happens, Datto (at the time at least) had an extra tier of cloud storage available on their more expensive product that provided a redundant cloud backup that couldn't be wiped remotely even by the MSP... and that saved some of their customers that were using it but did nothing for the rest. But fundamentally this 'extra' top-end tier of protection should be considered the MINIMUM baseline for what you NEED to survive ransomware. And even as recently as the last time I checked, there were backup services whose un-deletable tier of backups you could defeat by simply cancelling your account outright. So if hackers had your backup and email compromised they could delete everything including your un-deletable backups in minutes.
I personally know another site that got hacked; they were using CloudBerry, same thing, the hackers deleted all the cloud backups, and encrypted all the local online backups. There were some offline backups, but they were several days stale -- in a lot of businesses, yesterday's data is the most valuable data. That's all the orders they just received, all the shipments they just sent out, all the most recent vendor and customer interactions. Even though they had recent offline backups they paid something to get back their live data.
I know of another incident where the hackers modified the backup filters, and simply excluded key database tables from their accounting system from the backups, and a few weeks later, the live copy was effectively the only remaining copy with much value. They elected not to pay, and spent piles of money and months recreating that database. Fortunately their front end system wasn't impacted, which effectively contained much of the lost data so they were able to limp along forward with customers while they rebuilt their accounting system.
"Any system administrator who is caught flat-footed by not having a proper backup strategy should be fired and have their name published so no one else hires them in any sort of IT field ever again."
Sure friend, imagine working where you've got peers actively working against you, peers who have all the access you have. Perhaps they have more access. They might be smarter than you too. If you still think protecting against ransomware is equivalent to protecting against a failed hard drive then they're definitely smarter than you ;)
Re: (Score:3)
My take also. As to _why_ organizations still get hit, maybe I can shed some light. One factor is that the threshold where everybody knows somebody that has gotten hit has only been reached recently, maybe last year or so. After that, it still takes some time to look at things and get measures in place. Fortunately, more and more IT service providers provide ransomware-safe backups by default now and that already helps a lot. Not all are already there though and some have not really thought about it at all. One
Re: (Score:2)
Re: (Score:3)
What I don't understand is ANY organization being affected by ransomware. There is little difference between a ransomware attack, and a hard drive failure.
The difference is that hard drive failures generally don't jump from system to system. If your hard drive fails, usually the backup software can't read the files and you have your last backup on your backup drive. With ransomware, if your backup drive is reachable from your ransomware infected computer, the ransomware attacks your backup drive. If you have cloud backups, you're safer, but only if they're incremental backups and you have sufficient quota, otherwise your cloud backups all get overwritten with
Re: (Score:3)
Re: (Score:2)
Any system administrator who is caught flat-footed by not having a proper backup strategy should be fired and have their name published so no one else hires them in any sort of IT field ever again.
99% of the time, it's not the system admin's fault. Most of the places I've worked refused to give us the budget to build a proper backup solution. All the admins and architects can do is advise upper management of the risks, and build the best we can with the money we have.
Sometimes it's just stinginess, sometimes it's because the volume of data (and thus cost of backing it up) is out of proportion with revenue generated, and it's not economically feasible at all.
Re: (Score:2)
Modern ransomware doesn't just encrypt everything.
They get into the system via "pick your channel". Once in, they scrape for credentials, map out the network, determine what equipment is in use. In the case of SAN/NAS, they wait until they have access. They then set up an outgoing channel, copy as much data as they can. Once they have a copy of your data, they proceed to log into the SAN/NAS devices (remember folks, snapshots are NOT backups!), use API calls or simply log into replicated sites, delet
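The sabotage patterns in the comments above (backup filters edited so key tables silently drop out, cloud copies deleted with stolen credentials, "undeletable" tiers that disappear with the account, a backup drive or snapshot that the infected host can reach, and only stale offline media left) share one property: each is visible before detonation if something independent of the backup software audits what copies actually exist and what they contain. The following Python is an added example written for this thread, not code from the thread's posters or from any backup vendor; the catalog format, table names, dates and the 90-day immutability threshold are constructed assumptions.

```python
"""Audit a backup catalog for ransomware-era sabotage patterns.

Added example. The catalog format is hypothetical: each entry says where a
copy lives, whether it is write-locked, for how long, when it was taken, and
which database tables it contains. A real deployment would build the catalog
from the backup product's API or a restore-test, never from the backup
server's own config, since that is exactly what the attacker edits.
"""
from datetime import datetime, timedelta, timezone

# Tables the business cannot rebuild by hand (constructed list).
EXPECTED_TABLES = {"customers", "orders", "invoices", "gl_journal", "payroll"}
# An "undeletable" copy only helps if its lock outlasts the attacker's dwell
# time between first access and detonation. 90 days is an assumption.
MIN_IMMUTABLE_RETENTION = timedelta(days=90)
# Offline media older than this would lose the data the comments call the
# most valuable: yesterday's orders and shipments.
MAX_OFFLINE_AGE = timedelta(days=1)


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2023-03-07T02:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def has_durable_complete_copy(catalog, expected=EXPECTED_TABLES) -> bool:
    """True if some copy is complete AND cannot be deleted with online credentials.

    "Durable" means offline media, or an online copy whose write-lock is at
    least MIN_IMMUTABLE_RETENTION. Snapshots and replicas on the same SAN/NAS
    would be tier "online" and never qualify.
    """
    for copy in catalog:
        complete = not (expected - set(copy["tables"]))
        locked_long_enough = (
            copy["immutable"]
            and timedelta(days=copy["retention_days"]) >= MIN_IMMUTABLE_RETENTION
        )
        if complete and (copy["tier"] == "offline" or locked_long_enough):
            return True
    return False


def audit_catalog(catalog, now: datetime, expected=EXPECTED_TABLES):
    """Return (copy_id, problem) pairs, one per sabotage pattern detected."""
    findings = []
    for copy in catalog:
        # Pattern: backup filters edited to exclude key tables.
        missing = expected - set(copy["tables"])
        if missing:
            findings.append((copy["id"], f"missing tables: {sorted(missing)}"))
        # Pattern: "immutable" tier whose lock expires inside the dwell time.
        if copy["immutable"]:
            days = copy["retention_days"]
            if timedelta(days=days) < MIN_IMMUTABLE_RETENTION:
                findings.append((copy["id"], f"immutable lock of {days}d is shorter "
                                             f"than {MIN_IMMUTABLE_RETENTION.days}d"))
        # Pattern: offline copies exist but are too stale to be worth restoring.
        if copy["tier"] == "offline":
            age = now - _parse(copy["taken"])
            if age > MAX_OFFLINE_AGE:
                findings.append((copy["id"], f"offline copy is {age.days} days stale"))
    # Pattern: every remaining copy can be deleted by whoever holds the admin
    # credentials or cancels the account.
    if not has_durable_complete_copy(catalog, expected):
        findings.append(("*", "no complete copy survives loss of every online credential"))
    return findings


# Constructed catalog reproducing the thread's scenarios, not real data.
SAMPLE_CATALOG = [
    {"id": "cloud-nightly", "tier": "cloud", "immutable": False, "retention_days": 30,
     "taken": "2023-03-07T02:00:00Z",
     "tables": ["customers", "orders", "invoices", "payroll"]},   # gl_journal filtered out
    {"id": "cloud-locked", "tier": "cloud", "immutable": True, "retention_days": 14,
     "taken": "2023-03-07T02:30:00Z", "tables": sorted(EXPECTED_TABLES)},
    {"id": "tape-weekly", "tier": "offline", "immutable": True, "retention_days": 365,
     "taken": "2023-03-01T01:00:00Z", "tables": sorted(EXPECTED_TABLES)},
]
NOW = datetime(2023, 3, 7, 8, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for copy_id, problem in audit_catalog(SAMPLE_CATALOG, NOW):
        print(f"{copy_id}: {problem}")
```

Run against the sample catalog the audit reports the dropped `gl_journal` table in the nightly cloud copy, the 14-day lock that would not outlast a patient intruder, and the six-day-old tape; it stays quiet about the durability check only because the tape is complete. Remove the tape entry and the catalog has no copy that survives a deleted account, which is the position the MSP's customers in the comment above were in.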
Literally kill these animals (Score:2)
Re: (Score:2)
Good idea. I propose that we volunteer you to go over to Russia to do the deed. Dress warmly, it is still cold over there.
Re: (Score:2)
Spoken like a cave-man with no understanding of the matter whatsoever but willingness to apply excessive violence. The problem is not penalties. These are by far adequate, especially when you remember that these fuckers will be liable for all damage they do. The problem is finding these assholes and the second problem is abysmally bad IT security and ransomware preparedness in still too many places. No, that is not victim-blaming. Somebody being grossly negligent is not a victim.
Re: (Score:1, Flamebait)
Re: (Score:2)
Well, you just conclusively demonstrated that you are really completely clueless and understand _nothing_. Classical Dunning-Kruger left-side moron with massively inflated ego. These people were either grossly negligent or actually asking for it by intentionally being unprepared. I guess you do not actually know what "gross negligence" means and that it is a lot different from ordinary negligence. If you cannot even identify the attackers, then being able to defend is the _only_ thing that helps. I guess li
Re: (Score:2)
Oh, I understand completely. You and twenty or so other sad sacks on here spend waaaay too much time constantly trying to show everyone that you are the experts on everything. Usually it's political, but with you, it's more of a chance to demonstrate your supposed intelligence and superiority over others. It's in everything you write, and you've even got it in your sig, pathetically enough. People like you have made Slashdot a truly lousy place to be most of the time over the last ten years or so. The
Re: (Score:2)
Nope, you still do not understand anything, including that you do not understand anything. Which also makes you unable to learn and eventually get actual insight. Classical Dunning-Kruger behavior really.
And your insults? Come on! These are utterly pathetic. At least _try_ to come up with something good. I guess you take these from your own surrogate "personality", because otherwise it would be really hard to come up with anything this bad.
Maybe it should be illegal to be hacked? (Score:1)
The ways these things are making it out there aren't that sophisticated. Perhaps we need regulation.
Re: (Score:2, Interesting)
The ways these things are making it out there aren't that sophisticated. Perhaps we need regulation.
Sure. It'll work as well as prohibition, drug laws, and gun laws.
The "good guys" will get fucked over with the onerous requirements, and the "bad guys" will completely ignore the laws.
Just talked with a CEO today who manages ~40 clinics. When told "It'll cost around $2,000/mo to add IDS/IPS to all your offices and we can have it done in a week", the reply was "I don't want to spend any more money at the moment, and honestly, we don't need to know just how horrible our security is at the moment....and i
Re: (Score:2)
We definitely need regulation. If these fuckers get in and there was no reasonable defense according to the state-of-the-art, the CEO needs to go to prison.
None of this was possible before... (Score:3)
we accepted all too many of those utopian promises of government [run|managed] health [care|insurance] which was to be enabled by the part we implemented first: universal electronic health records.
I'm certainly no luddite, and generally love technology, but the simple FACT is that very few of us EVER in a lifetime need our medical records to be instantly and electronically transported anywhere (the scenario usually proposed is: to a hospital from your doctor in an emergency). Hospital emergency rooms generally and quite competently treat you at the time you appear there, based on the symptoms they observe in that moment and the responses you exhibit in response to the care provided, rather than by some in-depth reading of years of your medical records. Before we went to electronic records, our personal health records were paper documents stored securely with our doctors - there was no way for some hacker to grab them from half way around the world, encrypt them so the doctor could not read them, and then make ransom demands. There was also no way for mega-corporations to get copies for data mining and marketing purposes, and no way for government to get copies and data mine them for rationing, or political manipulation purposes, etc. It's simply too time consuming and too expensive to make and transport mass copies of paper documents from tens of thousands of offices all across the country, but electronic documents can be copied an unlimited number of times and transported anywhere at insane speeds and nearly no cost. Documents which are important should probably not be stored electronically, and CERTAINLY should never be on internet-connected servers.
Some of us are old enough to remember the way things used to be... and plenty of those things were not only "not bad" but were actually superior in some vital ways. Hey! You kids, git offa my lawn!
Re: (Score:3)
Paper records would probably continue to work fine for a "simple" patient who only needs to interact with a single provider, and who doesn't have a complex medical history. As soon as you start needing to bounce between multiple different providers within the health system (or heavens forbid, across health systems), that paper record effectively means that no one is operating with a complete and up-to-date copy of your record when they're providing care.
Paper records are also inherently non-discrete. It
Step one (Score:5, Insightful)
To fix this, remember step one: Ban Windows from medical offices and medical devices.
Re: (Score:3)
Indeed. That would help a lot. Or make MS liable for every time they screw up massively. At the moment, they do that time and again and nothing happens to them at all.
Re: (Score:2)
100% of semi-large or large American medical bills have "errors" in the provider's favor. Question all medical bills aggressively. Don't be afraid to call out the fraud that's staring you in the face.
"aggressive" ? (Score:2)
Sorry, but what? Aggressive?
They are criminal gangs. What did you expect happens if you don't pay after they ask nicely? They'll say "ok, sorry for troubling you" and fuck off like Jehovah's Witnesses? Of course not. They were willing to deploy malware on your system. Publishing a bunch of pictures isn't exactly a step up from that, is it?
Geez. People these days don't even realize what criminals are like.
Leaking images? Isn't AI a serious ... (Score:2)
... threat to this line of "work"?
If any 10th-grader can generate images of their mates and teachers doing hardcore porn on a whim, how will "leaked images" even be a thing in a year or two?
Or am I missing something here?