Friday, October 15, 2021

REPORTS SAY HACKERS DEMANDING $10 MILLION IN RANSOM

Hospital has ‘no idea’ of scale of cyberattack havoc; recovery could take months

Day after major ransom attack identified at Hadera center, doctors report minimal progress on solving problem; experts unsurprised, predicting normality is at least 3 months away

Today, 6:41 am

Illustrative image: a computer hacker (iStock via Getty Images)


A day after falling victim to the biggest cyberattack in history on the Israeli health system, Hillel Yaffe Medical Center still has no idea of the amount of damage caused and does not know when they will be able to return to normal operations, according to a senior official.


Dr. Amnon Ben Moshe, administrative director of the Hadera institution, said that staff still have no access to the main systems used for viewing and updating hospital medical records, and for administration.

On Wednesday, the hospital was hit by a still-unresolved ransomware attack, forcing it to shut down its technology network and causing delays in care.

“We’re in a similar situation to yesterday, when we identified the situation and saw the cyberattacks,” he told The Times of Israel.

Questioned on the current situation, Ben Moshe said: “We don’t know the extent of the damage.” Regarding the timescale for getting back to normal, he said: “We have no idea. We just worked all night.”

Cybersecurity experts say the process could be a very long one.

Ido Geffen, a vice president at CyberMDX, an Israeli startup that offers cybersecurity solutions for medical devices and clinical assets, told The Times of Israel that the full recovery of data could take months.

Einat Meyron, a cybersecurity consultant and cyber resilience expert, said: “There is a long road ahead to recovery. We’ve seen similar events in the US, Belgium, and Portugal for example where hospitals were attacked, and they needed about three to six months just to get to a point where they could start working [normally] again.”

Channel 12 reported Thursday that the attackers left an email address on the servers that were attacked. An outside company acting on behalf of the hospital made contact with the hackers, who demanded $10 million dollars in ransom.

The report noted that as a government hospital they were barred from paying ransoms.


A hospital ward at Hillel Yaffe Medical Center on October 14, 2021, as staff try to manage without regular IT systems (courtesy of Hillel Yaffe Medical Center)

At Hillel Yaffe, some non-urgent procedures have been canceled, but most of the hospital’s work is continuing, using alternative IT systems, some of which have been installed specially. The ability of doctors to access nationally-held patient records which include their medical background (as opposed to internal hospital records) hasn’t been interrupted. This is because Hillel Yaffe recently introduced hand-held devices that provide this access.

Hospital management praised its staff for facing the new challenges well, in a statement on Thursday. “Along with the efforts of cyber and computing experts to rehabilitate the computer systems and investigate the incident, the medical work continues and our teams provide a very good response in the face of the existing challenges.”

Cybersecurity experts say that the attack, while serious, could have been worse. “In this attack, we know it came from the internet, meaning an attacker gained access to a password and then was able to get into the network,” said Geffen. “The good thing is, no medical devices or critical equipment were affected, as far as we know. In similar attacks in the US and Europe, critical devices that patients were connected to were indeed affected and that is a much worse situation.”

He added: ”Right now, the hospital is likely in the containment phase, making sure the attack doesn’t spread and trying to ensure all critical operations are still working. Then comes the investigation and recovery phase to determine what exactly happened and try to recover data.”

This is a long process if the hospital is to be sure that no “backdoors,” namely malware by which unauthorized users can get around security measures and regain access, are left in place.

“This can take months because it’s a careful operation to make sure the hackers didn’t leave any backdoors,” Geffen said.


US government discloses more ransomware attacks on water plants
By Sergiu Gatlan
October 15, 2021

Image: Ivan Bandura

U.S. Water and Wastewater Systems (WWS) Sector facilities have been breached multiple times in ransomware attacks during the last two years, U.S. government agencies said in a joint advisory on Thursday.

The advisory also mentions ongoing malicious activity targeting WWS facilities that could lead to ransomware attacks affecting their ability to provide potable water by effectively managing their wastewater.

Since they are part of the 16 U.S. critical infrastructure sectors, their compromise and incapacitation via spearphishing and outdated software exploitation attacks would directly impact national security, economic security, and public health or safety.

Multiple ransomware strains were used in the incidents revealed in this advisory to encrypt water treatment facilities' systems, including Ghost, ZuCaNo, and Makop ransomware:

In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.

In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility's wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.

In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim's SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).

In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.

Attackers had also infiltrated WWS plants' networks attempting to poison the drinking water, as it happened in March 2019 when a former employee at Kansas-based WWS facility failed in his attempt to use unrevoked credentials for malicious purposes after he resigned.

While not included in the advisory, an unknown threat actor also gained access to the water treatment system for Oldsmar, Florida, in February 2021 and tried to poison the town's drinking water by raising the levels of chemicals used to clean wastewater to hazardous levels.

Other breaches of water treatment facilities have happened over the past two decades, including a South Houston wastewater treatment plant in 2011, a water company with outdated software and hardware equipment in 2016, the Southern California Camrosa Water District in August 2020, and a Pennsylvania water system in May 2021.

"To secure WWS facilities—including Department of Defense (DoD) water treatment facilities in the United States and abroad— [..] , CISA, FBI, EPA, and NSA strongly urge organizations to implement the measures described in the Recommended Mitigations section of this advisory," the joint advisory says.

You can find the complete list of mitigation measures recommended by the four federal agencies here.


International Ransomware Summit Sets Sights on Crypto
Representatives from the EU and 31 countries called for a collaborative crackdown on crypto and ransomware risks.

By Scott Chipolina
Oct 15, 2021 

In brief
Representatives from the EU and 31 governments have called for a global approach to ransomware.
The Biden administration has already taken several steps to crack down on ransomware and crypto.

Representatives from the European Union (EU) and 31 other countries met during a virtual summit this week to coordinate a global response to ransomware, per the Wall Street Journal.

“We are dedicated to enhancing our efforts to disrupt the ransomware business model and associated money-laundering activities,” the representatives reportedly said in a collective statement yesterday.

The representatives also said that internationally coordinated scrutiny of cryptocurrencies would be integral to facing the ransomware threat head-on. Ransomware groups, they said, can easily transfer any stolen funds to jurisdictions that aren’t up to scratch on tracking illicit transactions.

“We also recognize the challenges some jurisdictions face in developing frameworks and investigative capabilities to address the constantly evolving and highly distributed business operations involving virtual assets,” the representatives added.

Ransomware activities—and their associated ties to cryptocurrencies—have become a major focus for the Biden administration’s national security agenda.
National security, ransomware, and crypto

In the United States, President Biden has made ransomware a priority for the administration’s approach to national security.

Earlier this summer—amid ransomware attacks against Colonial Pipeline and meat processing firm JBS—the U.S. Department of Justice said it would elevate ransomware to a similar priority level as terrorism.

The Biden administration also spent the summer setting up a bespoke ransomware task force, aimed at combating cyberattacks and tracing cryptocurrency ransoms.

Anne Neuberger, deputy national security adviser said during an accompanying briefing that the administration is working on ways to quell the use of Bitcoin and other cryptocurrencies for illegal activities.



In August, the Biden administration also dusted off the State Department’s Rewards for Justice program—an initiative from 1984 that has paid over $150 million to over 100 informants that helped prevent acts of terrorism.

The State Department is even incorporating cryptocurrency payments—to the tune of $10 million—to dark web informants that can identify any person who is participating “in malicious cyber activities against U.S. critical infrastructure.”

To top this all off, there are also rumors the Biden administration is eyeing an executive order to crack down on the crypto industry.

Yet, ransomware remains a global problem, as U.S. national security adviser Jake Sullivan said during this week’s virtual summit.

“No one country, no one group can solve this problem,” Sullivan said.

No comments: