Kentucky Hospital Declares ‘Internal State of Emergency’ After Ransomware (Locky) I...


So this raises a few issues here.

1) My mail server at $dayjob is rejecting contact from 93% of "in-use"
IPv4 addresses (out of 221 routable IPv4 /8 "A-classes", I find that
only 193 of them seem to be in-use as far as being a source of email).  
As a result, I'm seeing very little in terms of malicious spam with
viral attachments (but the handful of locky attachments that I have seen
over the past few months, as I've posted previously, are easily evading
AV/AM detection as my VT results have shown).

Out of 193 IPv4 /8 A-classes, I'm blocking 100% of 84 of them, and a
very high percentage of the rest.  During the first 3 months of this
year, my server has rejected SMTP contact from about 8700 unique IP
addresses, spread across 5500 different /24 IP subnets.  

2) I believe that it was starting with XP that Microsoft endowed Windoze
with the ability to transparently handle, expand or otherwise process
.zip files.  Yet we constantly see the negative results of this as it
has become a major way to deliver and launch malware.

There once was a time when bandwidth and connection speeds were low and
people had more technical needs (and know-how) to compress files into
.zip format to transfer them to others.  That time has passed.  Files
that need to be moved around (by email or otherwise) are transmitted or
attached as-is.  So does windows today need the ability to process .zip
files?  
Would it solve more problems than it creates if Microsoft were to push
an update that strips Windoze of its automatic .zip-file handling
ability?  Would such a system be practically invulnerable to harm caused
by malicious .zip email attachments?

3) If an outright disabling of the OS's native ability to handle .zip
files is out of the question, then why can't user-initiated processing
or handling of .js or other script files be blocked or prevented?  

Is Windoze incapable of discerning the difference when a browser is
launching a script (during the course of rendering a web page) vs when a
user is launching a script from a double-click action?  Are there no
policy settings or registry entries that can prevent such a
user-initiated script-handling event?

Was it ever anticipated that users would launch .js files directly (even
if they don't know they're doing it)?  And does the OS not have a way to
know (and to block) .js file handling and execution when invoked by
users in this way?

Can't the Windoze .zip file-handling mechanism be modified so that it's
default action when handed a zip-compressed .js file is to *NOT* hand
the file to the Windows Scripting Agent for execution?

                *    *    *    *    *    *

Me and my windoze 98-based systems continue to laugh at the so-called
superiority of the NT-line of Windoze.  The NT version of windoze
continues to be the Emperor With No Clothes.  Unnecessarily complex and
over-burdened with conflicting and contradictory features and
functionality, in a state of constant bug-fixing, patching and
update-downloading.

(as if it wasn't already bad enough, how many win-7 users are battling
to keep their systems from being involuntarily "upgraded" to win-10?)

Macro$haft authors white-papers that show the cost of ownership of each
new version of Windoze.  Analysis aimed at corporate and institutional
IT admins and buyers to convince them why they should migrate to the
next version of Windoze.  Do these cost-of-ownership documents include
the cost of extortion that the institutions and organizations pay to
criminals who have hacked and encrypted their systems?  (I ask
sarcastically...)

==========================================================

Hospital Declares ‘Internal State of Emergency’ After Ransomware
Infection

A Kentucky hospital says it is operating in an “internal state of
emergency” after a ransomware attack rattled around inside its networks,
encrypting files on computer systems and holding the data on them
hostage unless and until the hospital pays up.

---------------------
http://krebsonsecurity.com/wp-content/uploads/2016/03/methodhop-580x443.png

A streaming red banner on Methodisthospital.net warns that a computer
virus infection has limited the hospital’s use of electronic web-based
services.
---------------------

Henderson, Ky.-based Methodist Hospital placed a scrolling red alert on
its homepage this week, stating that “Methodist Hospital is currently
working in an Internal State of Emergency due to a Computer Virus that
has limited our use of electronic web based services.  We are currently
working to resolve this issue, until then we will have limited access to
web based services and electronic communications.”

Jamie Reid, information systems director at the hospital, said the malware
involved is known as the “Locky” strain of ransomware, a contagion that
encrypts all of the important files, documents and images on an infected
host, and then deletes the originals. Victims can regain access to their
files only by paying the ransom, or by restoring from a backup that is
hopefully not on a network which is freely accessible to the compromised
computer.

In the case of Methodist Hospital, the ransomware tried to spread from
the initial infection to the entire internal network, and succeeded in
compromising several other systems, Reid said. That prompted the
hospital to shut down all of the hospital’s desktop computers, bringing
systems back online one by one only after scanning each for signs of the
infection.

“We have a pretty robust emergency response system that we developed
quite a few years ago, and it struck us that as everyone’s talking about
the computer problem at the hospital maybe we ought to just treat this
like a tornado hit, because we essentially shut our system down and
reopened on a computer-by-computer basis,” said David Park, an attorney
for the Kentucky healthcare center.

The attackers are demanding a mere four bitcoins in exchange for a key
to unlock the encrypted files; that’s a little more than USD $1,600 at
today’s exchange rate.

Park said the administration hasn’t ruled out paying the ransom.

“We haven’t yet made a decision on that, we’re working through the
process,” with the FBI, he said. “I think it’s our position that we’re
not going to pay it unless we absolutely have to.”

The attack on Methodist comes just weeks after it was revealed that a
California hospital that was similarly besieged with ransomware paid a
$17,000 ransom to get its files back.

Park said the main effect of the infection has been downtime, which
forced the hospital to process everything by hand on paper. He declined
to say which systems were infected, but said no patient data was
impacted.

“We have downtime procedures to go to a paper system anyway, so we went
to that paper system,” he said. “But we don’t feel like it negatively
impacted patient care. They didn’t get any patient information.”

Ransomware infections are largely opportunistic attacks that mainly prey
on people who browse the Web with outdated Web browsers and/or browser
plugins like Java and Adobe Flash and Reader. Most ransomware attacks
take advantage of exploit kits, malicious code that, when stitched into a
hacked site, probes visiting browsers for the presence of these
vulnerabilities.

The attack on Methodist Hospital was another form of opportunistic
attack that came in via spam email, in messages stating something about
invoices and that recipients needed to open an attached (booby-trapped)
file.

It’s a fair bet that as ransomware attacks and attackers mature, these
schemes will slowly become more targeted. I also worry that these more
deliberate attackers will take a bit more time to discern how much the
data they’ve encrypted is really worth, and precisely how much the
victim might be willing to pay to get it back.

http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of-emergency-after-ransomware-infection/
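Picking up the questions in the post above about whether Windows can tell a browser running a script apart from a user double-clicking a .js file, and whether any registry or policy setting blocks the latter: the answer is yes on both counts, and the following is an added example, not code from the original post, from the quoted Krebs article, or from Microsoft. A browser runs page JavaScript in its own engine and never touches Windows Script Host (WSH). A double-click on a .js file (including one shown inside an Explorer-opened .zip, which Compressed Folders first extracts to a temporary directory) goes through the JSFile file association to wscript.exe, which is WSH. So the two paths are already distinct, and WSH can be switched off without affecting web pages. The script below assumes an elevated PowerShell prompt, the documented WSH `Enabled` registry setting, and the standard HKLM\SOFTWARE\Classes file-type keys that WSH registers by default; the `OriginalCommand` value name it writes is this example's own choice for keeping a rollback record.

```powershell
# Added example for this thread, not code from the original post or from
# Microsoft. Run from an elevated (Administrator) PowerShell prompt.
# Two independent controls against double-clicked script attachments.

# --- 1) Turn Windows Script Host off machine-wide ----------------------------
# wscript.exe and cscript.exe check this documented setting on start-up; with
# Enabled = 0 they refuse every script and report that WSH access is disabled.
# Browser JavaScript is unaffected because browsers do not use WSH.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
New-Item -Path $wshKey -Force | Out-Null
Set-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -Type DWord

# --- 2) Defence in depth: open script files in Notepad instead of running them
# The double-click path is the file association: HKLM\SOFTWARE\Classes\JSFile
# (and the other WSH types) \Shell\Open\Command normally points at wscript.exe.
# Pointing it at notepad.exe means a click, also on a file shown inside an
# Explorer-opened .zip, displays the source instead of executing it. The
# original command is kept in a sibling value (name chosen for this example)
# so the change can be undone.
$notepad = "`"$env:SystemRoot\System32\notepad.exe`" `"%1`""
$scriptTypes = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'
foreach ($type in $scriptTypes) {
    $cmdKey = "HKLM:\SOFTWARE\Classes\$type\Shell\Open\Command"
    if (-not (Test-Path $cmdKey)) { continue }   # type not registered here
    $current = (Get-ItemProperty -Path $cmdKey).'(default)'
    if ($current -ne $notepad) {
        if ($null -ne $current) {
            Set-ItemProperty -Path $cmdKey -Name 'OriginalCommand' -Value $current
        }
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepad
    }
    "{0,-8} -> {1}" -f $type, (Get-ItemProperty -Path $cmdKey).'(default)'
}

# --- 3) Verify with a harmless probe script ----------------------------------
# With WSH disabled, cscript prints an access-disabled error and the echo
# text below never appears. The probe file is constructed here for the test.
$probe = Join-Path $env:TEMP 'wsh-probe.js'
Set-Content -Path $probe -Value 'WScript.Echo("WSH is still enabled");'
& "$env:SystemRoot\System32\cscript.exe" //Nologo $probe
Remove-Item $probe -ErrorAction SilentlyContinue
```

Two caveats a practitioner would want. First, per-user associations under HKCU\Software\Classes take precedence over HKLM in the merged HKCR view, so the file-association change (control 2) can be undone by anything writing to the user's hive; the machine-wide WSH switch (control 1) is the one that holds regardless of associations, and it can be pushed to a fleet with a Group Policy Preferences registry item. Second, disabling WSH breaks every logon, inventory or admin script written in VBScript or JScript, which is exactly why Microsoft ships it enabled; test on a pilot group before deploying broadly.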
