Ransomware Gang Frees Irish Medical Data—but Leak Threat Remains

The Health Service Executive (HSE), the body that runs Ireland’s socialized healthcare system, suffered a catastrophic malware attack last week. Ransomware scrotes wielding the Conti malware demanded $20 million to decrypt all the files.

But now they seem to have had a change of heart. The gang sent a free decryption tool to HSE, apparently without money changing hands.

Cybersecurity Live - Boston

But they’re still warning they’ll leak private health records unless they get their money. In today’s SB Blogwatch, we ponder ways to control this scourge.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: D120.

What’s Gaeilge for ‘HIPAA’?

What’s the craic? Joe Tidy reports—“Hackers bail out Irish health service”:

Flimsy code of ethics”
The Conti ransomware group was reportedly asking the health service for $20m … to restore services after the “catastrophic hack.” [But now it’s] unexpectedly gifted … the Health Service Executive (HSE), which runs Ireland’s healthcare system … with the tool to help it recover.

Irish prime minister Micheál Martin said on Friday evening that getting the software tool was good, but that enormous work is still required to rebuild the system. … There have been cancellations across all outpatient services, with colonoscopies down by as much as 80% and chemotherapy and daily elective procedures down by 50%.

Conti is still threatening to publish or sell data it has stolen unless a ransom is paid: … “We will sell or publish a lot of private data if you will not connect us and try to resolve the situation.”

Some of these gangs operate by a flimsy code of “ethics”, stating they don’t intend to endanger lives. [But] the Conti gang … clearly knew they were attacking a health service, and spent days trying to secure a ransom payment. … Perhaps they were under pressure from law enforcement or other hackers to rein it in.

That’s thousands of miles away. Sergiu Gatlan brings it home—“FBI: Conti ransomware attacked 16 US healthcare, first responder orgs”:

RaaS”
The info was shared via a TLP:WHITE flash alert … to help system admins and security professionals defend their orgs’ networks against future Conti attacks: … “The FBI identified at least 16 Conti ransomware attacks … within the last year. … These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S.”

Conti shares some of its code with the notorious Ryuk Ransomware. … The U.S. government previously warned the healthcare industry of ransomware targeting hospitals and healthcare providers in October 2020, after Ryuk operators took down the computer and phone systems of Fortune 500 hospital and healthcare services provider Universal Health Services (UHS).

Conti ransomware is a private Ransomware-as-a-Service (RaaS) operation believed to be controlled by a Russian-based cybercrime group known as Wizard Spider.

Wizard whatnow? Conor Lally explains the situation—“Part of world’s first cyber-cartel”:

Russia tolerates Wizard Spider”
The Russian-speaking cybercrime gang, Wizard Spider … is the biggest and most advanced gang in the world’s first cyber-cartel. That cartel, made up of five Russian-speaking cyber gangs, was formed last year and dominates ransomware attacks across the globe.

Wizard Spider is much bigger than the other gangs in the Ransom Cartel, also known as the Maze Cartel, and is split into several teams. … All of the groups in the … cartel, which officially joined forces last summer — Twister Spider, Wizard Spider, Viking Spider, Lockbit gang, SunCrypt gang — engage in the same activities as those now underway against the HSE.

The code they use in their malware or ransomware is programmed to uninstall itself if it locks onto a Russian language system. … It is widely suspected across the international community that Russia tolerates Wizard Spider as long as they attack targets in the West.

A Russian language system, you say? That gives Brian Krebs an idea—“Try This One Weird Trick Russian Hackers Hate”:

Install a different keyboard”
Virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian. … This prohibition dates back to the earliest days of organized cybercrime, and it is intended to minimize scrutiny and interference from local authorities.

Will installing one of these languages keep your Windows computer safe from all malware? Absolutely not. … There is no substitute for adopting a defense-in-depth posture, and avoiding risky behaviors online. But … the worst that could happen is that you accidentally toggle the language settings and all your menu options are in Russian. If this happens … Windows+Spacebar is your friend.

To install a different keyboard language on a Windows 10 computer … hit the Windows key and X at the same time, then select Settings, and then select “Time and Language.” Select Language, and … you should see an option to install another character set. Pick one, and the language should be installed the next time you reboot.

Is that a good idea? allen has all the key questions: [You’re fired—Ed.]

Completely valid idea”
Is doing this in Windows a significant security improvement? Probably not.

Does it have an above-zero chance of (helpfully) preventing a virus from running on the system? Yes, there is clear evidence this type of kill switch is built into many versions of malware.

If you look at this as yet-another layer in your security onion (aka a Defense-in-depth strategy with many other layers with it), the facts are that this takes such little effort to implement, almost certainly results in at least some amount of extra security, and there is little or no downside.

I wouldn’t jump out of my chair to implement this on all systems, and this does not at all replace any other standard security measures that should be in use. But it’s a completely valid idea.

O RLY? Fabian Wosar—@fwosar—simply scoffs:

They will know”
Within the ransomware hunting team, we often joke about what new “innovative” ways people will claim to be the next big fix for ransomware. One of these 8-year-old running gags [is] changing your keyboard layout to Russian.

While most ransomware families have keyboard layout or default language checks, most of them check the active or default configuration. Not just some registry key. So unless you actually want to use your system in Russian with a Russian keyboard, you’ll still get hit.

Ransomware [threat actors] will know everything about your company. They will know whether you are a real Russian company or not. … So instead of mass deploying a Russian keyboard layout to all your network, how about rolling out MFA and making sure your VPN appliances and internet-facing systems are updated in a timely manner.

You know—things that will actually improve your security posture.

MFA you say? Well, 2FA, at least—here’s rahmrh:

2-factor”
We worry about making longer and more complex passwords and changing passwords more often and the real issue is it is easier to break the desktop system [with] phishing schemes. … 2-factor at least slows down the access to the big systems but rarely is the desktop device protected with 2-factor.

But ajsnigrutin brings this topical simile:

Swab”
All these … ”mitigations” seem to me, as keeping the back door open, and requesting a urine sample, DNA sample, anal swab, pap smear and a prostate exam from people entering the main entrance.

How high are the stakes? Nick Merrill explains, “The threat of ransomware”:

Chaos”
Ransomware attacks don’t just disrupt pipelines, hospitals, or water plants; they disrupt trust in the predictability of everyday life. Remember: this pipeline ransomware did not directly cause the gas shortage: the ransomware freaked people out, making them panic-buy oil. The panic caused the shortage, not the hack.

The real threat of ransomware—of cyberattacks generally—is that they induce panic, breaking trust in public life. High-profile ransomware attacks shake our … confidence in the reliability of our everyday world. Will we be able to buy gas? Is our water safe to drink?

Cybersecurity is a matter of maintaining—perhaps even repairing—public trust. … That’s the imperative. … If a profit-motivated business can take down an oil pipeline, I shudder to think what havoc a coordinated state attack could wreak.

The United States is not prepared for that level of chaos.

Meanwhile, Camel Pilot knows the solution:

Should be illegal to pay the ransom. And should be an automatic firing of the CTO and CEO.

And Finally:

Disdyakis triacontahedron (aka D120)

Hat tip: Gareth Branwyn

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Sheila Sund (cc:by)

Featured eBook
Managing the AppSec Toolstack

Managing the AppSec Toolstack

The best cybersecurity defense is always applied in layers—if one line of defense fails, the next should be able to thwart an attack, and so on. Now that DevOps teams are taking  more responsibility for application security by embracing DevSecOps processes, that same philosophy applies to security controls. The challenge many organizations are facing now ... Read More
Security Boulevard

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 357 posts and counting.See all posts by richi