
N.J.’S Largest Hospital System Pays Up in Ransomware Attack - LinuxBender
https://threatpost.com/ransomware-attack-new-jersey-largest-hospital-system/151148/
======
ikeboy
We need to make it illegal to pay ransoms.

Paying a ransom is like defecting in a prisoner's dilemma: it benefits you at
the expense of hurting everyone else who will be stuck in the same situation.
Making it illegal just forces everyone to cooperate and is something everyone
would prefer.

Should be possible to prosecute under existing laws: you're providing support
to a criminal enterprise, sounds illegal already.

~~~
dmix
This story provides a good counterpoint. What if doing so saves lives at a
hospital that needs to get back online ASAP? A "saves lives" loophole?

Not to mention every law should first be measured on whether it is at all
practical to meaningfully enforce. I guarantee there have been 100x more
companies that have paid the ransom and didn't release a press release like this
one did.

If a whole bunch of people are going to do it anyway quietly and the law isn't
going to stop them, we're just going to occasionally double up the fines on
the random businesses that get caught. While these endless ransomware hackings
continue.

I'd much rather we spent public resources on prevention.

~~~
Wowfunhappy
You're saving lives now but endangering future lives.

If no one paid the ransom, ransomware wouldn't exist. The more people who pay
the ransom, the more incentive attackers have to create ransomware.

~~~
jonny_eh
> If no one paid the ransom, ransomware wouldn't exist

Even if we made it illegal, it doesn't mean people wouldn't pay them. It would
just punish victims further.

~~~
ironmagma
Put another way, which would you rather do, indirectly kill people or break
the law? This is the decision a hospital administrator would be faced with. I
suspect that most people would see fit to disobey the law in this situation.
It could easily be argued to be a legitimate case of civil disobedience.

~~~
wcip
I work in this space. It's probably not a matter of killing people; doctors in
ERs don't really need an EHR to function and sometimes do without due to
technical issues. The issue is that the hospital won't be able to bill without
documentation.

------
ngneer
How arrogant to comment that these hospital systems should have been secured
by now, given that WannaCry has hit hospitals in the past couple of years.
Shows a lack of understanding of the economics of security. I agree with the
point made by others about not negotiating with terrorists. Outlawing payments
would not prevent the attacks, though; the prisoner's dilemma will remain. I
am not an economist, but as long as the value of the assets being rescued is
greater than the value of the money handed over, the trade will occur. At some
point, yes, the ransom will be too great, but the parties will continue to
seek the path of least resistance.

~~~
tinus_hn
Yeah, we should just accept their mediocrity! After all, you can’t expect
people to take all these difficult security measures like installing updates
and using complex passwords.

~~~
ngneer
I said nothing of the sort. Only that the manner in which the security expert
commented on their practices came off high and mighty. Knowing how to secure a
system is not enough, knowing how to get there matters.

------
jakewins
A friend of mine is an MD at a major hospital in the midwest. As I've
understood it this is standard practice for them. Their computers freeze up,
and the message - my friend has sent me screen shots - will say something like
"Hi <hospital name>, the computer is encrypted, please contact the IT
department", IT department pays the ransom and the computers kick back on.

From a financial POV, as long as the ransom costs per year are lower than the
cost to replace their Cerner systems, it makes sense to simply see it as the
cost of operations, I guess?

~~~
alistairSH
Perhaps a dumb question... How does ransomware propagate from end-user PCs to
the servers that host critical applications and data? Surely, they don't allow
end-users to run email or access the web from "secure" servers?

~~~
PeterisP
IIRC the modus operandi for at least a few of these large ransomware attacks
was that the initial attackers who succeed in phishing or whatever would
install a remote backdoor there and sell the access for something like $2-10k
to professional teams who have the infrastructure and capacity to handle it
"properly" - use that foothold to spread across all the workstations, gain
user credentials to access servers and destroy backups, and then trigger
ransomware everywhere at once perhaps a week after the initial infection,
transforming it from a driveby nuisance to a targeted attack that's hard to
recover from and that can justify a big payout. Some of the victims _had_
reasonable backups, but they were intended for disaster recovery, not
malicious action; so they were accessible from the compromised machines and
thus could be disabled or destroyed.

An automated attack that manages to hit a random workstation can extract a
ransom of a couple hundred dollars; but if they invest a couple of days' hacker
labor to move deeper, then there are many public cases of $50 000 - $500 000
ransoms paid, and multiple cases such as Baltimore city and Atlanta city which
suffered losses in excess of $10m as a result of not paying the ransoms.

------
newhotelowner
How do you prevent your system from a ransomware attack?

If the user is using Windows 10 Professional and doesn't have admin access,
can they still be a victim of a ransomware attack?

~~~
nradov
You prevent users from running untrusted applications. Only whitelisted
applications can execute.

[https://docs.microsoft.com/en-us/windows/security/threat-pro...](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)
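
As an added example (not code from the thread or from Microsoft's docs), here is a PowerShell sketch of the allow-listing nradov describes, built from the AppLocker cmdlets the linked page covers: inventory a clean reference machine, generate publisher and hash rules, deploy in audit mode, and read the audit events before switching to enforcement. It assumes an elevated session on an edition where AppLocker enforcement is supported (Enterprise/Education per Microsoft's docs); the scanned directories and the policy file name are illustrative.

```powershell
# Added example: build an AppLocker allow-list from a clean reference
# workstation and deploy it in audit mode first. Assumes an elevated session
# and that the scanned directories hold only software you trust.
$ErrorActionPreference = 'Stop'

# 1. Inventory executables, DLLs, scripts and installers on the reference image.
#    C:\Windows is included so OS components get publisher rules too
#    (slow, and some protected paths are skipped silently).
$trusted = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') |
    Where-Object { Test-Path $_ } |
    ForEach-Object {
        Get-AppLockerFileInformation -Directory $_ -Recurse `
            -FileType Exe, Dll, Script, WindowsInstaller -ErrorAction SilentlyContinue
    }

# 2. Publisher rules for signed files, hash rules for the rest. Path rules are
#    deliberately avoided: a rule on a user-writable folder would let a dropper
#    saved to %TEMP% or %APPDATA% run.
$xml = New-AppLockerPolicy -FileInformation $trusted -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# 3. Start in AuditOnly so nothing is blocked yet; the event log shows what
#    *would* have been blocked. Flip to "Enabled" only after the audit is clean.
$xml = $xml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"'
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'   # illustrative path
$xml | Set-Content -Path $policyPath -Encoding UTF8

# 4. AppLocker depends on the Application Identity service; it is a protected
#    service, so sc.exe is used instead of Set-Service to change its start type.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath   # local policy; use GPO for a fleet

# 5. Review audit events: ID 8003 = allowed now, would be blocked if enforced.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Anything surfacing in the 8003 events that users legitimately need gets a rule added before the collection's EnforcementMode is changed to Enabled and the policy re-applied.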

~~~
Cheyana
I don't see how this would help when all of this ransomware is usually a
JavaScript dropper that gets in through the browser, encrypts files, and then
gets out after the damage is done.

The only thing that ever saved us in the half dozen or so times that we've
been hit is a robust backup system.

~~~
nradov
Are you certain that was the attack vector, and if so which specific browser
vulnerability was it? I'm not aware of any browser JavaScript sandbox escape
vulnerabilities that would allow file write access since about 2015. While
it's remotely possible there is a zero-day vulnerability being exploited out
there it seems highly unlikely. If your organization has been hit multiple
times by similar problems then the IT management must be terribly incompetent.

------
post_break
I wonder if Ransomware insurance will be offered by the same companies that do
personnel ransom insurance.

~~~
selectodude
These hospitals are uninsurable. They'd balk at the cost that the insurance
companies would demand they pay for enhanced network security.

~~~
panarky
Nah, most large organizations already have kidnap and ransom policies that pay
off in event of extortion.

They often also have cyber insurance that covers data leaks, but even without
cyber insurance the K&R policy often covers costs to recover from ransomware,
either by paying the ransom or by replacing/restoring systems.

------
vuln
Ugh I hate when reports are published but lack basic information like malware
family and indicators of compromise. The FBI FLASH reports are the worst
offenders. I suspect in this case the hospital did not share maybe due to
legal reasons?

~~~
ga-vu
Probably because reporters don't work for cyber-security firms and don't give
a shit about the C&C URL... just saying.

------
gyuserbti
The untold story in these things is the role of forced EMR regulations. I've
worked in healthcare for some time, as does my spouse and my family.

These record systems used to all be developed in-house systems, fully self
supporting, with little outside involvement. Then in the 2000s gov regulations
started mandating adoption of EMRs.

Especially here this seems like a no-brainer but in actuality for many
hospitals they were unnecessary and introduced with massive cost overruns as
hospitals were forced to buy them from a limited pool of vendors that were
approved by deadline rather than by intrinsic need.

How does this relate to the ransoms? Because if the EMRs were adopted
organically, my guess is it would have happened more gradually, with more
diversity of systems, more open source, more testing, and more emphasis on
security, backup, and self-reliant reliability.

It's hard to overemphasize the change in records infrastructure in hospitals
due to mandated EMRs, and a lot of it has been for the worse. EMRs would have
been implemented eventually without the mandates, but at lower cost and
greater security probably.

It's just another example of how overregulation in healthcare that sounds good
but in practice ends up creating unnecessary costs and causing problems. It
also once again doesn't get attention in healthcare price discussions, because
it's structural, indirect, and removed from the immediate billing.

I blame these types of ransomware attacks in part on EMR mandates and those
who encouraged them. Should the federal gov, which encouraged this mess, pay
the costs, either of the ransoms, or the cost of not paying?

