
> Lessons learnt by ransomware developers - rather than using a single pretty arbitrary test, always rely on a more robust statistical model to detect whether your code is running inside a sandbox.

I like to imagine that one of the developers on that team filed a tech debt item to do exactly this, was never able to get their manager to prioritize it, and is now pulling out their hair saying, "I told you so!"




> I like to imagine that one of the developers on that team filed a tech debt item to do exactly this, was never able to get their manager to prioritize it, and is now pulling out their hair saying, "I told you so!"

Malware authors have budgets and schedules too. It's a business, probably more profitable than 90% of the startups in SV


That's not exactly high praise. A tuft of grass is more profitable than 90% of the startups in SV.


Especially if that tuft of grass is on a piece of real estate in the bay area.


I wonder if Levi's jeans were more profitable than the average goldbug


Haha... That's a quite negative point of view. I mean even though most startups don't survive and won't make the involved parties more wealthy, there are people who actually use that stuff. From a user perspective it's profitable ;)

> It's a business

No, it's not, and it's pretty damn rude to make that claim in the presence of legitimate businesspeople.


Oh please. How many "legitimate businesspeople" believe it's their moral duty to spend millions on tax evasion lawyers and schemes. That think nothing of destroying thousands of lives and millions of man years worth of hard-gotten savings from the defenseless with legal but immoral schemes. It is perfectly legitimate business people that refer to patients as "units" and literally let them die if no money can be made off them. I'll type all day and not get to 10% of legit accusations I can make against "legitimate businesspeople".

I'll take an honest crook any day.


Haha, yep. At least they're honest about screwing you.

They didn't say "reputable business". Even the mob is a business, meaning "something whose purpose is making money" (over-simplified, but I'm sure you'll get the point).


The definition of a business is an entity which provides goods/services to consumers.

The typical moral distinction b/w a business and other entities which make[1] money is a business (presumably) does it within the constraint of their counterparties enjoying the liberty of choice. This becomes a grey area when government enters the picture and removes liberties--which is why there is debate about the legitimate role of government's monopoly on legitimate violence/aggression here.

1 - note, a further distinction could be made between entities which create value, and those which transfer it.


> The definition of a business is an entity which provides goods/services to consumers.

That's not true. A business is a vehicle for making money, that's it. Most businesses do this by providing goods or services, but certainly not all - for example, financial traders that only manage their own funds, like the Renaissance Medallion fund.


Financial traders are still buying and selling goods and services with a counterparty.

Even here, we still can observe that in most cases (except those where government interferes, or perhaps with organized crime) the counterparty is also enjoying a choice in whether or not they want to do the deal. I would argue that in cases where a counterparty has no choice, such a scheme should not be viewed as a legitimate business, as it historically would not be.


that's basically the root argument of libertarianism - that forced transactions are unethical and thus taxation is theft.

I'd still argue that a business does not have to provide a good or service to be considered a business though. The Medallion Fund that I mentioned solely exists to make money for its owners - it does not provide any goods or services.


I like to think that they know anything they implement will eventually get blocked, so they have a big collection of unexploited evasion tricks and just introduce them one by one.


I like to think wankers who stop hospitals go to jail and never work with a PC again. It would be nice if those BTC were hard to cash out too.


Not that it exonerates them whatsoever, but these kinds of attacks (including Wana Cryptor) usually aren't tailored for hospitals or any particular institution. They just harvest as many email addresses as they can (from leaks and purchased lists from spammers, etc.) and try to get as many infections as possible.

Hospitals just happened to be disproportionately affected by this attack because a lot of them have ineffective IT departments/management and never applied the MS17-010 patch.

Of course, these people are still felons and are likely responsible for millions of lost family photos, work and school documents, etc. They just aren't going out of their way to target hospitals.


I understand what you're trying to say, but think about what happens when the military strikes a hospital and calls it "collateral damage." While you're correct that these people probably did not intend to damage hospitals, they could have reasonably foreseen that an indiscriminate attack on computer networks around the globe would have deleterious effects on essential infrastructure.

This means that they knowingly or with reckless negligence unleashed such an attack on the world. If they had been more "scrupulous" criminals, they would have more narrowly tailored their attack on targets they believed deserved to be extorted or where such extortion would not interfere with life critical systems.

I'm not a lawyer, but if they were a nation state, I believe they would have violated the Geneva Convention's prohibition on attacking hospitals.

That said, I think this attack gives more weight to NSA critics that contend that their exploit research should be focused more on defense rather than offensive capabilities. Their carelessness combined with another group wanting to embarrass them is what allowed this indiscriminate attack to be inflicted on civilian infrastructure.


> think about what happens when the military strikes a hospital and calls it "collateral damage."

Old news. The more recent and much more insidious variant is calling the hospitals simply "valid targets".

Or in case of an unexpectedly intense media backlash, "a mistake".[0]

0: https://en.wikipedia.org/wiki/Kunduz_hospital_airstrike


When it comes to military/state objectives that the public poorly understands the risk scenario is quite different.

Which is why we're currently in a situation where zero-days that NSA easily knew would be leaked were not patched at least a month ahead of time were left unpatched. The costs aren't significant enough to motivate them to respond to their failures.

People like to blame the capitalistic incentives for not upgrading from Windows XP but to me the failure to respond to this obvious outcome of the leaking of NSA malware is far more insidious. These sys-admins managing old systems were not prepared for state-financed malware to be released to C-level cyber criminals as a 'threat-actor'.

The poor state of corporate information security has been exposed in the last few days, but even that sorry state is nothing compared to the failed responsibility of the US government to value their citizens over internal objectives. Which is increasingly a common narrative that is a unsurprisingly a result of the unencumbered growth of the security state and by proxy the executive branch whom they ultimately report to.


I understand your sentiment, but what exactly is the military to do when the enemy specifically uses hospitals to house command bunkers?


Do many people think that bombing the patients is the acceptable answer?

The hospital really needs to move the patients out immediately if the local military starts military operations from within a hospital (which is basically a war crime).

Then, if the commanders force patients, by threat of violence, to stay as human shields, that's a further war crime. The responsibility for casualties here is more with those using patients like this, than anyone else.


This seems like a long-winded way of saying "yes we bomb patients". Do you actually believe this?

There's probably a reason why we don't start killing hostages in a hostage situation.

Typically because the cost of not killing the hostage takers is basically the risk of dead hostages. There's nothing else at stake. You can safely assume that the next plane full of hostages that has terrorists at the controls will be shot down.

I'm not really advocating yes or no to bombing hospitals or schools to kill terrorist leaders hiding within - but your assertion is false. We will kill the hostages. All actual breaches involve a risk of % losses and that's baked into the decision to go in. Just a person somewhere trying to make a decision about the best outcome, for the "greater good".


Obviously using human shields like this is criminal. Do you see the people who bomb hospitals as bearing any responsibility?

I believe many in the military would simply say that Total War doctrine, present since perhaps the US Civil War and definitely by World War I, would argue bombing patients to get at command-and-control would be acceptable during times of war.

Now before everyone buries me, total war is a rather rare military state, and probably only present a select few times in the 20th century.


About one million Germans were dead or wounded as a result of allied bombing. Almost certainly entire hospitals were blown up too, in Dresden if nothing else.

A small price to pay for not having Nazis stomp around my backyard (almost literally, there are remnants of a Nazi bunker not half a mile from where I live).


Area bombing was largely ineffective and German production increased during the heaviest periods. In the view of many, it was a crime committed by a vindictive group of criminals. Area bombing has some well documented cases of slowing down the fall of the Nazis (hindering troop advances, taking away a lot of war production resources etc) but little evidence of speeding up the end.

Edit: good book on the subject https://www.google.co.nz/amp/s/amp.theguardian.com/books/201...


True of this attack, but ransomware attacks targeted specifically against hospitals have been booming over the past year or two. Aside from poor IT, hospitals often need immediate access to that data to treat patients, which makes them much more likely to pay. Which also means they generally ask for more than 300 dollars - that's the real proof that NHS was just collateral damage.


Indeed. If you chuck a Molotov into a crowded theater, you don't get to claim that you didn't mean to hit any children.


> never applied the MS17-010 patch.

Until today, there was nothing to apply if your computers were running XP or 2003. Guess which Windows versions are the most popular in UK hospitals? So I think your sentence should read like "Hospitals just happened to be disproportionately affected by this attack because they were forced to trust Microsoft would never put corporate profit before social responsibility."


XP and 2003 have been end-of-life for years. They both were released 14+ years ago. So you can just change what I said to:

"because a lot of them have ineffective IT departments/management and never applied the MS17-010 patch or are running ancient operating systems."

edit: And in fact, Microsoft did release a special XP hotfix for this vulnerability yesterday: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer...


> because a lot of them are running ancient operating systems that are the only ones that can interoperate with legacy hardware

FTFY


What news reports said anything about legacy hardware? The BBC and Reuters articles claimed the NHS suffered infection of their patient records servers and their reception computers.


Apparently the impacted XP and 2003 machines were accessing the same disk servers as the patient record systems. Thus an infected CAT scanner controller (or whatever) was able to destroy the patient records.

That doesn't tell a story of missing money or maintenance contracts. It tells of poor or even irresponsible and incompetent deployment procedures.

You shouldn't allow your CAT scanner to write over your patient records at a server. You shouldn't even have them in the same network segment.


And on legacy software. My NHS Trust seems to have escaped unscathed, but it has software that won't run on modern systems which is why XP is still seen in most departments.


What software is that? There is a 32-bit version of Windows 10, which can still run 16-bit Windows/DOS programs, and IE11 still supports ActiveX, Silverlight, Java applets and even (in IE10 compatibility mode) VBScript.

So AFAICT 32-bit W10 can run most anything 32-bit XP can (likewise the 64-bit versions, though neither can run 16-bit programs), and IE11 can run most anything IE8 can (with minor configuration).

Is it software that relies on undocumented APIs? (I can't imagine why hospital software would require exotic methods of poking at the kernel or hardware).


A lot of times it's the hardware interface that's the issue. Old stuff uses serial and parallel ports, motherboard slots, or even abuses PS/2 for other purposes.

Good luck finding a windows 10 compatible PC that has ISA slots for example. A lot of old custom hardware hooked right into the ISA bus


There is definitely software made for one version of Windows that won't run on another, regardless of bit count. Not a lot of it, but it's there.

In my experience, industrial software is often pretty poorly designed, so it wouldn't surprise me if it's more common in a hospital environment.


because .. drivers?


For what? Surely buying new printers is less expensive in the long or even short run than continuing to use an EOL-ed operating system.


We're not talking about printers.

We're talking about medical equipment, such as CAT scanners, dialysis machines, radiation therapy devices, chemical analysers and the like. Stuff where the computer interface could be an afterthought, added to a machine that was designed years ago with a physical knobs-and-dials type of user interface, and implemented and certified for a particular PC hardware generation. Then this interface PC becomes obsolete in 15 years even if the equipment itself would work for a hundred.


Is there any reason why medical equipment couldn't at least be airgapped or on a network without an outside connection at least? Still seems irresponsible.


Imaging tech here. Remote logins from vendor service staff are very helpful when stuff breaks as they can order parts or suggest fixes without coming in. They also track things like helium levels and water temperatures. Problems in these areas can be very very expensive. Losing an hour can be a loss of thousands in revenue very easily, let alone a few weeks of scanner time and tens (or maybe even low hundreds) of thousands in helium and parts.

Other reasons for network connectivity include retrieving and sending image sequences and data files (basically the actual scans) which is done all day everyday.

The more alarming part is the retrieving of raw data which is the unreconstructed scan. This involves attaching a memory stick that is supposedly clean and uploading to that. Generally this stick is stuck into any old researcher PC and files are off loaded. Vendors don't particularly like this but getting 10-20 gig files off the scanner via command line is pretty clunky at the best of times.


Such devices absolutely should be isolated in separate networks (DMZs), and connections to outside world should be removed except for the bare minimum.

That the NHS has not done this is their actual failing and negligence. It doesn't take that much money to move such devices to a quarantined network.


I mean, they are being systematically under-funded by one of the UK parties such that it will fail, so they can then point at it saying "I told you so", and so then get to adopt a US-like system, so they too can get in on that sweet, sweet cashflow :/

I assume drivers for scanners... but yes, if you underfund a healthcare system (remember half the cost of the US system for better outcomes) and constantly demand "efficiency savings" (and cancel long term Microsoft support contract) managers will cut IT before frontline services.


Places that cut the IT budget first are also places that raise the IT budget last.


XP has been unsupported for over three years and 2003 for nearly two years. Still using them at this point is gross negligence on the part of the hospitals.


>Still using them at this point is gross negligence

I'd guess that most hospitals don't do in-house development for the software they use. They paid someone else for it, probably at "enterprise" rates; it's hard to blame them for not having the budget or desire to replace working systems with new shiny (complete with new bugs) every X years.


Sigh, we need to fix the software economy. Imagine if the software being used by hospitals and other public institutions was open source as a rule. Then maybe it could actually be reused and collaborated on instead of rotting away with the need of replacing it all when it's just not usable any more.


If only some guy with a long beard had told us for the last 30 years what was going to happen! :)

This thread seems like a series of "well, they had to make this error because previously they had made this other error"... presumably this can go on ad nauseam, but isn't the eventual resolution going to be "spend money to install current hardware and software"? They could have done that at any point in the past. Complicated etiologies for broken systems miss the forest for the trees.


>Complicated etiologies for broken systems...

...are how the state-of-the-art is advanced in other industries? Imagine if the FAA's response to an air disaster was, "Never mind root causes, you just should've bought a newer plane".


If they were flying airplanes from the 50's not supported by their constructors anymore, I'd say it'd be a pretty good answer.



Back in the late 90's the government of the time split the NHS into Trusts and outsourced the IT to the likes of ICL (not sure who does it now). With that the last time any major overhaul was done upon the hardware and software was Y2K and as with most outsourced IT contracts it focused upon support from a reaction basis and not a proactive one.

With that the GSN (Government Secure Network) is still a good ring-fence (that's outsourced as well) but once something gets inside, boom.

Now with the Trusts - they do have a local IT bod and in the cases I dealt with, somebody who knew how a PC works and was enthusiastic, which is nice but also dangerous, and I had to deal with a few issues that were, as I call them, "enthusiastically driven". As such you have all these Trusts operating at some level as independents and with a variety of results.

One case was one `IT manager` at a Trust who was posting on alt.ph.uk (UK hacking usenet group) and offering up inside information about how they operated. That did not happen as the alt.ph.uk lot are a moral, ethical lot and health services are taboo, so he was rightly shot down and equally the chap was soon in talks with security services.

But with so many legacy systems, and an event driven support mentality (again Y2K being an exception), such events can and will happen. Sadly many trusts lack provision to handle such issues and, as with many IT areas, are event driven instead of being proactive. Indeed ITIL, the golden management love-in solution for support management, is event-driven and many an implementation ticks all the ITIL boxes of compliance and yet still lacks proactive support. This alas mostly gets compared to firefighters pouring water on buildings so they won't catch fire and is sadly pretty darn systemic in many an organization.

With that the best anybody in IT can do is to flag up an issue in a documented way to cover their ass when the outlined event does transpire, to prevent unfair scapegoating. A sad situation which many if not all IT support staff in all capacities can attest to.

Ironically DOS based legacy systems with no networking and exotic ISA cards in some equally over-priced hardware still work and the need to replace them does become moot, alas that example gets projected upon other systems that are networked. But the whole health industry has many legacy setups that are expensive to replace, more so if they work, and the motivation to limit potential damage from future events above and beyond backups becomes a management issue that lacks a voice for budgets.


No argument about the hospitals.

But making BTC hard to cash out is a hard problem. Although particular addresses can be blacklisted, mixing services are now mainstream. Some return fresh BTC from miners. Even so, it's problematic to mix humongous quantities. For example, the Sheep Marketplace owner/thief overwhelmed Bitcoin Fog with 10^5 BTC. The trail went dead after that, but he got busted while cashing out. His girlfriend was receiving huge international wire transfers, and could not explain where the money was coming from.


It probably originated in Russia or one of the other cybercrime-heavy ex-Soviet states (Ukraine, Belarus, etc), so outside the jurisdiction of UK authorities. Although this time it appears to have done most of its damage in Russia, so the perpetrators might not benefit from the usual blind eye.


I've seen ransomware that explicitly tried to avoid hospitals, schools, government, etc., so there's that. I always assumed it was out of self interest though.


Yes, screwing some random punter over is quite different than triggering an attack that meets the criteria for a CNI attack.

All this means instead of PC Plod being unable to extradite the perps from eastern Europe, you get the serious players involved.


Nah, let's not jeopardize the fungibility of bitcoins please. Besides, with anon-coins like zcash, what you're proposing would not be possible.


There is nothing that stops them from relaunching the attack with a modified version. The initial wave will use spam, then the worm-like part of the ransomware will penetrate internal networks.


Sure but this generated a lot of press so it made the vuln more known; Microsoft released a patch and systems are likely less vulnerable to the same attack.

Similar attacks using other vulns or tooling are inevitable but this is prob much less impactful and the registration probably mitigated a lot of damage



You make it sound like some professional outfit. Is it really like that? I would've thought that it's a bunch of teens.


I doubt it. This is organised crime motivated by money (which is usually something adults do); the very fact that the program tries to detect whether it's being sandboxed indicates a certain level of professionalism.


You think a bunch of teens orchestrated a global attack on this scale? Surely this is satire and you dropped the /s right?


>...orchestrated a global attack on this scale?

Was it "orchestrated", or did the worm just spread randomly and opportunistically?


My bet is a bunch of teens. Not really orchestrated as much as exploited a vulnerability amplified by p2p connection, which led to worldwide scale.

By the look and UX of the virus (yes there's a UX there too), they do seem to have a better grasp than most script kiddies, who usually can barely extend whatever script they've got.


Hard to say. It could be an organized crime gang, terrorists, state actor, someone not making enough money legitimately in a 3rd-world country, bored middle-aged techie or teenager wanting to "get away" with something. There may or may not be levels of management, contractor(s) or multiple participants. (Shady "businesses" most definitely have subcontractors. Heck, I know of someone who got their degrees paid for by a shady illegal gambling outfit.)


Why wouldn't they do it initially? It would take like 5 minutes to make it use a random string instead of a hardcoded one.
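The quoted lesson at the top of the thread (one arbitrary test versus a more robust model) and the "random string instead of a hardcoded one" point above are easiest to see side by side. The following is an added example written for this page, not code from the ransomware or from any commenter. It models a sandbox check that asks "does this domain resolve?" without touching real DNS: the resolver is passed in as a function, the three environments are constructed for the example, and the probe domains use the reserved `.example` TLD. The function names and the 75% threshold are assumptions for illustration.

```python
"""
Single hardcoded probe vs. fresh random probes for a "does this resolve?"
sandbox check.  Added example for this thread; no real network access.
"""
import random
import string
from typing import Callable, Dict, Set

# A resolver answers: did this domain name resolve to an address?
Resolver = Callable[[str], bool]


def random_domain(rng: random.Random, length: int = 20) -> str:
    """A throwaway label under the RFC 2606 reserved .example TLD."""
    alphabet = string.ascii_lowercase + string.digits
    label = "".join(rng.choice(alphabet) for _ in range(length))
    return f"{label}.example"


# --- environments (constructed for the example) ---------------------------

def real_internet(registered: Set[str]) -> Resolver:
    """Only names someone actually registered resolve."""
    return lambda domain: domain in registered


def resolve_everything_sandbox() -> Resolver:
    """Analysis sandbox that answers every DNS query so samples keep running."""
    return lambda domain: True


# --- the two checks --------------------------------------------------------

def single_probe_looks_sandboxed(resolver: Resolver, probe: str) -> bool:
    """One hardcoded name: 'if it resolves, assume I am being analysed'.
    Anyone who registers that one name flips the answer for every copy."""
    return resolver(probe)


def multi_probe_looks_sandboxed(resolver: Resolver, n: int = 8,
                                threshold: float = 0.75,
                                seed=None) -> bool:
    """Fresh random names each run; conclude 'sandbox' only when most of
    them resolve.  Registering a single name no longer changes the verdict."""
    rng = random.Random(seed)
    hits = sum(resolver(random_domain(rng)) for _ in range(n))
    return hits / n >= threshold


def demo() -> Dict[str, bool]:
    """Verdicts (True = 'sandbox, stop') across the three situations."""
    probe = "hardcoded-probe.example"          # assumed probe name
    unregistered = real_internet(set())         # before anyone registered it
    registered = real_internet({probe})         # after a defender registered it
    sandbox = resolve_everything_sandbox()
    return {
        "single/unregistered": single_probe_looks_sandboxed(unregistered, probe),
        "single/registered":   single_probe_looks_sandboxed(registered, probe),
        "single/sandbox":      single_probe_looks_sandboxed(sandbox, probe),
        "multi/unregistered":  multi_probe_looks_sandboxed(unregistered, seed=1),
        "multi/registered":    multi_probe_looks_sandboxed(registered, seed=1),
        "multi/sandbox":       multi_probe_looks_sandboxed(sandbox, seed=1),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} -> {'stops' if verdict else 'runs'}")
```

The `single/registered` row is the only one where registering a name matters: with the hardcoded probe the registration turns the check into a global off switch, while the multi-probe variant treats the registered name as one more unresolvable random string and keeps running. The same table also shows the defender-side corollary: a sandbox that resolves every query is trivially fingerprintable by either check, so an analysis environment should answer unknown names the way the real internet does (NXDOMAIN) rather than resolving everything.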


will he/she be called into an HR meeting to make a Performance Improvement Plan? ;)


Probably get a pair of concrete overshoes


Potato, potahto.


I'm that developer but instead of working on malware, I just want to make sure that iPhones can actually use the website.


Malware is more interesting.

The site itself doesn't seem to have enough ads or well placed enough ads to be "income as a goal". So I'm guessing it's a "proof I can do stuff" or "trophy room" blog, which doesn't care (HR and recruiting will happily use worse websites to judge candidate value, or trophy rooms will be put in a room no one else wants/cabin so far from everyone it doesn't have electricity)



