I suspect this is not the first such incident, but it’s the first that anyone has been willing to cop to. I also suspect that, somewhere, a lawyer is screaming, “NO SHUT UP YOU IDIOT!”
Admitting that this happened is probably not a very good move for the inevitable and totally justified lawsuit:
Getting ransomware is a lifestyle choice; it’s remarkably similar to going to a big “unmask” party and coming home with COVID-19. You get ransomware when your computing infrastructure is not carefully compartmented, your systems are poorly managed, and do don’t have backups.
The current state of play in the ransomware world is to scan a bunch of targets and, if you find one is vulnerable, break in, find some critical systems, and upload the ransomware onto them. It used to be that you just emailed in the ransomware in an attachment and expected some unfortunate ignoramus to click on it. A lot of organizations have moved past basic attachment security (and I do mean “basic”) so the attackers had to improve their play a tiny bit in order to continue their efforts.
A few years ago I pointed out that this is the end game for computer security: it’s so bad and our systems are so deeply compromised by government and commercial interests and crappy software, that attackers will always be able to try just a little bit harder and bypass anything useful that security people attempt to do. Let me explain that better: imagine that you’re running a foot-race against someone who is 100 times faster than you. But, they are cunning, and never reveal that fact. They always beat you by just a nose.* On the flip side, security practitioners have been (rightly) pointing out that systems are important and dangerous and that “eventually, this stuff is going to get someone killed.”
That’s that Rubicon, crossed.
(Alternatively, if you’re a fan of the book Horse Heaven: you’re racing against Justa Bob, the horse that was the fastest horse ever, but who was so lazy that he never bothered to win by more than the thinnest margin) [wc]
komarov says
Seeing this post I looked up a slightly more local news source, which, incidentally, also filed this in their IT/Internet section. I suppose it’s not a healthcare issue because you have no means of checking out security before being hospitalised. It confirms (or restates) pretty much everything from the Gizmodo article. In short, it was compounded idiocy on all sides, starting with the known but unpatched security flaws and ending with the fact that the hackers apparently hit the wrong target and tried to undo this when they realised their mistake. Well, too late. Nice work all around.
At least when Caesar crossed the Rubicon he wasn’t lost, as far we know.
lochaber says
I used to work with a guy that got hit by ransomware so often, he started keeping a backup because of it. Didn’t really help the rest of us when the computer attached to the lab equipment got hit by ransomware…
I imagine sending email attachments in spam and having downloads from sketchy websites still works well enough…
Marcus Ranum says
komarov@#1:
At least when Caesar crossed the Rubicon he wasn’t lost, as far we know.
And Roman legions came with an integrated power supply, so he didn’t have to reboot, first.