The last story presented below is of a ransomware attack on a hospital system that has been listed as being responsible for 4 deaths. By comparison, the other incidents are just annoyances.

First we have Ransomware. And there is a lot of it. The Week in Ransomware – September 25th 2020 – A Modern-Day Gold Rush

Companies still refuse to take security seriously, and as a result, the Forces of Ransomware™ are running amok.

The linked article is dismaying, with how many cases/varieties of Ransomware have been discovered. There was one bright spot, in that the insurance companies are not just blindly underwriting insanity, but insisting on some security.

News also broke this week about how an insurance company utilizes security scans to find exposed and vulnerable devices on clients’ networks. These proactive scans have reduced their ransomware claims by 65%!

They have to do something, or they are going to put themselves out of business insuring companies that have limited security in place.

Then there is the continuing resistance to applying software updates. Over 247K Exchange servers unpatched for actively exploited flaw. I can’t even feel sorry for these people.

The systems in question have not been patched AT LEAST since February of 2020. So 7 months, soon to be 8 months.

Cyber-security firm Rapid7, added an MS Exchange RCE module to the Metasploit penetration testing framework it develops on March 4, after several proof-of-concept exploits surfaced on GitHub.

One week later, both CISA and the NSA urged organizations to patch their servers against the CVE-2020-0688 flaw as soon as possible given that multiple APT groups were already actively exploiting it in the wild.

That was back in March; here’s the situation today.

Rapid7 once again made use of its Project Sonar internet-wide survey tool for another headcount.

And the numbers are almost as grim as they were before, with 61.10% (247,986 out of a total of 405,873) of vulnerable servers (i.e., Exchange 2010, 2013, 2016, and 2019) still being left unpatched and exposed to ongoing attacks.

The company’s researchers found that 87% of almost 138,000 Exchange 2016 servers and 77% of around 25,000 Exchange 2019 servers were left exposed to CVE-2020-0688 exploits, and that roughly 54,000 Exchange 2010 servers “have not been updated in six years.” [My emphasis. Z-Deb]

So you don’t update your systems for 6 freaking years. What exactly do you think is going to happen? I can’t even feel sorry for any of these people.

And finally we have the RYUK attack on Universal Health Services. UHS hospitals hit by reported country-wide Ryuk ransomware attack.

“When the attack happened multiple antivirus programs were disabled by the attack and hard drives just lit up with activity,” one of the reports reads.

“After 1min or so of this the computers logged out and shutdown. When you try to power back on the computers they automatically just shutdown.

“We have no access to anything computer based including old labs, ekg’s, or radiology studies. We have no access to our PACS radiology system.”

And it isn’t just that a bunch of hospital employees can’t access their email, or billing records.

Four deaths were also reported after the incident impacting UHS’ facilities, caused by the doctors having to wait for lab results to arrive via courier. BleepingComputer has not been able to independently corroborate if the deaths were related to the attack.

Look I get that modern medicine is dependent on computers for a whole bunch of stuff, but this incident demonstrates that we are not doing it correctly. Not by half.

The internet was fun while it lasted. (Hat tip Security Now.)

You could spend your whole life writing about ransomware. Maybe that is an exaggeration. Maybe.

First up, Carnival Cruise Lines. World’s largest cruise line operator Carnival hit by ransomware

“On August 15, 2020, Carnival Corporation and Carnival plc (together, the “Company,” “we,” “us,” or “our”) detected a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems. The unauthorized access also included the download of certain of our data files,” the cruise line operator stated in their filing.

Employee and customer data was probably stolen as part of the attack.

Konica Minolta was hit. Business technology giant Konica Minolta hit by new ransomware.

Business technology giant Konica Minolta was hit with a ransomware attack at the end of July that impacted services for almost a week, BleepingComputer has learned.

The company that produces Jack Daniels whiskey, Brown-Forman, was also hit, but they seem to be doing something right. U.S. spirits and wine giant hit by cyberattack, 1TB of data stolen.

Sodinokibi (REvil) ransomware operators were able to steal data, but apparently failed to encrypt systems.

“Brown-Forman was the victim of a cybersecurity attack. Our quick actions upon discovering the attack prevented our systems from being encrypted” – Brown-Forman spokesperson

Brown-Forman is not negotiating with REvil, so any data stolen is likely up for sale.

At least some of the people are taking security seriously, but there is still work to be done.

Companies never like to talk about “what happened?” Or “How did this happen?” so there aren’t many lessons to be learned.

A review of the 2019 ransomware attack on Norsk Hydro, for the geeks in the audience. How to Survive a Ransomware Attack Without Paying the Ransom.

For those who don’t follow these things… It has been called, “The worst cyberattack in Norway’s history.”

At around midnight Oslo time on March 19, 2019, computers owned by Norsk Hydro ASA, a large aluminum manufacturer, started encrypting files and going offline en masse. It took two hours before a worker at its operations center in Hungary realized what was happening. He followed a scripted security procedure and took the company’s entire network offline—including its website, email system, payroll, and everything else. By then, a lot of damage was already done. Five hundred of Hydro’s servers and 2,700 of its PCs had been rendered useless, and a ransom note was flashing on employees’ computer screens.

Norsk Hydro didn’t pay the ransom for all the reasons that you can imagine. Lack of guarantees. Making Norsk Hydro an attractive target for other attacks. Feeding the evil beast.

It ended up costing the company 60 million US dollars. Insurance paid 3.6 million. Oh, and they had a reasonable amount of security in place before all this started. They weren’t ignoring stuff and hoping for the best. Here’s the moral of the story…

Even when you do everything you can to protect yourself from a cyberattack, a determined adversary will almost always be able to wreak havoc. In other words, it’s less a question of how to stop hackers from breaking in than how to best survive the inevitable damage.

The description of how things worked at an aluminum plant in Cressona, Pennsylvania is pretty fascinating. How people adapted to every computer at work being shut off.

Because they love to put stuff online, but can’t be bothered about security. Ransomware Hit Over 1,000 U.S. Schools in 2019.

The FBI advises all U.S. entities currently targeted by a heavy barrage of ransomware attacks to follow these best practices:

• Regularly back up data and verify its integrity
• Focus on awareness and training
• Patch the operating system, software, and firmware on devices
• Enable anti-malware auto-update and perform regular scans
• Implement the least privilege for file, directory, and network share permissions
• Disable macro scripts from Office files transmitted via email
• Implement software restriction policies and controls
• Employ best practices for use of RDP
• Implement application whitelisting
• Implement physical and logical separation of networks and data for different org units
• Require user interaction for end-user apps communicating with uncategorized online assets

Of course a lot of the problems for the past few years were caused by (or at least it was a contributing factor) unpatched, unsupported Windows machines. So I seriously doubt that the rest of this will happen. And the backups must be offline. (Ransomware will encrypt your raid server.)

If you can’t update or upgrade, then you have no business putting stuff on the public internet. Unless dealing with ransomware is something you like to do. But schools and cities will continue to put insecure servers on the public internet, and then shriek about how it was “totally unexpected” when bad things happen.

Because of course they are. At some point this stops being news. Zeppelin Ransomware Targets Healthcare and IT Companies.

And it is important to note that this is a phishing (may be spear phishing) attack on health care.

In a new report from Cylance, researchers have discovered the Zeppelin ransomware being used in targeted attacks against IT and healthcare companies. In at least some of the attacks, Cylance believes that they targeted MSPs in order to further infect customers via management software.

Because if you infect a service provider, you infect all of their clients. (I just said something about outsourcing of IT work…)

My take is still that doctors refuse to follow instructions that aren’t provided by doctors of higher status, but a lot of this probably overworked people, and a good phishing campaign. With probably a little bit of “It won’t happen to me! What are the chances?” Welcome to the 21st Century.

Is this even if news anymore? When do we start looking at the number of schools not hit with ransomware? Livingston School District in New Jersey Hit With Ransomware.

Students at the Livingston public school district in New Jersey are undoubtedly happy for a two hour delayed opening tomorrow. Unfortunately, this delay is not being caused by snow, but rather by a ransomware attack that the district is still recovering from.

There is little other real information. The district made some “reassuring statements” that didn’t cross over into lies, but were probably close.

“Our understanding is that these criminals do not typically steal data, but rather render the systems unusable”

While true, is not an assurance that no data was stolen. And then of course Bleeping Computer cites an instance were encrypted data was stolen, and released because no ransom was paid.

What a shock. Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks.

As PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined.

The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.

Do you think that security is worth anything? Do you think that doctors will actually follow recommendations from someone who isn’t a doctor?

I’m leaning toward not news. Brooklyn Hospital Loses Patient Data In Ransomware Attack.

The hospital provided very little information, except to say that the attack happened in July. There was an investigation, and attempts to recover the files in the intervening months.

The unrecoverable information includes names and certain dental or cardiac images. The hospital highlights that the investigation did not find any evidence that the data was exfiltrated from its systems or otherwise misused.

Does it need to be stated again? Organizations have decided that backups are not needed. (People have decided that as well, both are wrong.) Or in other cases, they have a backup server which is online to their network, and that gets encrypted as well. At least some of the backups need to be offline.

In the case of Demant (a Danish company), the costs are high. Ransomware incident to cost Danish company a whopping $95 million.

While they had an insurance policy, it will not cover a quarter of that bill. And there are worries that while they were down, and unable even to support retail sales, customers switched brands, and will not be back.

And the company isn’t saying “ransomware.” Though Danish media is reporting it that way, and it “sure did look like one from the outside.”

Most of the losses have come from lost sales and the company not being able to fulfill orders. The actual cost of recovering and rebuilding its IT infrastructure were only around $7.3 million, a small sum compared to the grand total.

So what part of that $7 million has the IT department been pleading for? But as they say, there is much more.

Furthermore, “in our hearing aid retail business, many clinics across our network have not been able to service end-users in a regular fashion.”

These business upheavals have been a disaster for the company’s bottom line. In a message to its investors, Demant said it expects to lose somewhere between $80 million and $95 million.

So, for that $7 million, could the IT folks have made themselves immune to ransomware? Probably not. But they might have been able to mitigate the cost, and it’s not like the company didn’t end up spending the money anyway. The difference is between a scrambling emergency, that impacts customers, as well as both top-line growth and the bottom-line, and a planned implementation.

Other incidents from 2019 include…

defence contractor Rheinmetall, airplane parts manufacturer Asco, aluminum provider Norsk Hydro, cyber-security firm Verint, the UK Police Federation, utility vehicles manufacturer Aebi Schmidt, Arizona Beverages, engineering firm Altran, the Cleveland international airport, and chemicals producers Hexion and Momentive.

Hat tip to Security Now episode #735.