Tag Archives: ransomware

Davidson County, NC Hit By Ransomware – Reverts to Paper

While yet another local government being shut down by a ransomware attack is old news these days, it still can point to a few valuable things.

This time it is Davidson County, NC, home of Greensboro.

At 2:00 in the morning the county’s CIO was woken up – there was something strange going on with the 911 system.

What they figured out was that ransomware had compromised 70 servers and an unknown number of desktops and laptops.

Oh, yeah, and the phones weren’t working, which is sort of a problem for the 911 dispatchers.

The county manager said it could take weeks or months to fully resolve.  He also said that this kind of attack is common in Europe.  It is, but it is equally common in the U.S.  Just recently neighboring county Mecklenburg had the same problem.

One bit of good news is that they have cyber insurance.  That likely will help them pay for some of the costs.  At the time of the first article, they had not decided if they were going to pay the ransom.

By Monday the county said that 911 was working as was the tax collector.  You can see why both of these are important to the county.

They continue to work on the restoration, but did not give a time when things would be back to normal – just soon.

So what are the takeaways here?

  • Have a disaster recovery plan – it sounds like they did have one of these.
  • Have a business continuity plan – how do we keep the doors open or keep answering the phone?  And, if you are a web based business and your web site is down, now what?
  • Having cyber insurance will help pay for all this.
  • Make sure you have backups.  Make sure it covers ALL of your data and systems.
  • Figure out how long it will take to restore those backups.  For nearby Mecklenburg, it was a couple of months.  Is that OK?  If not, what is plan B?
  • How are you going to communicate about it?
  • MUTUAL AID – this one is easier for non-profits and the public sector, but it is still worth considering.  Davidson County received offers of assistance from the nearby City of Lexington and from Rowan County as well as the North Carolina Association of County Commissioners.  And they are talking with Mecklenburg County – which went through the same ordeal recently.  When I was in college in upstate New York (this was in the dark ages before the Internet), the volunteer fire departments up and down the Finger Lakes would invoke that mutual aid using fog horns that traveled across the lakes for miles.  A particular burst meant that this fire department or that needed help.  It was a life saver, literally.  Maybe for you it is with a customer or a business partner or an investor.  You may not need the aid, but having it available could make a huge difference.

Ultimately, having a plan and testing that plan is hugely important.  Don’t hope it won’t happen to you.  That might be the case, but then again, it might not be the case.  Will you be ready if it happens to you?

Information for this post came from the Dispatch and Greensboro.com


Ransomware. Backups. MTTR. Disaster Recovery. Business Continuity.

Ransomware and hospitals.  Not a great combination.

The Register is reporting that Hancock Hospital paid ransom attackers $60,000 to get control of their system back.

Pictured: Hancock Health, 801 N. State St. in Greenfield.(Tom Russo | Daily Reporter)

Hancock Health in Indiana was hit with a ransomware attack last week.  As the hospital detected “something wrong”, they decided to shut down all hospital systems, all wellness center systems, physicians’ office systems and, in fact, the entire Hancock Health Network.

The attack put the hospital and its affiliates back into the medical stone age.  No electronic medical records.  No email.  All paper.

Like many other attacks, this attacker, apparently, found a publicly exposed remote desktop protocol (RDP) open port and the rest, as they say, was history.

When the hospital figured out that it was being attacked they contacted the FBI and an outside IT specialist.  However, the Lone Ranger had used up all of the silver bullets – there are none left.

This is where the title of this blog post comes in.

If you get hit with a ransomware attack, the experts say that you are okay if you have good backups.  Well, maybe.

But there is more to it.

Business continuity – can you continue to operate while you sort things out?  In this case, the hospital reverted to paper.  But paper is slow and cumbersome and introduces errors.

Disaster recovery – do you have a plan for how you are going to recover from the disaster?

MTTR – MTTR stands for mean time to repair.  That goes along with RTO or Recovery Time Objective and RPO or Recovery Point Objective.  All of these mean HOW LONG WILL IT TAKE TO GET BACK IN OPERATION?  And, HOW MUCH DATA ARE YOU WILLING TO LOSE?
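The backup takeaways in the Davidson County post above (backups must cover ALL systems, and you must know how long a restore actually takes) and the RTO/RPO definitions in this paragraph boil down to a check any IT shop can automate. The following is an added example, not code from the original post or from any of the organizations it describes; the system names, backup log and restore-test log are constructed sample data, and the RPO and RTO targets are assumed values. It flags systems with no backup at all, backups older than the RPO, backups that exist only online (reachable by the same ransomware), systems whose restore has never been rehearsed, and rehearsed restores that took longer than the RTO.

```python
from datetime import datetime, timedelta

# Hypothetical inventory of systems that must survive a ransomware event
# (constructed sample data, not from any real county or hospital).
SYSTEMS = ["911-dispatch", "tax-collector", "phone-pbx", "file-server", "email"]

# Constructed backup log: one record per successful backup job.
# "offline_copy" means a copy exists that the production network cannot write to
# (tape, immutable storage, a disk in a vault); an online-only copy can be
# encrypted along with everything else.
BACKUP_LOG = [
    {"system": "911-dispatch", "finished": "2018-03-02T01:00", "offline_copy": True},
    {"system": "tax-collector", "finished": "2018-02-20T02:00", "offline_copy": True},
    {"system": "file-server", "finished": "2018-03-01T23:30", "offline_copy": False},
    {"system": "email", "finished": "2018-03-02T00:15", "offline_copy": True},
]

# Constructed restore-test log: how long a full restore took the last time it
# was actually rehearsed. A system with no entry has never been restored.
RESTORE_TESTS = [
    {"system": "911-dispatch", "tested": "2018-01-15", "restore_hours": 6},
    {"system": "file-server", "tested": "2017-06-01", "restore_hours": 72},
]


def assess_recovery(systems, backup_log, restore_tests, now, rpo_hours, rto_hours):
    """Compare the backup and restore-test evidence against RPO/RTO targets.

    Returns a dict of findings; an empty list in every key means the
    organization can credibly claim it is ready to recover.
    """
    now = datetime.fromisoformat(now)

    # Keep only the most recent successful backup per system.
    latest = {}
    for rec in backup_log:
        finished = datetime.fromisoformat(rec["finished"])
        current = latest.get(rec["system"])
        if current is None or finished > current["finished"]:
            latest[rec["system"]] = {"finished": finished, "offline_copy": rec["offline_copy"]}

    tests = {t["system"]: t for t in restore_tests}

    report = {
        "uncovered": [],        # no backup exists at all
        "rpo_violations": [],   # (system, age of newest backup in hours)
        "online_only": [],      # backup reachable from the production network
        "untested": [],         # restore never rehearsed, so RTO is a guess
        "rto_violations": [],   # (system, measured restore hours)
    }

    for system in systems:
        backup = latest.get(system)
        if backup is None:
            report["uncovered"].append(system)
            continue  # nothing else can be evaluated without a backup

        age = now - backup["finished"]
        if age > timedelta(hours=rpo_hours):
            report["rpo_violations"].append((system, round(age.total_seconds() / 3600)))
        if not backup["offline_copy"]:
            report["online_only"].append(system)

        test = tests.get(system)
        if test is None:
            report["untested"].append(system)
        elif test["restore_hours"] > rto_hours:
            report["rto_violations"].append((system, test["restore_hours"]))

    return report


def is_ready(report):
    """True only when no finding category has any entries."""
    return all(len(v) == 0 for v in report.values())


if __name__ == "__main__":
    # Assumed targets: lose at most one day of data, be back within two days.
    findings = assess_recovery(SYSTEMS, BACKUP_LOG, RESTORE_TESTS, "2018-03-02T08:00", 24, 48)
    for category, items in findings.items():
        print(f"{category}: {items}")
    print("ready:", is_ready(findings))
```

With the constructed data the phone system has no backup at all, the tax collector's newest backup is over ten days old and has never been test-restored, the file server's only copy is online and its last rehearsed restore took 72 hours against a 48 hour RTO, so the report comes back not ready. Running this against real backup-job and restore-drill records is how you answer the "is that OK? If not, what is plan B?" question before the 2 A.M. phone call rather than after it.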

That is what tripped up Hancock.  They decided to pay the $60k and get working again.

Mecklenburg County, NC, home of Charlotte, decided that it was not going to pay the ransom and it is still recovering, months later.

In late 2016,  Madison County, Indiana, decided to pay their ransom to get access to their data – it cost them $200,000.

According to the FBI, there are thousands of these attacks every day.  According to some reports, ransomware is a $9 billion industry.

So as you think about how to deal with a possible ransomware attack, think about this:

  • Backups
  • Mean Time To Repair
  • Business Continuity
  • Disaster Recovery

Put those all together and you will be in pretty good shape.


Information for this post came from The Register and The Greenfield Reporter.


A New Form of Ransomware

The British shipping company Clarksons was hacked and decided not to pay the ransom.  So far, nothing new.  No ransom, no data.

Well, maybe, they had backups that they could restore – and thumb their nose at the hackers.

I think this is becoming a bigger problem for hackers.  As a result, hackers are changing tactics.

There are still plenty of vanilla ransomware attacks that want your money in exchange for the encryption key.

But now there are many that say that if you don’t pay up we are going to publish what we hacked.

There is a very important distinction between these two types of attacks.  In the traditional attack, it is presumed (but not known) that the hackers did not steal your data – that they did not make a copy of it and upload it somewhere.  In this attack, in order for it to work, the hacker had to steal the data.  ONE THING THIS MEANS IS THAT, UNLESS YOU CAN PROVE THE HACKERS ARE LYING, YOU LIKELY HAD A REPORTABLE BREACH IF YOU ARE IN AN INDUSTRY OR STATE THAT REQUIRES YOU TO REPORT BREACHES.  I don’t even play a lawyer on the Internet, but I think you are going to be hard pressed to convince regulators that your data was not compromised.

This concept is not far fetched;  in fact, hackers have done this (recently) before.  For this type of attack, whether you have backups or not doesn’t really matter.  What matters is what are the consequences of this data being made public.

In this case, Clarksons has said that they are not paying the ransom and expect the data to be made public.

Of course we have no way of knowing IF the attackers will really expose the data (I guess we could call that a revenge-release) and Clarksons has been very tight lipped about what was taken and how much was taken.

What they have said is be prepared for stuff to be released.

So, I guess, we wait.  And see.  Stay tuned.

For the rest of us, we have a new cyber security worry.  Making backups and having a disaster recovery plan won’t help with this one.  The only way to protect yourself from this one is to keep the bad guys out.

One other thought.  Data that doesn’t exist can’t be hacked, so it is useful to consider the trade-off between keeping data that might, some day, be useful to someone and the risk that every piece of data you keep can be hacked.  This is not always an easy decision, but it is one that needs to be made.

A corollary to this is that we may need this data for legal or archival reasons, but does it need to be available, online, to all employees?  An example of this might be a mortgage company.  They may need to keep the loan package for all closed and declined loans for seven years, but what if those loans are stored on a disk?  In a bank vault?  It could be difficult to hack.  Just saying.

Information for this post came from The Register.


Montgomery County Hit With Ransomware – Pays $40-$50,000 To Get Files Back

Montgomery County, Alabama joined the ranks of probably millions of others and paid a ransom to get their data back after hackers threatened to erase their data if the ransom was not paid within 7 days.

While details are sketchy, reports are that the attack began Monday around 5PM (at the end of the day) and probably spent all night encrypting data.  By Tuesday morning systems such as vehicle tags, car registrations and marriage and business licenses were down.  Reports said that 70 terabytes of data were encrypted without anyone noticing.

The Chairman of the County Commissioners, interviewed on the Montgomery Advertiser link below, said it was an “unfortunate situation” and “you don’t think about these situations until they happen”, but now he says it is “kind of an emergency situation”.

While we can laugh at his response because it wasn’t our systems that are down, the reality is that all of his comments are pretty accurate.  Most businesses don’t have a disaster recovery program, an incident response program, tested backups or trained emergency resources already identified and contracted for.  In fairness, some businesses are prepared, but they are the minority.

The County CIO, Lou Ialacci said that they tried to restore from backups but were unable to for some reason not related to the attack.  Perhaps, the backups weren’t working or didn’t exist.

The Chairman of the County Commissioners NOW says that they are going to do whatever it takes to prevent this from recurring.

That comment is also not unusual – after the horse is out of the barn, down the road and the barn is on fire, it gets pretty real for people.

The county also said not to worry – no data has been compromised.  Are they sure?  It wouldn’t be very hard to encrypt the data and then copy it to the cloud somewhere.  Since the hacker has the key, he or she can then decrypt it at their leisure.  I don’t know in this case, but it definitely happens sometimes.

In Montgomery County’s case, they had to pay the hackers 9 Bitcoin or about $40,000 to $50,000 in taxpayer dollars based on the then current Bitcoin price.

My guess is that Montgomery County was not specifically targeted by Vladimir Putin, so I think we can safely say this was an attack of opportunity.

The county is being pretty quiet as to what happened, but likely someone clicked on a link or opened an attachment and it was all over at that point.

The message here is that businesses especially, and individuals too, need to be prepared.  Anyone can get targeted.  The bad guys might send out 10 million emails and hope a few people click on it.  At $40-$50 thousand a pop, you don’t need very many people clicking to earn a very nice living.  Ten people click on it and you might make a cool half mil – tax free, I might add.

Are you prepared?

Are you sure?

Have you tested it?

You don’t want to be the next Montgomery County.

Information for this post came from the Montgomery Advertiser and TechTalk.


Maersk Says Ransomware Will Cost Them $200-$300 Million

In case you thought that people were overhyping the effects of ransomware,  perhaps you should rethink that.

The Maersk shipping line, which runs container ships and ports around the world, among many other businesses, had to shut down some of their port operations after computers were infected with the NotPetya ransomware.

This week Maersk’s CEO says that the ransomware attack is expected to cost them between $200 and $300 million dollars due to lost business.  At this point no lawsuits have been filed but that doesn’t mean that there won’t be any and if there are, that would add to the cost.

That is in spite of the fact that they say that no third-party data was lost.  Does that wording mean that they lost no customer data but did lose company data?  They are not saying.

They are saying that they have added more security measures as a result of having to shut down their port operations.

Another company, Merck, says that it STILL has not fully recovered from the attack and said that the attack affected manufacturing, research and sales worldwide.

Part of Merck’s costs are going to be due to losses related to their active pharmaceutical ingredient operations which “grow” certain ingredients.  If the computers that control them go offline, it could affect the entire batch and, depending on how long it takes to recover from that, it could dry up the supply chain for certain products.

Merck says that it does not yet know the magnitude of the impact on operations.  I think it is safe to say that if they have not recovered from the outage after SIX WEEKS, the cost will be significant.

And last week, FedEx said that the cost of their downtime, missed deliveries and lost business due to NotPetya will be MATERIAL to their full year profit and loss.

So here we have three very profitable multi-nationals with sophisticated IT operations that were affected by this recent ransomware. They are all saying that it will cost them a lot of money.

It is reasonable to conclude that if you are not ready to respond to a ransomware attack – of which there are at least hundreds every day – that your operations could be impacted and your finances will likely take a hit.

As the Boy Scouts say – BE PREPARED!

Information for this post came from CNBC and Threatpost.


The $10 Million Alternative to Paying Ransomware

Earlier this year, the Erie County Medical Center in Buffalo, New York was hit with a ransomware attack.  ECMC is a level 1 trauma center, teaching hospital and regional center for a variety of medical services – including, unfortunately, ransomware.

At 2 A.M. on Palm Sunday computer screens across the medical center flashed “What happened to your files?” and thus began a saga which is still playing out.

In the end 6,000 PCs were affected and many were infected.  The hackers wanted 1.7 Bitcoin for a key to decrypt each PC or 24 Bitcoins to decrypt all of the computers.  At the time, that represented about $25,000 to $30,000.

By 3:30 AM they had shut down all computer systems as a precaution.

The next decision was whether to pay the ransom or not.  By 5:30 AM they had called in cyber security experts from the consulting firm of Grey Castle from nearby Troy, NY.  Their incident response plan was working.  As Grey Castle’s experts explained to the management team what happened, they were in shock.  Kind of like their patients sometimes.  And, like those patients, they were making life or death decisions about the hospital’s IT systems.

After considering their options, they decided not to pay the ransom for a variety of reasons – they had backups, they could use a regional health information network called HealtheLink to get records from up to the time of the attack and they didn’t really know if they could trust the outcome if they did pay the ransom.  Would the data be intact and could they even trust the hackers to deliver the keys?

The hospital borrowed laptops and placed them in the emergency room and ICU and created an ad hoc network to get access to HealtheLink.

In the meantime, the disaster plan came into effect.  The hospital went back to paper patient charts.  Many hospital staffers had never worked with paper charts in their lives, so the road was a bit bumpy.

All in all the hospital’s disaster recovery plan worked.  From the initial attack on April 9 they marched forward.  By April 19 – 10 days later, they had wiped computers and started delivering rebuilt computers to some critical departments such as emergency and critical care.

By early May doctors could begin to upload progress notes.

By mid May doctors could enter electronic prescriptions again.

In addition to working with Grey Castle, the hospital engaged experts from Microsoft, Cisco, Symantec and Meditech (their electronic health records vendor).   They brought in IT staff from Catholic Health Services and other hospitals, and staff worked on their days off.   This was truly an all hands on deck effort.

Amazingly, the emergency room never went on diversion, which is critical because they are a level 1 trauma center.  Diversion is a process where ambulances are sent to more distant and sometimes less qualified hospitals because the primary hospital cannot accept new patients for some reason.

Six weeks after the attack they were close to back to normal.

There are lessons here; some of which the hospital had in place and others that they learned as a result.

ECMC says expenses tied to the event were nearly $10 million.

Half of that money was for new hardware, software and assistance.  The other half was for overtime pay and other expenses and reduced revenue.

In addition, the hospital predicts expenses going forward of $250,000 to $400,000 a month for employee education, system upgrades and hardening of systems.

So what are the lessons?

  • Having a tested incident response plan allowed them to respond to the situation quickly and avoid having to turn away customers (ambulances).
  • A tested disaster recovery/business continuity plan allowed the hospital to operate minus all the hardware and software they were used to working with.
  • The ability to get help from (competing) hospital systems in town gave them some much needed extra resources.  Whether by formal agreement (usually called mutual aid and commonly used by emergency services) or informally, having a plan to marshal outside resources can be very helpful.
  • Practicing for emergencies is critically important and that is not a one time event.  Just like anything complex, it needs to be rehearsed over and over until it is automatic.
  • A big part of their success can be attributed to their cyber insurance.  Just last year they made a decision to increase the insurance policy amount from $2 million to $10 million and while insurance never covers all costs, if it covers 75%, that allows the hospital to do what they need to do.  Insurance will never pay for those things that you should have done but didn’t, but it will pay for a lot of things – IF YOU HAVE THE RIGHT POLICY!

On the other side of the equation, however, are the lessons learned from the incident.

  • How come they did not detect the event more quickly?
  • How come the ransomware was able to attack so many computers (HINT:  the network was not partitioned effectively)?
  • The fact that they are having to spend that $250-$400k a month NOW is because they did not take cyber security seriously enough before.  Would you rather spend $25k a month now or $400k a month later?  Kicking the cyber security can down the road was an expensive lesson for ECMC.

The good news is that any business can learn from events like this.  Are you prepared – really prepared?

Information for this post came from the Buffalo News and another Buffalo News article.

