This is not what we need in these final chapters of 2020 with COVID cases spiking.
> Charles Carmakal, senior vice president for Mandiant, told Reuters that UNC1878 is one of most brazen, heartless, and disruptive threat actors he’s observed over the course of his career.
This is what terrorism looks like in 2020. Horrifying, terrifying, disgusting.
There have been ransomware attacks that are covers for outright attacks, iirc some where the payment and decryption mechanism didn't even function.
On a more theoretical level, it's certainly possible to do both at the same time, two birds with one stone. But it seems a lot of the big gangs are suspected state-sponsored, which is less terrorism and more cyber warfare
NotPetya is a good example. Looked like a broad ransomware attack very similar to the earlier Petya attack. Turned out it was very likely a broad cover for a very narrow attack against Ukraine’s power grid during Russian invasion.
Say what you will about Russia, but I don't believe they'd attack hospitals dealing with COVID in the middle of the pandemic as a cover for some kind of attack.
I know anti-Russia propaganda is at its height now and I even admit it's weird watching how worked up Americans get about stuff they're been doing all around the world since WWII, but as bad as Russia might be, I don't really buy they're behind it.
> Say what you will about Russia, but I don't believe they'd attack hospitals dealing with COVID in the middle of the pandemic as a cover for some kind of attack.
I wouldn't characterize it as an attack, its closer to "preparing an attack". And why not - the former President of the United States outright said on TV that the US had placed dormant implants deep inside key Russian infrastructure without pulling the trigger as a preparations/part of countermeasures for electoral meddling in 2016. The decision to pull the trigger was left as an option for his successor. I do not doubt the Russians may be getting similar "insurance" against a possible unfriendly posture from Washington starting January 2021.
I wasn’t commenting necessarily on this attack. Just saying the claim that ransomware attacks are purely financial is demonstrably untrue in at least one case.
And plenty just want to get paid - it's actually pretty impressive how many take down / don't share if they are paid or actually come through with the decryption keys.
Hard to see how they are terrorists? What are they pushing to accomplish with their terror campaign.
Anyways, my health care system constantly assures me security is its "top" priority and "state of the art".
Not saying that it's the case with most (or even any) ransomware, but it's very common for terrorist organisations/liberation movements/violent non-state actors fund their activities through organised crime. ETA used to rob banks, the Contras trafficked cocaine, the RIRA smuggles cigarettes and launders agricultural fuel, the remnants of the Islamic State have turned to illegal forestry, etc. etc.
I'm not saying all ransom ware attacks are terrorists, just that ransomware attacks are not always profit-motivated, some are covers for larger attacks, some are just disruption operations, and either one of those can be considered terrorism, or cyber warfare. (I am not the user who originally said this was terrorism)
If it's a fake ransomware then yeah that's probably terrorism. If it's fake it's obviously not done for profit. I'm referring to actual ransomware that works, that's done for profit.
> On a more theoretical level, it's certainly possible to do both at the same time, two birds with one stone.
I'm not sure how well that would work. Ransomware generally has responsive and helpful support people, because without that it will be hard to convince victims to pay. If they spend their time instilling fear instead of confidence in the payment process, then no one will pay.
> I'm referring to actual ransomware that works, that's done for profit.
From what I have recently learned, this may no longer be accurate. The latest Risky Business happens to touch upon the subject.
Criminal groups in Russia have financial arrangements with the central government, and may occasionally do some freelancing for them. Now China is getting on the same boat, but apparently with less entrepreneurial approach to target selection.
If they are the only ones, I would be very much surprised. The net result is that ideological and for-profit motives will be harder to distinguish, as the same crew may well be doing different campaigns for different reasons at any given time.
>If they are the only ones, I would be very much surprised. The net result is that ideological and for-profit motives will be harder to distinguish, as the same crew may well be doing different campaigns for different reasons at any given time.
Sure, some of the campaigns might be ransomware, some might be terrorism. I don't see how this disagrees with what I said.
The goal of terrorism is always political. Fear is the tool used by terrorism to reach the goal. Fear is a defining feature, but just means to an end.
As others have noted: while this instance is unlikely to be terrorism, this is a tool that is useful in terrorism and has been used as such in the past.
> The use of violence or of the threat of violence in the pursuit of political, religious, ideological or social objectives
One could argue these are all political. In the end, you can deduce anything to being political.
Or this definition by Alex P. Schmid from 1988:
> "Terrorism is an anxiety-inspiring method of repeated violent action, employed by (semi-)clandestine individual, group, or state actors, for idiosyncratic, criminal, or political reasons, whereby—in contrast to assassination—the direct targets of violence are not the main targets. The immediate human victims of violence are generally chosen randomly (targets of opportunity) or selectively (representative or symbolic targets) from a target population, and serve as message generators. Threat- and violence-based communication processes between terrorist (organization), (imperiled) victims, and main targets are used to manipulate the main target (audience(s), turning it into a target of terror, a target of demands, or a target of attention, depending on whether intimidation, coercion, or propaganda is primarily sought".
Source and more scholar definitions see [2].
For in-depth criteria I can recommend Alex P. Schmid's "Revised Academic Consensus Definition of Terrorism" from 2011 [3] as it is what scholars at Leiden University use.
Regarding the criterium is it always political, see #9:
> 9. While showing similarities with methods employed by organized crime as well as those found in war crimes, terrorist violence is predominantly political – usually in its motivation but nearly always in its societal repercussions;
(Its too large to quote all 12 criteria; again, please see [3] (no HTTPS))
Sometimes, the goal of ransomware is political, but its disguised as if goal is financial. This provides cover for e.g. a state actor.
I take issue with the first two: "idiosyncratic, criminal, or political reasons." Only political reasons is legitimately terrorism. Terrorism and provoking mere "terror" are not the same thing.
> the unlawful use of violence and intimidation, especially against civilians, in the pursuit of political aims.
From Oxford dictionary. Terrorism absolute includes the political struggle. The point is that terrorism uses violence and intimidation to further its goals and that it has no legal base for it.
Terrorist, too; it's a cheap and easy way to apparently get around those pesky human rights. Only caveat is that you can't use it against white people because those are on our side.
You can use it against white people. You just have to dig though their social media until you find at least one of them saying something that can be construed as racist. Then the "domestic terrorist" label applies to the whole group.
On the other hand, I believe that the word terrorism and the characterization of acts as terrorists should not be taken too lightly as it can lead to misuse of power rather quickly.
I wouldn't want to use the word lightly either, but if Russia is trying to destabilize our economy, for their own political gain, and they inadvertently threaten or kill many people in the process (by shutting down hospital information systems)... that is the textbook definition of terrorism.
Oh good, were all part of rogue terrorist nations then. Shall we talk about Vietnam or Korea? Or how about the use of "Strategic Bombing" in WWII, which was specifically designed to crumble cities by terrifying their citizens into leaving. That's not even to mention the use of nuclear weapons, which under this definition would probably make the US the worst terrorist organization in the world.
Perhaps an even closer corollary would be our embargo of Cuba, which effectively cut them off from having viable trading routes. We did it to destabilize their economy, so they would get rid of Communism because we don't like Communists. How many people have died of starvation because we're artificially dampening their economy?
Fear of losing money if you pay the ransom or if you don't pay the ransom? They certainly don't want to make you fear paying the ransom, because that would mean you won't pay and they wouldn't profit.
Fear of losing money if you don't pay the ransom: yes. But this could sort of apply to many salespeople, marketers, negotiators. They want to make it sound very good to take the deal and very bad (yes, maybe scary) to not take the deal.
The way the fear is targeted between ransomware and terrorism is also quite different. Terrorism wants the general public to be scared. Ransomware doesn't want the general public to be scared, because that would lead to people patching their systems, reducing future profit opportunities.
Sure, but the attacks done for revenue reasons would be classified as profit-motivated rather than terrorism. The attacks done for fear would be classified as terrorism. Ransomware attacks are known for having responsive and helpful support people, because they want a reputation for promptly decrypting the data when the payment is given.
We can easily reconcile the two by recognizing that profit doesn't have to be money and that terrorists definitely profit from fear (otherwise they wouldn't do it). Everything we do is for profit, even if that profit isn't measured exclusively in dollars.
We can further reconcile them by saying that the entire mechanism for extracting money from the ransom victim is by making them afraid. In this case, afraid of losing their computer systems.
I'm not following. Are they asking for ransom or not? If yes, then they are getting actual monetary profit, we don't need to think about "profit [that] isn't measured exclusively in dollars". If no, then it's not ransomware.
>We can further reconcile them by saying that the entire mechanism for extracting money from the ransom victim is by making them afraid. In this case, afraid of losing their computer systems.
You might be partially right. But I see it more of them trying to convince you to take a deal. They're trying to sell you something: your data. They want you to have as little fear as possible that you can get your data back. They want you to be 100% confident in the payment process. Yes there's fear of what would happen if you don't pay. But that's a path they want you to avoid. You could almost categorize any negotiation this way. The person you're negotiating with will try to convince you how good it is to take the deal and how bad it is to not take the deal.
The other difference between this and regular terrorism is that regular terrorism wants the general population to be scared. In ransomware, they have no goal at all of making the general population scared. In fact making the general population scared would be counterproductive, because it could lead to people patching their computers making future profits harder.
The hospital chain I work for was hit with ransomware last month. Door locks, time clocks, and photocopy machines still worked, but all computers were down. We use paper records, but it was frustrating and inconvenient. We're not allowed to pay due to laws. Corporate started slowly building us a brand new, but terrible, network 5 weeks after the old one went down. Definitely caused a little staff burnout, but not more than corporate's relentless attempts to extract additional profit from us at the expense of our patients and our wellbeing.
If they treat you like an ATM machine, you treat them as such. 40 hr weeks, go home, and DGAF.
Patients dieing because people don't work 80hr weeks? Why are you working for such a shit management team? That's management's problem. Don't like it? Quit. Really don't like it? Name and shame.
It's unfortunate we live in a day and age that kind of thinking is necissary but it is. Burnout in the middle of a pandemic can get you killed.
We had our computers go down for ~12 hours one day. Paper charts came out, which was a massive undertaking. I could not imagine my system being down for 5 weeks.
Wasn't there a ransomware case in Germany recently where when they advised the hackers that they'd hit a hospital, the hackers immediately turned over the unlock keys, without a ransom?
Not that that is any way a defense, and I'm sure there was as much a self-interested motivation of "We are going to be hit hard if we ransom a hospital _now_" as much as "doing the right thing"...
Self-interest; a financial crime is nowhere as high on the priority list as one causing injury and death. It crosses the line from fairly petty crime to getting an international warrant on your ass.
Exactly. That provincial government in <insert stereotypical corrupt country> who you're paying off may well turn your ass over if you kill people because protecting your industry is their cash cow and they don't wanna lose that because someone killed people.
At a certain point a “hack” becomes an “attack” and the response moves from “police action” to “military response” and I’m guessing that only state actor or sponsored groups are willing to cross that line.
> Not that that is any way a defense, and I'm sure there was as much a self-interested motivation of "We are going to be hit hard if we ransom a hospital _now_" as much as "doing the right thing"...
One involves the violent deaths of hundreds or thousands of innocent civilians.
The other involves financial loss and probably a temporary shut-down of one or more hospitals.
Frankly, a cyberattack is the kind of thing a hospital can and should be hardened against. This is an administrative and regulatory failure being dressed up as "terrorism."
Criminals that use ransomware should be prosecuted and sent to prison, not disappeared to Guantanamo Bay and tortured.
While I agree hospitals should have protocols to handle these situations, it's just not that straight forward. These IT systems are big and complex, and not standardized.
I worked on critical systems in the energy sector and while we were buried in federal compliance paperwork, the systems and software were always a target that was evolving and hard to keep up with. The energy management system was a huge bureaucratic battle between IT and engineering and there were compromises made (that I didn't always agree with) for the sake of support and maintainability within the IT tech landscape. For compliance reasons, and because the system is "offline", upgrades and patches were really challenging and honestly kind of terrifying. The risk of taking something down and impacting grid operations was harrowing. It really made our small team reticent to touch anything. I don't envy these hospitals, it's a really tough battle to ensure your systems are always up to date, locked down, and operational.
Also, a hospital going down is not a small problem. My wife is an ICU doctor for a large hospital and her patients' are sometimes hanging on by a thread. If they lost their EHR and patient history, I imagine that would present a really scary challenge. It's not just financial.
Come on. Blowing up a hospital is a crime, and arguably terrorism. Disabling the hospital and systematically preventing it from treating patients is a lesser thing. But still arguably terrorism if done intentionally.
And yes, it matters if an enemy or friend does it. That's so obvious to not merit discussion.
Is this just pedantry? I'm making room for an interpretation, that's all. Hospitals are a special case. No reason to read any attitude into it. And no reason for a deliberately argumentative response.
Do you actually think that this comment adds to the conversation at hand or are you just using this as an opportunity to wedge in the 'but America does it too!' trope?
I think it's an interesting comment and see no reason America deserves some special shield from criticism, trope or not. It should be responded to on its own merit, just like anyone sharing any other opinion on HN.
It seems pretty irrelavent to me. Nobody was talking about specific state actors, claiming that X is evil while America is a saint, etc. The comment feels like a response to an argument that nobody made.
It's not interesting. Every major thread on HN has at least one comment trying to force the America Bad angle into the conservation regardless of whether the discussion is about the US.
If the primary conversation - derived from the linked article - is about the US and about a topic having to do with something negative about the US, then it's both interesting (as the root source) and makes reasonable sense that it should be in the thread.
Otherwise it's nothing more than a political agenda - someone being triggered and unable to control theirself - being force-wedged into a conversation where it doesn't belong and it degrades the quality of HN dramatically. As it would if the same treatment were applied to any other nation.
Imagine if every large thread had someone trying to force comments about all the bad things France or Britain have done. Every single major thread. Now apply it to dozens of nations. Of course that wouldn't be allowed because it would be insane. It's insane to allow it for the US just the same.
It's not interesting to you. Not every comment needs to be interesting to everyone.
> Every major thread on HN has at least one comment trying to force the America Bad angle into the conservation
This is an extreme exaggeration. Plenty of large threads don't discuss this. I'd wager the vast majority.
> If the primary conversation - derived from the linked article - is about the US and about a topic having to do with something negative about the US…
There are plenty of sub-conversations on every thread that aren't explicitly about the main topic. On this post alone, there are comments about the definition of terrorism, bitcoin, health insurance laws, American military action, etc. It seems like you're singling out "criticism of America" as the only taboo topic for no real reason.
> Imagine if every large thread had someone trying to force comments about all the bad things France or Britain have done.
Nobody is "forcing" comments. People are leaving comments. About all sorts of opinions, including those criticizing other countries. And absolutely none of this happens on "every large thread".
> someone being triggered and unable to control theirself
Didn't sound like the commenter was triggered at all.
Takes a goofy definition of terrorism to get Bay of Pigs to fit.
A military attempt to overthrow a violent leader of another country doesn’t really land in the same category of shutting down hospitals and killing sick people with no political power.
Using violence to attempt to cause a regime change without formally declaring war, sounds much more like the traditional definition of terrorism to me [although maybe not the perfect fit], then randsomware which sounds like organized crime to me.
> Using violence to attempt to cause a regime change without formally declaring war, sounds much more like the traditional definition of terrorism
Or insurrection.
Unless we're talking about some fourth-world wish-we-had-even-bananas republic, there will be geopolitics in play. The rebelling groups are almost certainly being funded, either directly or indirectly, by foreign governments.
Those rebels, are they terrorists or freedom fighters? Are the foreign governments funding terrorism or supporting unnecessarily violent grass-roots opposition? Where does political meddling end and waging a covert war begin?
Sorry, to be clear. The definition of terrorism that most people are used to is the one that involves attacking people not anywhere in the government leadership hierarchy. For example, blowing up a commuter bus serves no purpose to take over a regime (unless the president was on that bus). The end goal is purely to cause fear.
Trying to quickly or quietly overthrow a government is pretty much the opposite of that effect. You want a quick change and the end goal is power, not fear for the sake of fear.
Governments can fall if the people feel they aren't protected, although in practise that rarely happens. Groups like the FLQ, IRA, etc may have bombed civilian targets that really didn't have to do with the government, but they were still clearly aiming at political change.
Which groups do you think is fear for the sake of fear? Lots of groups are characterized that way for propaganda purposes, and deep down inside there are probably more than a few that just want the world to burn, but im not sure any exist that literally claim to just want to cause fear without tying it to some broader political goals.
> Trying to quickly or quietly overthrow a government is pretty much the opposite of that effect
I agree generally that quiet coups aren't generally in the terrorism category, but i still think they have much more in common with terrorism than (apolitical) ransomware does.
Bringing a country to its knees by weakening morale and trust in government is textbook regime change. Ransoming hospitals is fairly depraved, but if you could overthrow an enemy superpower without launching any missiles, would you do it?
You gotta wait for it to be declassified. Syria was likely CIA funded. Same with Libya. Just wait a bit. It all comes out after everyone's stopped caring.
Are you speaking about Syria and Libya today that was a result of the Arab Spring in multiple Arab countries, which took everyone including CIA by surprise? Do you really believe the CIA is capable of something on that scale?
Syria is just as complicated if not more so. It turned into a proxy war between the US and Russia and don't forget ISIS and the many different factions who have received funding from multiple sources.
How many people have been killed in the US this year causing and because of the protests at the hands of government and extremists? I don't think we'll be getting a NATO bombing anytime soon. I also can't picture that happening in Nigeria.
If it took the CIA by surprise, why were Syria and Libya on the short list of countries that General Wesley Clark identified as regime change targets in 2007, three years before the Arab Spring?
Because that's a wish list vs. a "we assume this will happen/are actively working on it list"? I'm pretty sure the CIA also shortlisted every Eastern Bloc state in the 80s for regime change. Doesn't mean the SU fell because of the CIA.
It also acted as a starting gun for every other country on earth to create and/or massively expand their cyber warfare capabilities. Sparking a new arms race for the 21st century, normalizing acts of (cyber) aggression against foreign infrastructure during peacetime.
Assuming the conventional wisdom about the event is accurate:
A state military attacking a perceived threat to the national security of that state (while at the same time doing its damndest to make sure nobody knew about it) is pretty clearly outside the definition of terrorism. It fits squarely into espionage / warfare.
None of the terrorism boxes get ticked. It wasn't a splashy, overt thing meant to instill fear. It wasn't carried out against emotionally-charged targets attempting to incite, nobody claimed credit, etc.
Everything adverse that happens is not terrorism. The term has kinda worn itself out, which is bad, because that word invokes a whole bunch of executive power shifts.
Well, a lot of the turmoil in the Middle East is at least partially (I'd argue mostly) to blame because of the US.
Al Qaeda was trained by the CIA. I think it's relatively accepted that there were no WMDs in Iraq, so that entire invasion/war could be classified as terrorism. There are countless drone strikes with civilian casualties around the world. Whether or not you agree with why we did it, the CIA is credited with Stuxnet (it's terrorism even if you think this is one of the "good" ones).
There are certainly more, but let's not pretend like the US isn't intimately involved in directly inserting itself into international affairs illegitimately.
You should read your links and learn the differences between middle eastern extremists groups. The mujahideen are not Al Qaeda. Most people say the Taliban are trained by the CIA. But even that’s not technically correct. Taliban are also not Al Qaeda.
"Haqqani - one of bin Laden's closest associates in the 1980s - received direct cash payments from CIA agents, without the mediation of the ISI.
"This independent source of funding gave Haqqani disproportionate influence over the mujahideen."
"Haqqani and his network played an important role in the formation and growth of al Qaeda, with Jalalhuddin Haqqani allowing bin Laden to train mujahideen volunteers in Haqqani territory and build extensive infrastructure there."
From a more extensive page linked from there:
"Sheik Omar Abdel Rahman, an associate of Bin Laden's, was given visas to enter the US on four occasions by the CIA [...] Rahman was a co-plotter of the 1993 World Trade Center bombing."
"Afghan Arabs 'benefited indirectly from the CIA's funding, through the ISI and resistance organizations [...] at an estimated cost of $800 million in the years up to and including 1988'"
"The Guardian alleges that the CIA helped Osama bin Laden build an underground camp at Khost, which bin Laden used to train Mujahideen soldiers."
In a 2004 article entitled "Al-Qaeda's origins and links", the BBC wrote:
"During the anti-Soviet war Bin Laden and his fighters received American and Saudi funding. Some analysts believe Bin Laden himself had security training from the CIA."
"Two-time Prime Minister of Pakistan Benazir Bhutto said Osama bin Laden was initially pro-American [and] Robin Cook, Foreign Secretary in the UK from 1997–2001, wrote, 'Throughout the '80s [Bin Laden] was armed by the CIA and funded by the Saudis'.
And what do the Saudis have to say about it?
Prince Bandar bin Sultan of Saudi Arabia stated (in the wake of 9/11):
"He [Osama bin Laden] came to thank me for my efforts to bring the Americans, our friends, to help us against the atheists, he said the communists. Isn't it ironic?"
A war that was started on incorrect pretenses is not the same thing as terrorism. Among other things, the US did not deliberately target the Iraqi civilian population, and made their best efforts to avoid civilians being harmed. The US provided substantial reconstruction aid to Iraq to help undo the damage of the war afterward - more than $60 billion.
However, it's hard to avoid there being some undesired casualties in war, especially when the the fighters on the opposing side are using guerilla tactics and hiding within the civilian population, such as deliberately fighting, sniping, or using mortars from within what are otherwise civilian compounds, or even mosques, forcing the US to either ignore the attacks (unacceptable) or respond and attack mosques and civilian compounds.
All of our soldiers are unformed, with a flag, and follow rules of engagement that involve not attacking anyone except positively identified targets (i.e. observed holding weapons). Terrorist groups operating in the middle east wear no uniform and exploit our rules of engagement by attacking, dropping their weapons before the coalition can respond, then pretending to be civilians. Even though they're the only men-of-age in an area from which an attack just took place, since they stashed their weapons somewhere, the rules of engagement mean that our troops can't do much if they didn't observe a person holding a weapon.
Uniformed soldiers fighting other uniformed soldiers is different than terrorists that attack civilians or soldiers and then hide, pretending to be civilians.
The Iraq war was started on pretenses that we now know are false, but let's not conflate that with groups that deliberately target civilians (with suicide bombs in shopping centers), or conduct attacks even on military facilities and then pretend to be civilians when pursued for a counter-attack.
> Among other things, the US did not deliberately target the Iraqi civilian population, and made their best efforts to avoid civilians being harmed.
Maybe for the second Iraq war, but for the first one that's bullshit – before the first Iraq war, Iraq was the richest third world country. The US bombed it back to the stone age, using more bombs than were dropped on Germany during WW2, hitting civilian infrastructure like water treatment plants, which then resulted in the following years in hundreds of thousands of dead children.
Cyber attacks are probably the least interesting enterprise that North Korea is involved in [1]
They're also involved quite heavily in the illegal drug trade and bootlegging cigarettes and alcohol, using their embassies and diplomats as a distribution network, as well as counterfeiting currency and pharmaceuticals, running an international restaurant chain [2], building statues for tinpot dictators [3], shipping citizens off to Russia as "contract workers", smuggling ivory, trafficking arms, and previously leased out embassy buildings in Berlin to a hostel [4]
The expression "state sponsored terrorism" is vague and subject to a lot of biases. For what it's worth, most state-sanctioned cyberattacks are _not_ profit oriented. They rather aim to disrupt the operations of an organization (see: American cyberattacks against ISIL), establish deterrence (see: the US allegedly planting digital "bombs" in Russia's networks), collect intelligence (see: the OPM hack). The exception being North Korea, a state that conducts cyberattacks for the explicit purpose of making money.
I wonder at what threshold asymmetric responses get put into play, with these actors clearly focused on basic terrorism.
At what point is a ‘kinetic response’ to a cyberattack warranted ?
Terrorism is almost, but probably not exactly the right word, but it's 'of that level of concern'.
If Hospitals nation-wide are under attack, it's a massive national security issue.
We need to figure out some kind of new way to secure general purpose devices - and also - there needs to be much more investment in thwarting and retaliating against these people.
If some random hackers and do this - imagine how badly and quickly a foreign state actor with deep pockets could shut things down.
Does anyone else feel that any organization that isn't doing regular secure backups with a way to restore that data deserves for this to happen? It like an airplane running out of gas because the pilot forgot to fill up the tank. Its kind of step one of working with computers.
You certainly express an unpopular opinion, and at first glance you are right: secure backups should be a priority for any IT organization.
However, not all backups are continuous and pervasive. There are often backup windows, gaps, and processes that halt with no one noticing. Ryuk also actively disables and deletes backups to maximize impact, while also seeking out mount points that might be backup targets - and encrypts those as well.
Of course, we're also talking about hospitals here. Even a well-managed system with hourly differential backups leaves plenty of time for radiology data to be lost in the critical hour before life saving surgery.
More realistically though, how long would it take you to discover and remove a sophisticated penetration, then restore every device, ensure none of the restores are also infected by the malware that had probably been there for a while, and bring a hospital system with thousands of impacted systems back online? 72 hours? A week? A month?
What happens to the patients? Admissions to the emergency room? What if adjacent hospitals are also hit, or are already impacted by the COVID spike and have no open beds?
People literally die due to hospital ransomware attacks. No one deserves that.
Ransomware is akin to kidnapping, it's just the data and customers that are held hostage, not kids or loved ones. Always blame the criminal, never the victim.
There is an expectation that information and services are to be secured with a certain level of care and standards. I don't see how that applies to people.
> Always blame the criminal, never the victim
This argument excludes the concept of negligence. If the victim was grossly negligent then they are also to blame.
There are a lot of systems in a hospital. Maybe 3000 different systems, made by different suppliers, some long gone.
In good countries, we maintain important records and have roll back capabilities on most of the things we control ourselves. But that doesn’t necessarily include the MRI machines windows XP that is maintained by some third party supplier that operates through another 3rd party seller, and that’s just one of the 3000 things that can go wrong.
Then there is the parts where attacks will affect you, even if they don’t do any damage that can’t be reversed. Typically global internet access gets shut down during an attack, but that makes transfers harder. It also makes acute arrivals harder, because the ambulance helicopter might not be in range of your “internal internet” and thus may not be capable of feeding you important live data.
Some attacks target the network itself, and while you’ll generally have a good set of people running that, they aren’t always a match for nation state backed hacking tools.
So there is just a billion things that can go wrong, even if you have the best of the best working on it, and in many countries, there is a good chance that’s not even the case. I can count myself lucky to work in a country where we take digitisation very serious in the public sector, and I can easily see why things could go wrong.
It's easy to say "well they should've filled the tank" when you're comfortably sitting on the ground, but it's little consolation for the people 30,000 feet in the air, or for the patients in hospital waiting for time critical, life saving treatment.
Most of current best practices for backups, redundancy and business continuity are intended for the risks of random disasters. Malicious attacks are substantially different.
There are many organizations which are doing regular secure backups, but are doing so in a way that can be sabotaged once a skilled attacker gains domain admin privileges, and sabotaging backups is one of key things that the attackers are doing after they are in the network and before triggering the ransom encryption. We're not talking about a virus randomly spreading, in such high-ransom targeted attacks the preparation before triggering a ransom is done manually by skilled teams going on from one target to another.
Yes there probably is some blame on the hospitals for not securing things well, but there is a huge difference between preventing something from failing, and preventing something from being actively sabotaged.
If a hospital had random power cables everywhere and someone tripped over one and unplugged an important device, that would be far far more on the side of the hospitals fault than an attack on the computer systems.
> Charles Carmakal, senior vice president for Mandiant, told Reuters that UNC1878 is one of most brazen, heartless, and disruptive threat actors he’s observed over the course of his career.
This is what terrorism looks like in 2020. Horrifying, terrifying, disgusting.