
NHS IT virus?


phantom


Sounds quite serious. Interestingly, I was on a train back from London tonight and there was someone on the phone trying to get NHS trusts to shut down their servers. It was like something out of a movie the way he kept shouting JUST SHUT IT DOWN!

He mentioned Vodafone and Telefonica too, but I've not seen that reported yet?


I've seen Telefonica mentioned in the press saying they are aware of it but are unaffected. FedEx have been hit, quite a big name there. Sure to be lots more.

Can't begin to imagine the cost to the NHS to put this right. At minimum you're re-imaging every infected device or burning HDDs. They'll carry more technical debt than a large private sector company and were probably quite vulnerable.

If anyone is considering a career in IT, cyber security and software development are key areas right now and for the foreseeable future.


It's actually malware that infects old systems (e.g. Win 10 updated the security to prevent this piece of malware months ago). Sadly some NHS computers are still on Win XP; anyway, someone somewhere messed up and clicked a malware link. It's called the WanaCrypt0r 2.0 virus, it's ransomware and has been around for a while, and the NHS should have been protected from it. Here is the security update for it: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx


You're only as good as your thickest end user, unfortunately.

We had ransomware a few weeks back; as most of our servers are virtualised, the one affected was rolled back a day and restored within 30 minutes. If they had any sense they would be using virtualised desktops as well: every day it reboots, gets re-imaged, and the virus is gone.

I understand that XP may still be used, often due to legacy software, but you really should be able to knock out ransomware and get yourself back into a pretty good state (even if you may have lost a few hours' worth of data at worst) with a few clicks of a button.

Unfortunately, as IT is where bean counters find big cost savings, some departments get into this state. Blame them bean counters!


If you've got Windows, just make sure your patching is up to date.

If you have XP or Windows Server 2003, just turn your computer off ;) (it's not possible to patch it).

It's ransomware and by the looks of it, is a worm infection i.e. needs no user interaction.

Note:

XP and 2003, you can mitigate I suppose. Make sure there is a firewall between your machine and the Internet and that ports 135, 139 and 445 are blocked (normally done nowadays with modern cable/ADSL routers?). Make sure you don't click on any links or load any applications pushed to you by email; this should be common sense.


58 minutes ago, TRL said:

You're only as good as your thickest end user, unfortunately.

We had ransomware a few weeks back; as most of our servers are virtualised, the one affected was rolled back a day and restored within 30 minutes. If they had any sense they would be using virtualised desktops as well: every day it reboots, gets re-imaged, and the virus is gone.

I understand that XP may still be used, often due to legacy software, but you really should be able to knock out ransomware and get yourself back into a pretty good state (even if you may have lost a few hours' worth of data at worst) with a few clicks of a button.

Unfortunately, as IT is where bean counters find big cost savings, some departments get into this state. Blame them bean counters!

Well TRL, my brother-in-law was going on about this years ago, saying it was the way forward to protect from such attacks.

BTW he works in a round building in Cheltenham, so I would guess he knows his stuff :fear:


16 minutes ago, northsomersetred said:

Well TRL, my brother-in-law was going on about this years ago, saying it was the way forward to protect from such attacks.

BTW he works in a round building in Cheltenham, so I would guess he knows his stuff :fear:

You certainly can minimise it by taking the right actions. VDI your desktop estate and virtualise your servers; it really is pretty easy to roll yourself out of a situation, but as mentioned further up, technical debt is a killer.

Of course there are industries where virtualisation may not be possible, but for the most part, it's good.

Oh, the round building where those that work there must not utter its name, but mention Cheltenham, give a knowing nod and everyone knows :laugh:. So top secret, pretty much everyone knows what it is. :)


1 hour ago, TRL said:

You certainly can minimise it by taking the right actions. VDI your desktop estate and virtualise your servers; it really is pretty easy to roll yourself out of a situation, but as mentioned further up, technical debt is a killer.

Of course there are industries where virtualisation may not be possible, but for the most part, it's good.

Oh, the round building where those that work there must not utter its name, but mention Cheltenham, give a knowing nod and everyone knows :laugh:. So top secret, pretty much everyone knows what it is. :)

This is an attack on data/storage.

If you don't realise you're being attacked till it's too late (and your virtualised instance isn't patched/updated), and you don't do scheduled backups, you're toast.

It is still necessary to update your virtualised hosts, update your AMIs and do backups.


Don't store data on PCs, only servers, preferably virtualised.

Protect them with a backup solution like ShadowProtect. It can take incremental backups every 15 minutes, so you can roll back to before the attack with minimal loss.

Also it can replicate to an off site server so if any backup files onsite are affected you're still OK, or use drive rotation as some ransomware can also encrypt attached USB drives.

Having brought a few companies back from the brink after these attacks I've learnt you can never have too many backups!

These viruses tend to leave the OS alone in the main, so often you only need to restore data not whole machines. They need the machines to run so you can see their demands!


3 hours ago, bcfcfinker said:

This is an attack on data/storage.

If you don't realise you're being attacked till it's too late (and your virtualised instance isn't patched/updated), and you don't do scheduled backups, you're toast.

It is still necessary to update your virtualised hosts, update your AMIs and do backups.

Well, that is the basics; if you don't do that as an IT department you get everything you deserve. :)


3 minutes ago, TRL said:

Well, that is the basics; if you don't do that as an IT department you get everything you deserve. :)

Most of the guys here aren't techies so I keep it simple.

Virtualisation is good in many ways, but it's still necessary to do the basics (keeping it simple). This is a ransomware attack (encrypting data and demanding a ransom to decrypt it), and by the looks of it, the attack vector is SMB rather than the normal social engineering vector (which might still be required), therefore easy to automate, hence the mass chaos at the moment. If we are unkind to IT departments, this current attack is the result of poor IT management (MS17-010 has been around since March). Only takes one muppet on the inside to not follow policy and their machine becomes ground zero inside a network; most businesses have a nice shiny FW to filter shit. As they say: like boiled sweets, hard on the outside, soft on the inside.

Backup is key here. If you have virtualisation, all the better - just build a new patched version of your instance and spin it up (again keeping it simple). Depending on how often data backup takes place determines how much data is lost. Obviously, this is just an opinion.
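As an added illustration of the two points made above, that this strain spreads over SMB without user interaction and that the mitigation is blocking ports 135, 139 and 445 (this is example code written for this page, not anything posted by a member of the thread): a small Python detector that reads Windows Firewall log lines and flags an internal host that contacts many peers on those ports within a minute, the fan-out pattern a worm produces and a defender would want to catch early. The log lines are a constructed sample, and the pfirewall.log field order is assumed to be the one shown in the #Fields header.

```python
# Added example: detect worm-like SMB fan-out in Windows Firewall log lines.
# Assumed pfirewall.log layout: date time action protocol src-ip dst-ip src-port dst-port ...
from collections import defaultdict
from datetime import datetime

SMB_PORTS = {135, 139, 445}   # the ports the thread says to block
WINDOW = 60                   # seconds of sliding window
THRESHOLD = 5                 # distinct peers in one window => alert

# Constructed sample, not a real capture: 10.0.0.5 reaches six peers on 445 in
# under a minute; 10.0.0.9 only talks to its file server; 10.0.0.7 is one RPC call.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2017-05-12 10:00:01 ALLOW TCP 10.0.0.9 10.0.0.20 50123 445 52 S
2017-05-12 10:00:05 DROP TCP 10.0.0.5 10.0.0.11 49321 445 52 S
2017-05-12 10:00:06 DROP TCP 10.0.0.5 10.0.0.12 49322 445 52 S
2017-05-12 10:00:06 DROP TCP 10.0.0.5 10.0.0.13 49323 445 52 S
2017-05-12 10:00:07 ALLOW TCP 10.0.0.5 10.0.0.14 49324 445 52 S
2017-05-12 10:00:08 DROP TCP 10.0.0.5 10.0.0.15 49325 445 52 S
2017-05-12 10:00:09 DROP TCP 10.0.0.7 10.0.0.20 49400 135 52 S
2017-05-12 10:00:12 DROP TCP 10.0.0.5 10.0.0.16 49326 445 52 S
2017-05-12 10:03:00 ALLOW TCP 10.0.0.9 10.0.0.20 50124 445 52 S
"""

def parse(log_text):
    """Yield (timestamp, src, dst) for TCP records aimed at an SMB-related port."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 8 or line.startswith("#") or f[3] != "TCP":
            continue
        if int(f[7]) in SMB_PORTS:
            yield datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"), f[4], f[5]

def smb_fanout(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {src: max distinct peers} for sources that touched >= threshold
    distinct hosts on SMB ports within any sliding window of `window` seconds.
    Both ALLOW and DROP records count: a blocked probe is still evidence."""
    by_src = defaultdict(list)
    for ts, src, dst in parse(log_text):
        by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while (events[hi][0] - events[lo][0]).total_seconds() > window:
                lo += 1
            peers = {dst for _, dst in events[lo:hi + 1]}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts
```

On the sample, only 10.0.0.5 trips the threshold (six peers inside seven seconds); the host that repeatedly talks to one file server does not, which is what keeps this rule quiet on normal traffic.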


8 hours ago, bcfcfinker said:

Most of the guys here aren't techies so I keep it simple.

Virtualisation is good in many ways, but it's still necessary to do the basics (keeping it simple). This is a ransomware attack (encrypting data and demanding a ransom to decrypt it), and by the looks of it, the attack vector is SMB rather than the normal social engineering vector (which might still be required), therefore easy to automate, hence the mass chaos at the moment. If we are unkind to IT departments, this current attack is the result of poor IT management (MS17-010 has been around since March). Only takes one muppet on the inside to not follow policy and their machine becomes ground zero inside a network; most businesses have a nice shiny FW to filter shit. As they say: like boiled sweets, hard on the outside, soft on the inside.

Backup is key here. If you have virtualisation, all the better - just build a new patched version of your instance and spin it up (again keeping it simple). Depending on how often data backup takes place determines how much data is lost. Obviously, this is just an opinion.

Indeed. And it also says a lot about keeping internal systems locked down with hardware and software firewalls, where only the relevant ports for any application or user access are open. Lazy network admins can cause massive problems.

If the port is not required, block it. It may be a bit of an administrative nightmare to start with, but it's well worth the hard yards.

Firewall on the outside. Another firewall for web apps. Another firewall to get to the application servers and another to the data tier. With another from the user VLANs going into web and application where needed.

Most damage is done from the inside. Lock the inside down, not just the outside. Your hard boiled sweet analogy is indicative of lots of businesses' IT. It's a good analogy.


27 minutes ago, TRL said:

Indeed. And it also says a lot about keeping internal systems locked down with hardware and software firewalls, where only the relevant ports for any application or user access are open. Lazy network admins can cause massive problems.

If the port is not required, block it. It may be a bit of an administrative nightmare to start with, but it's well worth the hard yards.

Firewall on the outside. Another firewall for web apps. Another firewall to get to the application servers and another to the data tier. With another from the user VLANs going into web and application where needed.

Most damage is done from the inside. Lock the inside down, not just the outside. Your hard boiled sweet analogy is indicative of lots of businesses' IT. It's a good analogy.

And don't forget, most users don't need admin privileges on their machines ;)

In fact, just go to thin client model (cue jokes).


40 minutes ago, bcfcfinker said:

And don't forget, most users don't need admin privileges on their machines ;)

In fact, just go to thin client model (cue jokes).

Indeed, VDI.

If not, no admin rights and no saving locally.

We have fat webbed feet clients in Swindon :)


59 minutes ago, TRL said:

Indeed, VDI.

If not, no admin rights and no saving locally.

We have fat webbed feet clients in Swindon :)

So they ducked the problem then :blink:


Just goes to show that the medical profession aren't lying when they tell us antibiotics are no use against viruses ... if they were, the NHS wouldn't have had such a serious problem.

I'd still have shoved a couple of penicillin pills into me hard drives and USB's if I'm honest though, in case it might have helped a bit eh? 

 


8 hours ago, WhistleHappy said:

Just goes to show that the medical profession aren't lying when they tell us antibiotics are no use against viruses ... if they were, the NHS wouldn't have had such a serious problem.

I'd still have shoved a couple of penicillin pills into me hard drives and USB's if I'm honest though, in case it might have helped a bit eh? 

 

You're sort of right, antibiotics won't work; however, it's not because this is a virus, they just don't work against worms. Give your hard drives a whack with a spade :ph34r:


6 hours ago, Red Right Hand said:

Has anyone thought of just turning it off and back on again?

The next step: Have you tried sticking it up your arse?


Can I ask what is maybe a silly question. My laptop, as in my own, not linked to the NHS or anything. Do I need to be worried? I don't use it regularly, so it's not been turned on for maybe a week or so now. It's running Windows 7. Do I need to do anything?


4 hours ago, Dollymarie said:

Can I ask what is maybe a silly question. My laptop, as in my own, not linked to the NHS or anything. Do I need to be worried? I don't use it regularly, so it's not been turned on for maybe a week or so now. It's running Windows 7. Do I need to do anything?

Do you have the latest update of Windows 7? If not I'd recommend updating to it as that patches the exploit the virus uses. The virus initially gets into your system via emails so be aware if you haven't/aren't going to update, but I'd imagine you'll be ok.


7 hours ago, Dollymarie said:

Can I ask what is maybe a silly question. My laptop, as in my own, not linked to the NHS or anything. Do I need to be worried? I don't use it regularly, so it's not been turned on for maybe a week or so now. It's running Windows 7. Do I need to do anything?

Maybe you should run the vacuum around and do a bit of washing up for a start... then you can shine up the windows with some white vinegar and newspaper... :) 
