Anthropoid wrote:
jack t ripper wrote:
It's much more sinister than simply destroying files. The damn thing subverts the entire electronic medical record system utilizing a previously unknown Microsoft system vulnerability that was apparently discovered by the NSA and THEY wrote the kernel that runs the thing.
How the thing works is the system administrator gets a message saying "pay $100,000 in bitcoin by tonight and we will turn on your system again"

Standard practice is to have periodic backups of a system and to have at least two copies at all times, but preferably 3+. The backup process typically involves checking for file consistency (is the copy over here different than the copy over there?) and does not generally involve any elements of the OS, which is to say: you have two-plus copies of the OS on different drives in different locales (and preferably in different regions even). The backup systems have heightened security and restricted access . . .
I've had only one systems admin course and one OS course so I'm definitely no expert, whereas the guys that made the malware almost certainly ARE experts. But I suspect that, depending on how this malware works, failing to follow best practices and/or taking short-cuts on best practices is probably a major contributing factor to how it gained a foothold.
With an "ideal" Active Directory setup, the malware would have to not only infect the OS on its initial target machine (which in itself might have been thwartable with better practices), but it would then have to fool the consistency checking and backup process AND manage to infect the backup OS, which would likely mean doing things that the infected OS never did in the first place.
Or better yet, an actual air gap between the front line system and the back-up. Part of the problem I think is the complexity and demand for 24-hour-a-day access for an electronic medical record. Critical lab results and x-ray results for example have to be up to date by the minute or there is chaos. Ditto order entry for meds.
Even worse, the x-ray/MRI database is usually a proprietary thing that has to liaise with the main EMR. Ditto lab results which are often managed by a contract lab with its own system. Ditto billing which is, believe it or not, often DOS based.
Then you have add-on software that Medicare essentially requires and it is a real nightmare. Often there are liaisons with outside electronic record systems for the physicians so they can get results in their offices or even write orders or notes remotely.
All you need is an interruption for 1 day and a big hospital can lose tens of millions and piss off all the patients and doctors who then might go elsewhere.
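The backup consistency check mentioned in the quoted post ("is the copy over here different than the copy over there?") is the piece a defender can actually automate. The following is an added example, not code from anyone in this thread: it hashes every file in two copies of a backup tree and reports files that differ, are missing, or have appeared unexpectedly, which is how an offline or air-gapped copy can be checked before it is trusted for restore. The directory layout, file names and contents are constructed for the demo.

```python
"""Backup consistency check: compare two copies of a backup set by content hash.

Added example (not from the thread). Assumes backups are plain directory trees
reachable from the verifying host; the sample files below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backup images are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_copies(primary: Path, secondary: Path) -> dict:
    """Report how the secondary copy diverges from the primary copy.

    'changed'    : same path, different content (e.g. overwritten or encrypted)
    'missing'    : present in primary, absent in secondary
    'unexpected' : present in secondary only (files that should not be there)
    A clean pair of copies yields three empty lists.
    """
    a = build_manifest(primary)
    b = build_manifest(secondary)
    return {
        "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
        "missing": sorted(a.keys() - b.keys()),
        "unexpected": sorted(b.keys() - a.keys()),
    }


def demo() -> dict:
    """Construct two copies of a small backup set, tamper with one, and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "copy_a"
        secondary = Path(tmp) / "copy_b"
        for root in (primary, secondary):
            (root / "emr").mkdir(parents=True)
            (root / "emr" / "patients.db").write_bytes(b"constructed sample record data")
            (root / "emr" / "labs.csv").write_bytes(b"id,result\n1,ok\n")
        # Simulate damage to the secondary copy only: one file overwritten with
        # unrelated bytes, one deleted, and one stray file dropped into the tree.
        (secondary / "emr" / "patients.db").write_bytes(b"\x8f\x1a\x00\xffnot the original")
        (secondary / "emr" / "labs.csv").unlink()
        (secondary / "emr" / "README.txt").write_bytes(b"constructed stray file")
        return compare_copies(primary, secondary)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running the script prints one changed file, one missing file and one unexpected file. In practice the manifest of the primary copy would be written once at backup time and stored with the offline copy, so that verification of the backup does not depend on the possibly compromised production system still being intact.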