At a glance.
- Ransomware claims a life in Düsseldorf.
- Maze ransomware changes tactics.
- Students object to online proctoring as malware (and "show dominance").
Lethal ransomware in Germany shows that life can be at risk, too, not just privacy.
An attack at a major German hospital brought down internal systems and forced a woman in need of emergency care to travel twenty miles to another city, in the first documented ransomware-related fatality, Bleeping Computer and ABC News report. According to the AP, the patient died during transport to another hospital when the ransomware attack rendered emergency services at Uniklinik Düsseldorf unavailable. The hackers exploited a known and patchable Citrix ADC vulnerability, apparently intending to target an affiliated university, and when contacted about their mistake, quit the attack. Which gang hit Uniklinik Düsseldorf is unclear, but the hospital says it's remediating the attack. Ransomware groups Maze, DoppelPaymer, Nefilim, and CLOP say they don’t target hospitals. Over seven hundred US healthcare facilities were hit last year, with one cybersecurity expert calling the death “inevitable.”
We received comments on the sad incident from Tim Erlin, vice president of product management and strategy at Tripwire, who wrote:
“When cyberattacks impact critical systems, there can be real-world consequences. We’re not used to thinking of cyberattacks in terms of life and death, but that was the case here. Delays in treatment, regardless of the cause, can be life-threatening. Ransomware doesn’t just suddenly appear on systems. It has to get there through exploited vulnerabilities, phishing, or other means. While we tend to focus on the ransomware itself, the best way to avoid becoming a victim is to prevent the infection in the first place. And the best way to prevent ransomware infections is to address the infection vectors by patching vulnerabilities, ensuring systems are configured securely, and preventing phishing.”
Randy Watkins, CTO at Critical Start, also sent us comments:
"Ransomware is an attack that's gaining popularity and attention. From an attacker's perspective, it's easy to use, effective, cheap, and was initially a way to quickly monetize on encrypted data. Like the rest of technology, this attack has evolved. Ransomware is being used to target organizations that may have sensitive data or critical systems, driving up the ransom with the added risk of information leakage. More terrifying is the targeting of hospitals. While some attackers have sworn not to target hospitals, others see it as a guaranteed payout with ultimate hostage, human life. To defend against these attacks, hospitals need to evolve their cyber security posture by ensuring computer hygiene and proper protection across the organization."
German prosecutors, Reuters reports, have opened a homicide investigation.
Change in Maze ransomware tactics.
Researchers at Sophos describe a change in how Maze ransomware is being distributed. The operators have begun distributing their ransomware payload inside a virtual machine, which renders the threat to data availability and privacy more difficult to detect. The Ragnar Locker gang began using the tactic earlier this year, and Maze is willing to learn from its criminal competition.
But then, they're never happy.
Some university students aren't thrilled about what they see as their new Big Brother. Remote proctoring solutions like Proctorio, Respondus, ProctorU, and Proctortrack, which variously require students to submit photo identification, perform 360-degree scans of their testing environment, activate their microphone and webcam, and have their screens and browsing data recorded while taking tests, are ruffling more than a few feathers, WXII relays.
Some of the controversy surrounds Honorlock, a solution used by at least eleven institutions of higher learning, including the University of Wisconsin-Madison. The issues concern Honorlock's patented secondary-device monitoring system. Termed “malware” by a Badger Herald editorialist, the technology “can detect when these devices are accessing [honeypot] test bank content during an exam” and “capture a screen recording of the secondary device to provide evidence,” according to the company website. The vendor's terms of service set the users' expectations. Honorlock’s privacy statement assures students that they do “not scan your network,” explaining that the technology is “a lightweight Chrome extension, which gives us very limited access,” but adds, “Please understand, however, that no security system is impenetrable.”
Wisconsin says the tool “has undergone a systematic and rigorous vetting and approval process including our campus legal and technology experts.” A University of Texas at Dallas assistant provost explained in the campus paper that Honorlock is needed to make sure grades remain meaningful. (Students in Texas, meanwhile, threaten to test naked “to show dominance,” which is one way of looking at what's being shown.)