Qilin Ransomware: Analyzing the threat that hit London Hospitals
- Published on 18 Jun 2024
- Qilin ransomware hit a pathology services provider, affecting several hospitals in London, causing data loss and delaying surgeries. This video analyzes this Ransomware-as-a-Service operation and its variants. Try the new Malwarebytes for free: mwb.link/4ay7nag (sponsor)
Join the discussion on Discord: discord.tpsc.tech/
Get your business endpoints tested by us: tpsc.tech/
Contact us for business: thepcsecuritychannel.com/contact - Science & Technology
The hospitals affected were unable to access the records for blood stocks, so had to make an emergency appeal for O-negative donors to donate ASAP. This was serious.
it's concerning that people find it in any volume interesting, fun, or important to hijack hospitals with ransomware.
They want money ?
@@ZzzZzz-yd2je yes but that is a very concerning way to do it, i mean imagine probably killing a few people just for some money, what a scummy and sad way to do it.
@@ZzzZzz-yd2je Exactly. Same reason governments send their people to die in wars: more resources.
@@wfwfwffw I mean, whoever does this in the first place isn't exactly ethical to begin with. It's not that surprising.
As much as I can respect the talent/ingenuity of someone who can find loopholes in the system, I'm also appalled at the idea that someone would target such a critically delicate part of infrastructure (don't cancer patients suffer enough as it is?)
Congrats on the 500K subscribers. It is well deserved and earned.
Hear hear
Hitting hospitals is insane
Yeah I can confirm that this attack wasn’t just in the UK, but this attack happened also to hospitals in Sweden
thanks for another film❤
Hospitals need to have physical information alongside the digital; they can't rely on systems/networks. There needs to be a backup for these types of cases.
This isn't possible nowadays. I work in radiotherapy. It is impossible to store a whole patient's data on paper. The important parts are stored on paper, but that's a small part of the medically important history.
Thanks for the valuable information.
Brilliant video. Looking forward to the new Cyber content.
Very interesting, and thank you for explaining
Great video as always. I have to say though that after the latest Malwarebytes update I have been bombarded with popups from it. A video on how to disable those would be nice, as I had to dig around quite a bit to kill them. I don't like needless pop-up messages.
Second. This sample also attacked Serbia
which company in Serbia?
@@user-td8ng4dn1r EPS (Elektroprivreda Srbije) experienced the Qilin attack
@@user-td8ng4dn1r Elektroprivreda Srbije got attacked by the said sample
@@Kokomilenkoski1202 ty for the response
Great video ❤
this is unforgivable
Looking forward to seeing your testing with all major AV/EDR vendors. Crowdstrike is the leader these days, so looking forward to seeing the results from that solution.
I'd argue SentinelOne is close. However, I think he mostly focuses on private AVs specifically Kaspersky cause he's paid by them
@@IPendragonI in 2023/2024, the top 3 are CrowdStrike, MS, and SentinelOne. I would venture to say any of the leaders are going to be close, so definitely agree.
*cough* *cough* SElinux *cough* *cough*
Awesome Thank you for Sharing 💯✴
It may not have impacted 'ER' as you put it, but:
"In total, 1,134 elective surgeries have been postponed as a result of Qilin's attack on Synnovis, which began June 4, and 2,194 outpatient appointments have also been pushed back.
The NHS's previous update from June 14, six days prior to its most recent one, stated that around 1,500 surgeries and appointments had been delayed. That was a combined figure, it should be noted, one that has more than doubled in less than a week."
The real story here is why the hospital Disaster Recovery plans failed to operate.
The reason for these systems failing so badly is that the two key NHS Trusts involved, used each other for their backup - but all used the same single service provider. Most of us would have recognised this potential problem early on.
The good news is that many other NHS Trusts and their laboratory services were about to go down the same route - but are now recalculating the risks. Some good may come from this attack.
Thanks.
So if the data is on a DVD disc there is zero chance to encrypt the data xD
If you rewrite this virus a little bit then you can do it easily, but let's be real, no one uses DVD discs anymore
@@anonuser260 Yeah? How will you rewrite it to modify the files on a read only disc?
@@filipstamate1564 maybe you can make a copy -> encrypt and corrupt the dvd
@@filipstamate1564 By hijacking the kernel and overriding the read and write procedures. Write encrypted data to the CD on the first write and encrypt the data during the read process if not already encrypted.
But let's be real, who thinks a CD-R is more cost effective than a CD-RW for data that has to change.
@@filipstamate1564 scramble the output when a file is opened/read
In my opinion, the security issue lies in the lack of adequate data integrity monitoring and systems based on data classification.
Thanks for another interesting insight into the world of low life Scammers and Hackers
Evaluating different security vendors, if they can handle different ransomware strains, that's good research paper material.
For the rest of you that don't have any remediation against the London threats, CrowdSec CTI is offering a completely free list of 5k+ ipv4s to block threats like this one.
I haven't done pen testing in almost 20 years, because I pivoted to becoming a programmer instead. But why don't you just hook and check if each application is trying to poll all files on the disk, and then see if they are trying to read in specific files like TXT, PDF, etc. Surely it can't be too hard to heuristically determine cryptolockers.
Many if not most EPP vendors do, but often they disable/bypass the endpoint protection before encrypting.
I would guess the developers of the ransomware would try this and implement their own, different system.
For ransomware protection, integrity monitoring-based rules can be highly effective. For example, a robust integrity monitoring service can revert changes made to critical systems. By setting a rule that triggers when more than 100 files are modified at once and is classified as sensitive, the system can automatically revert those 100 files and lock down the endpoint for investigation. Simple rules like this can significantly enhance.
I'm well outside my knowledge so take this as you will, but malware and security are at an arms race with each other. You can design security for heuristic checking of that behavior, but malware authors will then build their malware to either circumvent the security or they will attack the security directly before executing their payload. At 2:58, this malware disables services before encrypting the files. I imagine this is done to weaken the system and make the malware more successful.
So you're not wrong. I wouldn't be surprised if some antimalware tools already do this. But there is no "permanent" solution either. Malware authors will just work on a workaround, and then you have to defend against that. Endless cycle.
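The thread above sketches two heuristics: watch for a process that touches a large number of files in a short window (the ">100 files modified at once" rule) and treat the service-stop burst that precedes encryption as a precursor. The block below is an added example written for this page, not code from the video, the channel or any EDR vendor. It runs the two rules, plus an entropy and extension-rename check, over a constructed event log; the event schema, the thresholds and the sample log are all assumptions chosen for illustration.

```python
"""Behaviour-based ransomware heuristic over a constructed file/service event log (added example)."""
import hashlib
import math
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: float             # seconds since start of capture
    pid: int
    kind: str             # "write", "rename" or "service_stop"
    path: str = ""        # file written/renamed, or service name for service_stop
    data: bytes = b""     # bytes written (write events only)
    new_path: str = ""    # destination name (rename events only)


WINDOW_SECONDS = 10.0        # bucket size; assumed, tune to the host's normal churn
MASS_MODIFY_THRESHOLD = 100  # the rule proposed in the thread
HIGH_ENTROPY_BITS = 7.0      # plaintext is usually 4-6 bits/byte, ciphertext approaches 8
SERVICE_STOP_THRESHOLD = 5   # a burst of service stops = probable defence evasion


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse(events):
    """Return {pid: [alert, ...]} for processes whose activity in any
    WINDOW_SECONDS bucket crosses the thresholds above."""
    buckets = defaultdict(lambda: {"touched": set(), "high_entropy": 0,
                                   "ext_changes": 0, "stops": 0})
    for e in events:
        b = buckets[(e.pid, int(e.ts // WINDOW_SECONDS))]
        if e.kind == "write":
            b["touched"].add(e.path)
            if shannon_entropy(e.data) >= HIGH_ENTROPY_BITS:
                b["high_entropy"] += 1
        elif e.kind == "rename":
            b["touched"].add(e.path)
            if os.path.splitext(e.path)[1] != os.path.splitext(e.new_path)[1]:
                b["ext_changes"] += 1
        elif e.kind == "service_stop":
            b["stops"] += 1

    alerts = defaultdict(list)
    for (pid, idx), b in sorted(buckets.items()):
        where = f"window {idx}"
        if b["stops"] >= SERVICE_STOP_THRESHOLD:
            alerts[pid].append(f"{where}: service-stop burst ({b['stops']} services), possible defence evasion")
        n = len(b["touched"])
        if n >= MASS_MODIFY_THRESHOLD:
            alerts[pid].append(f"{where}: mass modification of {n} files")
        # Encryption signature: many files rewritten with random-looking bytes and given a new extension.
        if b["high_entropy"] >= 20 and b["ext_changes"] >= 20:
            alerts[pid].append(f"{where}: {b['high_entropy']} high-entropy writes and "
                               f"{b['ext_changes']} extension changes, likely encryption")
    return dict(alerts)


def _pseudo_random(seed: int, size: int = 4096) -> bytes:
    """Deterministic random-looking bytes standing in for ciphertext in the constructed log."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


def build_sample_log():
    """Constructed event log (no real capture): pid 100 is a clinician's editor saving a few
    notes; pid 200 behaves like the ransomware in the video, stopping services first and then
    overwriting and renaming every file it can reach. Service and path names are made up."""
    events = []
    for i in range(5):
        events.append(Event(ts=1.0 + i, pid=100, kind="write", path=f"/data/notes/{i}.txt",
                            data=(b"patient notes, revision %d\n" % i) * 40))
    for i, svc in enumerate(["backup-agent", "sql-server", "edr-sensor", "vss", "mail", "syslog"]):
        events.append(Event(ts=12.0 + 0.1 * i, pid=200, kind="service_stop", path=svc))
    for i in range(150):
        p = f"/data/records/{i}.pdf"
        events.append(Event(ts=14.0 + 0.03 * i, pid=200, kind="write", path=p, data=_pseudo_random(i)))
        events.append(Event(ts=14.0 + 0.03 * i + 0.01, pid=200, kind="rename", path=p, new_path=p + ".locked"))
    return events


if __name__ == "__main__":
    for pid, found in analyse(build_sample_log()).items():
        for line in found:
            print(f"pid {pid}: {line}")
```

On the constructed log the editor process raises nothing and the ransomware-like process raises all three alerts. The service-stop burst is the detail the replies above stress: it fires before any file is encrypted, which is why a detector like this only helps if the sensor it runs in is itself protected from being stopped (tamper protection), and why every threshold here needs tuning against a host's genuine bulk-write workloads (backups, indexers, compilers) to keep false positives down.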
Hello,
Please be aware that, in most cases, software cannot disable the service of EDR solutions due to tamper protection and from reading the service that more of policy and data logs plus services. But it will not be able to target the edr.
Software used for Critical Infrastructure should be open source you will not change my mind.
Please do an extensive and deep dive reverse engineering video about this Malware. Get as much technical as possible ! Thanks for the video !
I got first, that's what's up! I love the videos man keep it up!
PS I know you like MWB and have done videos on it. Could you do one on Malwarebytes ThreatDown?
Malware targeting Linux isn't something you see every day, but it is definitely something worth investigating.
I would suspect the build to target linux users comes from the fact that healthcare is a common user for Linux installations, so the threat is there.
Can you do some videos on encryption and testing different options? And actually testing it if possible?
Do they not realize they might need these critical services as well? I assume they don't want to fall victim to such an attack either.
You are the GOAT 🫡
*From a ransomware attack to canceled cancer surgeries. This is beyond messed up...*
Edit: Didn't affect emergency services?
Depends on whether diagnostic systems are also infected, for example CT scanners and the radiodiagnostic record system. If yes, the stroke unit is really in trouble.
Siemens does a good job securing their appliances to prevent infection.
What should I watch out for more in terms of ransomware? I have all of my users well educated on not running stuff and on phishing, but what else can I do? Is there anything? Ransomware is what worries me the most.
RaaS works like a business, malware is cross-platform. Truly we live in a future.
Give IOCs, not only a link to the AV vendor.
Can you try this against ELK?
Whoever is behind this, is not a normal hacker, a very sick individual to target hospitals. I don't believe the hacker community would be supporting or enjoying anything like this.
Password: DONKEY
xD
I bet Gordon Ramsay is a secret criminal haha
What about Black Basta? have you made a video yet?
News flash Kaspersky banned in the United States 😮
Is it actually called "killin" or "chillin" instead?
I think so, in Chinese that Q is pronounced similarly to how “ch” would be pronounced in English
Missing the Analysis
I'm embarrassed that someone working in my country's healthcare system will run an exe on an NHS computer. Why are there no rules that prevent them from doing that physically on their systems?
Even if the healthcare workers are well trained, there's always a chance a Chinese spy infiltrates to run "Qilin".
Could you test the new version of malwarebytes?
Would you kindly do a linux illustration on the same.
Hi
Bye 👋
Would allowing private citizens to have and encrypt their own systems solve this problem?
I'm not sure what being a private citizen has to do with anything, but if you encrypt your data prior to the ransomware affecting the machine, then you will at least be safe from the threat of the ransomware group selling the data. It does not, however, protect you from the denial-of-service attack that inevitably occurs, and will not prevent destruction of data.
So, you can solve 1 problem, but the other 2 problems still remain.
The problem with performing encryption - especially in real-time, and/or if there are numerous changes that happen constantly (like in a database), and/or if you are working with very large filesizes (at least in the gigabyte range and above) - is that it is extremely expensive in terms of processing power, it's slow to encrypt a large amount of files, and decryption takes even longer. Imagine working with a shared Excel sheet that multiple users are interacting with. It's not impossible to encrypt something like that in real-time (BitLocker is a popular service by Microsoft, for example), but the amount of problems it can/would cause makes it infeasible.
Does this type of thing bypass Bitdefenders Ransomware Remediation?
Will such a threat work if the drive is encrypted, like in the upcoming Windows 11 version?
Attacking hospitals is a serious problem for attackers because if somebody dies because of that, they will be screwed.
Thanks for the video.
it will encrypt over already encrypted ones
But how do they actually get them to run their ransomware?
To disable services, this would need to be run with admin privileges? It would be the most basic thing to drop admin privileges from daily-driver accounts, but at the same time it's apparently impossible.
It is just so much more convenient to have admin accounts - and some always sneak in somewhere by someone. So one senior doctor may have acquired admin privileges by being friends with the IT staff, and therefore just runs all computers in the doctor's offices on his floor with admin privileges, because it's so much more convenient. One other ignorant employee just needs to click on the wrong phishing e-mail and it's done.
So yeah, virtually impossible to have no admin privileges anywhere.
@@antonk.653 If you still have users (and IT admins) with admin rights on their normal accounts and no separate accounts for admin rights, you are still living in the Middle Ages. It's really not done anymore.
@@ctrlaltdude If you knew how much middle ages you still encounter on a regular basis!
Does No More Ransom have a tool to decrypt it?
What is the source code for this ransomware? Knowing this helps to prevent it from running.
MSPs are awful, they need to have standards.
But I thought Apple's and Macbook's were immune to malware??!?!?! 🤣😋
ARM is just a CPU architecture, it's not Apple exclusive. You'll see more and more Windows laptops running ARM CPUs these days. No one ever claimed Mac is immune to malware; they have a very small market share, so the criminals logically just focus on the bigger slice of the pie - workstations and servers of organisations running Windows.
@@neloangelo__13 Yeah, I know about the ARM architecture. My sarcastic comment was not directed at ARM chips but at Leo's comment that even Apples were susceptible to malware and hacking. And there are ABSOLUTELY Apple fanboys out there that have said Apples were immune to hacking for decades! That is what I was making fun of! Thanks.
Can you talk about Kaspersky being banned? This is not good one of the best products out there.
He's paid by them, so he can't. I've been asking for months for him to talk about it
Wouldn't be surprised if the virus could be sitting on more hard drives in a hospital just waiting to be activated.
Analyzing?
Wait what, malwarebytes has a dark mode? I no longer have to FRY my eyes every time I scan a selected folder, yay
Can you talk about the one that just hit all the CDK POS that car dealers are using?
Any way to decrypt the affected files?
Yes
What is Better?? Malwarebytes or Windows Defender
Could you analyze the free Steam games "Egg", "Banana", "Cats" and "Banana & Cucumber", to check whether they run anything malicious or mine crypto in the background? These games are extremely popular at the moment and I'm sure a video about them would bring even more visibility to your channel. Love your videos!
System and network isolation is the key of protecting critical systems. Normal users should never have direct access to those systems.
I enjoy this channel, but most of it goes over my head. This is probably too simplistic, but if paying the ransom were made illegal, wouldn't most of it stop? Isn't paying the ransom just financing the victimization of others? It seems immoral to pay the ransom.
A couple of probably dumb questions about malwarebytes. How do I know that malwarebytes, or any similar program, isn't itself malware? It looks like malware bytes is targeted at people who know more about software and computers than I do; is that the case?
Hmm, Indonesia is always a soft target. lol
Hackers are now getting devilish or evil for money 😢😢😢.
Is there an antivirus that does NOT include a VPN in it but still the full package?
bitdefender
@@enpassantcheckmate nope, mine installed vpn on its own lmao
Pretty random request lol. You dont need to use the av vpn
@@GBR9794 I think you need the antivirus plus one and not total security package
It is probably carelessness or even working foul play that allowed access
There is a long story of speculation about how Linux is not immune, just like any other OS.
1. Yes, Linux is not immune.
2. Linux may have some vulnerabilities, just like any other OS. The difference: in Linux it's less likely to find any in stable distros, and more likely in some rolling/unstable ones.
3. Viruses are not typical for Linux. Viruses are typical for Windows :)
4. Malware can be tailored for any OS, and it's more about social engineering. It's just like luring someone into a trap.
now those brits gotta wait another 60 months for their treatment
China hacker?
Russia hacker?
Yes
R*ssians as usual
I only trust Kaspersky to protect me online.
The taste of their food and the face of their women made British man the best sailor in the world
Fucking windows
You didn't bother to watch the video, did you?
Please use some sort of transitions in your videos. Ramming sentences together makes it difficult to listen to.
What are you talking about lol. What do you want him to do? I think he is very clear and easy to understand. And i have never seen someone complain with something like that before
@@TeenPerspektiva Like it says, jamming edits together without a break between sentences. What to do? Use a break. And now you've seen someone complain about it.
@@louf7178 Well, I haven't been able to notice the problem you are trying to point out. I don't see this jamming of edits you are talking about. Seems decently paced to me.
@@TeenPerspektiva 2:12 - 3:16 It got info-dense, and I was expecting the rest to be similar. It did get better after that.
For people that are not fluently familiar with the content, it gets to be too much.
@@louf7178 I see. That's fair enough.
So you're British? You don't sound it. Ugh.....