Date: 2021-05-27

A Zeppelin ransomware attack has damaged Waikato DHB, and the health minister says it may take weeks to revive 680 computer servers.

Stuff has been given information from a source indicating that the Ministry of Health has identified the malware used in the cyber attack on the health board in recent weeks as Zeppelin ransomware, which first appeared in the dark corners of the internet in 2019.

Health Minister Andrew Little told Stuff he was not informed of the specific ransomware used as it was not his concern. He planned to travel to Hamilton on Friday to meet with health board executives.

“For me, the priority of the moment is for patients to receive the proper care, and for staff to be cared for and able to operate the manual systems they have received. That recoveries are taking place.”

ROBERT KUCHIN / Stuff. Health Minister Andrew Little will travel to Hamilton on Friday to meet with Waikato County Health Board executives as recovery from a malicious cyber attack continues.

The person or group behind the attack remained unknown, and Little was unaware of any further ransom deadlines being given to the health board. He said he did not expect any government agency to have been in contact or negotiating with the hackers.

“Ransom attacks are usually criminal actors as opposed to state actors, but we just don’t know until the investigation is complete.”

“We have a pretty clear approach which is not to deal with hackers … They are looking for a result, they are looking for consequences and even if they do not get what they want, they enjoy advertising. So we do not engage with them.”

It had not yet been determined how much patient data had been stolen. The only confirmation of the theft so far was an email sent to media agencies, including Stuff, on Monday evening, which claimed to be from the hackers.

And there was nothing that could be done to prevent the spread of stolen data, Little said.

“Once the data is obtained and brought under the control of a third party, you lose control of it. You can warn people, you know, good people, not to use data that is not theirs. That’s all you can do.”

They now have some of the data that has been sent to the media, so they will start to be able to identify specific patients and they will contact those patients to let them know that their data has been compromised.

It remained possible that the hackers had access to the health board's systems for days or weeks before the ransomware deployment began. How the health board's IT systems were breached was still being investigated.

LIBBY WILSON / Stuff. Hospital staff had to use paper notes after the cyber attack.

The entire IT system remained offline, cutting off the hackers' access. Email and phones were back up and working.

Each district health board system was separate from the others and no other health boards were infected with ransomware, Little said.

The health board was working through about 680 computer servers that needed to be cleaned, restored and returned to the internet, he said.

“It will go slower than expected, obviously. The last report I had … [on Tuesday] was that they are 20 percent of the way through recovering those servers. It will be more now, but there is still a long way to go.”

There were backup files and this is the basis on which they are rebuilding each of the servers.

The agencies involved are now reluctant to give an estimate of how long the recovery may take, but it could take weeks, he said.

Christel Yardley / Stuff. Waikato Hospital is among those hit by the ransomware attack.

The whole government was on alert and the national security system had been activated. Little had asked the Officials' Committee for Domestic and External Security Coordination (ODESC), composed of government chief executives, to meet on Wednesday to discuss the crisis response.

“They confirmed that they were satisfied that both the DHB and the Ministry of Health have received the resources they need. They have established the right kind of crisis management. They are making progress in recovering the systems,” he said.

Zeppelin ransomware is used

More than a week ago, the Ministry of Health issued an advisory to the health sector to protect itself from the Zeppelin ransomware, which is understood to have been used against the Waikato health board, according to material provided to Stuff by a source who requested anonymity.

The advisory, which came from the Government Communications Security Bureau's National Cyber Security Centre, asked the agencies to load certain indicators into their systems that would notify them of a Zeppelin ransomware attack.

American computer security publication Bleeping Computer has reported that Zeppelin ransomware was first identified on Russian-speaking hacker forums in 2019, and newer versions of the malware have recently been advertised for sale on underground forums.

The ministry has been asked to comment on how much of the health system was provided by this ransomware and why there was no protection against malware which has been circulating on the internet for years.

Jeremy Jones, head of cybersecurity at IT consultancy Theta, said the Zeppelin ransomware had existed since 2019 or earlier, but the latest malware update made it “harder to detect [and] more aggressive”.

“Like a new car. So you drive a Toyota Corolla? Well, the 2008 Toyota Corolla is quite different from a 2020 Toyota Corolla.”

He said it was extremely helpful for ransomware indicators to be shared, but they needed to look for precursors to an attack.

“Zeppelin is just some kind of ransomware … But what many people do not really get is that ransomware is the final stage of a very long sequence of activities that a current cybercrime actor will go through to deliver that ransomware.”

“The adversary in this case would have made a lot of noise about that environment before they could deliver that ransomware.”

Supplied. Jeremy Jones, head of cybersecurity at IT firm Theta, said hackers have taken a different approach in recent years.

Such hackers had changed their tactics over the past year or so, he said. Criminals steal data first and then encrypt it.

“That way if the victim does not pay the ransom, they can still use that data as leverage for extortion or sell it to someone else.”

Jones said that, with the health board's IT systems offline, the recovery would focus on removing aspects of the hackers’ work, such as ensuring they no longer have access to stolen administrative credentials.

Dealing with the issue without engaging the hackers, including restoring encrypted data from backups, was an approach he strongly encouraged.

“As painful as this is for the DHB.”