by new_here 1855 days ago
A lot of these articles don't actually mention specifically how the systems were compromised.

Was it a malicious email attachment that propagated through unsecured networks or outdated OS versions? And what data was encrypted? Are we talking regular excel files or actual databases?

It would be interesting to have some more detail or case studies so others could know how to fortify infection points and limit the blast radius of their own systems.

5 comments

So I don't have details on this specific case, but I did work in cybersecurity and can comment on the vast majority of similar cases I saw, including some which made the front page. Every single one I remember came from unpatched OS vulnerabilities for which the patch was already available.

Regular patching is necessary hygiene for corporate IT, but often the department is understaffed, or frankly told by management to prioritize shiny things instead.

Most corporate machines aren't directly on the internet though... How do attackers get through corporate firewalls to access said unpatched machines?

I would guess the easiest way is to phish a login to the corp VPN or to send an email with a malicious attachment to give the attacker something inside the corp firewall as a place to start their port scan of the internal network and begin their attacks.

MITRE's ATT&CK [1] matrix is a great resource for describing incidents like these. To answer your question, it is a combination of Initial Access and Lateral Movement techniques that depend upon an attacker's aims. They're by no means the only activities involved, of course.

https://attack.mitre.org/

Missed patching on what, is my question. Windows, MacOS, Linux, routers, servers, networking, etc. - what exactly is being attacked? Sure you should patch everything, but clearly something is being attacked more than others.

We don't usually get those details published in the case of events, but as someone who's seen more ransomware than I want to admit to, nearly every case comes down to either a Word macro or a .js file inside a zip file, both of which are easily blocked with a GPO.

These guys do a lot of honeypot writeups that are pretty consistent with my experience: https://thedfirreport.com/
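As an added example (not from the thread or from thedfirreport.com), a small Python check for the two delivery vectors named above, a Word document carrying a VBA project and a .js file inside a zip, of the kind a mail gateway or endpoint tool could apply before the GPO blocks ever have to fire; the sample attachments, file names and script-extension list are constructed assumptions.

```python
"""Added example (not from the thread): flag the two ransomware delivery
vectors the commenter names, a macro-enabled Word document and a .js file
inside a zip, by inspecting attachment bytes the way a gateway filter would.
Sample attachments are constructed inline; the file names and the
SCRIPT_EXTENSIONS set are assumptions, not from the thread."""
import io
import zipfile
from pathlib import PurePosixPath

# File types Windows hands to a script host (WSH or mshta) on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def findings_for(name: str, data: bytes) -> list[str]:
    """Return the reasons to block this attachment; an empty list means allow."""
    reasons = []
    if PurePosixPath(name).suffix.lower() in SCRIPT_EXTENSIONS:
        reasons.append(f"script attachment {name}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons  # not an archive and not an OOXML document
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            path = PurePosixPath(member)
            if path.suffix.lower() in SCRIPT_EXTENSIONS:
                reasons.append(f"script {member} inside archive {name}")
            # OOXML files are zips; VBA lives in word/vbaProject.bin regardless
            # of whether the outer file is called .docm or a renamed .docx.
            if path.name.lower() == "vbaproject.bin":
                reasons.append(f"VBA macro project in {name}")
    return reasons


def _make_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples: a zip carrying a .js file, a macro-enabled document,
# and a clean document with no VBA project.
SAMPLES = {
    "invoice.zip": _make_zip({"invoice.js": b"// placeholder body"}),
    "report.docm": _make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"\x00"}),
    "notes.docx": _make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
}


def scan_samples() -> dict[str, list[str]]:
    return {name: findings_for(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(name, "BLOCK" if reasons else "allow", reasons)
```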

My guess is that it's not mentioned because they don't know (yet).

A lot of places that get crippled by ransomware have outdated or underfunded IT departments (health care is particularly bad at this), so that kind of insight is barely on the table at the best of times.

Even when a postmortem is eventually done, companies don't want to have to admit the attack could have been prevented, or at least minimized, with better investment in security.

The media are keen to cover the story ASAP. It can take some time to do an investigation.

I had a hospital appointment this morning; the physio said that the attack happened in one hospital and all IT systems were shut down to prevent it spreading. They were back to paper to manage all appointments. She said the big issue was bed allocation: the live count of available beds was no longer available, and people were running between different departments to see if patients could be admitted and/or ringing other hospitals to find available beds. Luckily the ambulance and COVID vaccination systems were not impacted.