Qilin Ransomware: Analyzing the threat that hit London Hospitals 

They want money ?

@@ZzzZzz-yd2je yes but that is a very concerning way to do it, i mean imagine probably killing a few people just for some money, what a scummy and sad way to do it.

​@@ZzzZzz-yd2je Exactly. Same reason governments send their people to die in wars: more resources.

@@wfwfwffw I mean, whoever does this in the first place isn't exactly ethical to begin with. It's not that surprising.

As much as I can respect the talent/ingenuity of someone whom can find loopholes in the system, I'm also appalled at the idea that someone would target such a critically delicate part of infrastructure (don't Cancer patients suffer enough as it is?)

Hear hear

This isnt possible now a days. I Work in the Radiotherapie. It is Impossible to Store a hole patien Data on paper. The importend parts are stored in paper, But its a small part of the Medical importend History.

If you rewrite this virus a little bit then you can do it easily but let's be real, no one uses DVD Disk anymore

@@anonuser260 Yeah? How will you rewrite it to modify the files on a read only disc?

@@filipstamate1564 maybe you can make a copy -> encrypt and corrupt the dvd

@@filipstamate1564By hijacking the kernel and overriding the read and write procedures. Write encrypted data to the CD on the first write and encrypt the data during the read process if not already encrypted. Buy lets be real, who thinks a CD-R is more cost effective than CD-RW for data that has to change.

@@filipstamate1564 scramble the output when a file is opened/read

I'd argue SentinelOne is close. However, I think he mostly focuses on private AVs specifically Kaspersky cause he's paid by them

@@IPendragonI in 2023/2024, the top 3 are Crowdstrike, MS, and SentinelOne. I would venture to say any of the leaders are going to close, so definitely agree.

*cough* *cough* SElinux *cough* *cough*

which company in Serbia?

@@user-td8ng4dn1r EPS (Elektroprivreda Srbije) experienced the Qilin attack

​​@@user-td8ng4dn1r Elektroprivreda Srbije got attacked by the said sample

@@Kokomilenkoski1202 ty for resposne

Many if not most EPP vendors do, but often they disable/bypass the endpoint protection before encrypting.

I would guess the developers of the ransomware would try this and implement their own, different system.

For ransomware protection, integrity monitoring-based rules can be highly effective. For example, a robust integrity monitoring service can revert changes made to critical systems. By setting a rule that triggers when more than 100 files are modified at once and is classified as sensitive, the system can automatically revert those 100 files and lock down the endpoint for investigation. Simple rules like this can significantly enhance.

I'm well outside my knowledge so take this as you will, but malware and security are at an arms race with each other. You can design security for heuristic checking of that behavior, but malware authors will then build their malware to either circumvent the security or they will attack the security directly before executing their payload. At 2:58, this malware disables services before encrypting the files. I imagine this is done to weaken the system and make the malware more successful. So you're not wrong. I wouldn't be surprised if some antimalware tools already do this. But there is no "permanent" solution either. Malware authors will just work on a workaround, and then you have to defend against that. Endless cycle.

Hello, Please be aware that, in most cases, software cannot disable the service of EDR solutions due to tamper protection and from reading the service that more of policy and data logs plus services. But it will not be able to target the edr.

Depends on ... are diagonstic systems also infected. Example Work CT scan and Radiodiagnostic record system? If yes "stroke unit" are realy in Trouble. Siemens make a good Job in secure there applience. To prevent infection.

it will encrypt over already encrypted ones

Even the health care workers are well trained. There's always a chance a Chinese spy infiltrate to run "Qilin"

I think so, in Chinese that Q is pronounced similarly to how “ch” would be pronounced in English

Bye 👋

I'm not sure what being a private citizen has to do with anything, but if you encrypt your data prior to the ransomware affecting the machine, then you will at least be safe from the threat of the ransomware group selling the data. It does not, however, protect you from the denial-of-service attack that inevitably occurs, and will not prevent destruction of data. So, you can solve 1 problem, but the other 2 problems still remain. The problem with performing encryption - especially in real-time, and/or if there are numerous changes that happen constantly (like in a database), and/or if you are working with very large filesizes (at least in the gigabyte range and above) - is that it is extremely expensive in terms of processing power, it's slow to encrypt a large amount of files, and decryption takes even longer. Imagine working with a shared Excel sheet that multiple users are interacting with. It's not impossible to encrypt something like that in real-time (BitLocker is a popular service by Microsoft, for example), but the amount of problems it can/would cause makes it infeasible.

Yes

It is just so much more convenient to have admin accounts - and some always sneak in somewhere by someone. So one senior doctor may have acquired admin priviledges by being friends with the IT staff, and therefore just runs all computers in the doctor's offices on his floor with admin priviledges, because it's so much more convenient. One other ignorant employee just needs to click on the wrong phishing e-mail and it's done. So yeah, virtually impossible to have no admin priviledges anywhere.

@@antonk.653 If you still have users (and IT admins) with admin rights on their normal accounts and no seperate accounts for admin rights, you are still living in the middel ages. It's really not done anymore.

@@ctrlaltdude If you knew how much middle ages you still encounter on a regular basis!

He's paid by them, so he can't. I've been asking for months for him to talk about it

ARM is just a CPU architecture, it's not Apple exclusive. You'll see more and more Windows laptops running ARM CPU these days. No one ever claimed Mac is immune to malware, they have a very small market share, so the criminals logically just focus on the bigger slice of the pie - workstations and servers of organisations running Windows.

@@neloangelo__13 Yeah I know about the ARM architecture. My sarcastic comment was not directed at ARM chips but at Leo's comment that even Apple's we susceptible to malware and hacking. And there are ABSOLUTELY Apple fanboys out there that have said Apple's were immune to hacking for decades! That is what I was making fun of! Thanks.

bitdefender

@@enpassantcheckmate nope, mine installed vpn on its own lmao

Pretty random request lol. You dont need to use the av vpn

@@GBR9794 I think you need the antivirus plus one and not total security package

It is probably carelessness or even working foul play that allowed access

Russia hacker?

Yes

R*ssians as usual

You didn't bother to watch the video, did you?

What are you talking about lol. What do you want him to do? I think he is very clear and easy to understand. And i have never seen someone complain with something like that before

@@TeenPerspektiva Like it says, jamming edits together without a break between sentences. What to do? Use a break. And now you've seen someone complain about it.

@@louf7178 well i havent been able to notice the problem you are trying to point out. I dont see this jamming of edits you are talking about. Seems decently paced to me..

@@TeenPerspektiva 2:12 - 3:16 It got info-dense, and I was expecting the rest to be similar. It did get better after that. For people that are not fluently familiar with the content, it gets to be too much.

@@louf7178 i see. Thats fair enough