Both are signs of the cyber insurance world trying to wrap its arms around ransomware, a phenomenon that is leading to costlier payouts, prompting insurers to demand security improvements from policyholders and in some cases driving companies to step back from what they’re willing to cover.
For instance, the annual growth rate in cyber insurance premiums the past four years has been 20%, while the average growth in claims has been more than 39%, according to a report from credit agency AM Best that warned of a “grim” cyber insurance market. Ransomware, AM Best said, now accounts for 75% of cyber claims.
The dirty secret is that insurers have been negotiating payouts with hacking gangs for years. Unsurprisingly, this has made ransomware a viable business model for the gangs.
Western Digital, maker of the popular My Disk external hard drives, is recommending that customers unplug My Book Live storage devices from the Internet until further notice while company engineers investigate unexplained compromises that have completely wiped data from devices around the world.
The mass incidents of disk wiping came to light in this thread on Western Digital’s support forum. So far, there are no reports of deleted data later being restored.
“I have a WD mybook live connected to my home LAN and it worked fine for years,” the person who started the thread wrote. “I have just found that somehow all the data on it is gone today, while the directories seem there but empty. Previously the 2T volume was almost full but now it shows full capacity.”
Other My Book Live users quickly joined the conversation to report that they, too, had experienced precisely the same thing. “All my data is gone too,” one user soon responded. “I am totally screwed without that data... years of it.”
This is exactly why you have more than one backup. Like with carry guns, two is one and one is none. And I've recommended Western Digital in the past. I guess I need to reassess that.
CMS's survey protocol does not include requirements for networked device cybersecurity, and the AOs do not use their discretion to require hospitals to have such cybersecurity plans. However, AOs sometimes review limited aspects of device cybersecurity. For example, two AOs have equipment-maintenance requirements that may yield limited insight into device cybersecurity. If hospitals identify networked device cybersecurity as part of their emergency preparedness risk assessments, AOs will review the hospitals' mitigation plans. AOs told us that in practice, however, hospitals did not identify device cybersecurity in these risk assessments very often. Assessing hospital safeguards for the privacy of medical records may prompt AOs to examine networked devices. Finally, CMS and the AOs do not plan to update their survey requirements to address networked devices or general cybersecurity.
I've been posting for years about how security for medical devices isn't an afterthought. It wasn't thought of at all.
Under active exploitation
This is exactly the sort of attack that you would expect. The print spooler code is almost certainly very old and not really maintained from a security perspective. It's deployed everywhere and very often enabled by users who have been burned once too often by clicking "No" to "Do you want me to turn this on?" messages. And so print spoolers are enabled all over the place when there's very little reason for the software to be running at all. If you have a modern printer (i.e. a 5-year-old or newer network-attached printer) there is no reason for you to have the printer service enabled. You can turn this off via the instructions in the link.
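As an added example (not from the original post or the linked instructions), here is one way to check the Print Spooler on a Windows host and disable it only where the host is not sharing printers, since a host with shared printers is acting as a print server for other machines. It assumes Windows 8 / Server 2012 or later (for the PrintManagement module) and an elevated PowerShell 5.1+ session, and supports -WhatIf for a dry run.

```powershell
# Added example, not from the original post: check the Print Spooler on this
# host and disable it unless the host is sharing printers (i.e. acting as a
# print server). Assumes Windows 8 / Server 2012 or later (PrintManagement
# module) and an elevated PowerShell 5.1+ session. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param()

$svc = Get-Service -Name Spooler -ErrorAction Stop
Write-Host ("Spooler is {0} (startup type: {1})" -f $svc.Status, $svc.StartType)

if ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled') {
    Write-Host 'Spooler is already disabled; nothing to do.'
    return
}

# Shared printers mean other machines depend on this spooler; leave it alone.
$shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
if ($shared.Count -gt 0) {
    Write-Warning ("Host shares {0} printer(s): {1}. Leaving the spooler enabled." -f
        $shared.Count, ($shared.Name -join ', '))
    return
}

# Stop the service and keep it from starting again at boot, then verify.
if ($PSCmdlet.ShouldProcess('Spooler service', 'Stop and set startup type to Disabled')) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    $svc = Get-Service -Name Spooler
    Write-Host ("Spooler is now {0} (startup type: {1})" -f $svc.Status, $svc.StartType)
}
```

Save it as a .ps1 and run it with -WhatIf first to see what would change on a given host before committing to it.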