The news that an unplanned ransomware attack to a German hospital resulted in the death of a woman has produced a large number of comments, articles etc. One of the most interesting ones, at https://medium.com/@fluchsfriction/lessons-from-the-first-deadly-hacker-attack-on-german-hospital-2977cb13916f , stresses several important lessons to be learned. Among them, an important one is the attack was not planned. This often happens with ransomware because this attack may involve systems that are infected randomly. In other words, the way malware spreads in a network makes it impossible, even for the attackers, to predict which systems will be attacked. If we recall that several groups are renting their malware to a large number of other groups for a percentage of the ransomware, it is obvious that the number of targets increases exponentially. In my opinion, another interesting point is in the subtitle that claims that “patch all” has failed. At Haruspex, we can rephrase an old Apple commercial to welcome the first IBM PC and say “welcome, seriously”.
We have told in any occasion, meeting or workshop that the important point is patching just the vulnerabilities in the critical attack path from the attack surface to the jewels of the crown. Even more, we have developed, tested, and validated platforms that can compute which vulnerabilities to patch and shown that they are just a few percentages of all the vulnerabilities. Hence, a small number of patches can defeat ransomware and attackers provided that you know which are those to apply.
PS: According to an old legend, the original commercial was “The bastard says welcome” but this was then censured
