Ransomware Attack in Hospital


RolfGutmann
Senior Member
 

Re: Ransomware Attack in Hospital

Post Posted: May 26, 17 12:35

Do you need more help?  
 
  

kacos
Senior Member
 

Re: Ransomware Attack in Hospital

Post Posted: May 26, 17 12:38

FWIW, in certain cases, some of the 'encrypted' data can be recovered with a carving tool.

www.scmagazineuk.com/f...le/662661/  
 
  

dsacn
Newbie
 

Re: Ransomware Attack in Hospital

Post Posted: May 26, 17 13:16

Thanks for sharing!  
 
  

jaclaz
Senior Member
 

Re: Ransomware Attack in Hospital

Post Posted: May 26, 17 15:20

- kacos
FWIW, in certain cases, some of the 'encrypted' data can be recovered with a carving tool.

www.scmagazineuk.com/f...le/662661/


Some more details are given here:
www.scmagazineuk.com/w...le/662657/

BUT it won't happen in the real world (not for any sensible amount of data).

The ransomware, in order to encrypt a file, of course needs to keep the "source" file until the encryption of that file has completed, i.e. it creates a new encrypted file and, as soon as its creation is complete, deletes the "source" one.

This deletion is a "plain" deletion (not a "wipe") so right after the encryption of a single file the original file extents are added to the "unallocated" area and can be carved back to life (losing path, filename and all file system metadata BTW).

Then the malware goes to the next file to encrypt.

On a volume with lots of free space it is likely that the extents of the original file are not immediately overwritten, but on any volume where free space is "tight", or anyway once the malware has looped through the encryption process thousands or tens of thousands of times, only the last few files that were encrypted may - at the most - be recovered by carving.

This technique may provide some (anyway very partial) success only in a teeny-tiny number of cases, namely where the user by pure chance immediately noticed that the ransomware was running and encrypting files and had the promptness of "pulling the plug".

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
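The allocation argument in the post above, modelled as an added example that is not from this thread: a toy block volume (the names Volume, recoverable_after_encryption, MAGIC and BLOCK are all constructed) in which each file is replaced by a fresh ciphertext file before its source is plainly deleted, after which a header carver scans only the unallocated blocks. With plenty of free space every original is still carvable; with tight free space only the last couple survive.

```python
import random

BLOCK = 16            # bytes per block in the toy volume
MAGIC = b"DOCX"       # constructed stand-in for the header signature a carver scans for
FILE_BLOCKS = 2       # every sample file spans two blocks


class Volume:
    """Toy block device: `free` is the allocation state, `blocks` keeps bytes after deletion."""

    def __init__(self, n_blocks, seed=1):
        self.blocks = [bytes(BLOCK) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))   # allocator hands out the lowest free block first
        self.rng = random.Random(seed)

    def noise(self, n):
        # Filler bytes >= 0x80 can never spell the ASCII MAGIC, so carving has no false positives.
        return bytes(self.rng.randrange(0x80, 0x100) for _ in range(n))

    def write(self, data):
        need = -(-len(data) // BLOCK)
        if need > len(self.free):
            raise OSError("volume full")
        extents = [self.free.pop(0) for _ in range(need)]
        for i, b in enumerate(extents):
            self.blocks[b] = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
        return extents

    def delete(self, extents):
        # "Plain" deletion: extents return to the free list, their contents are left untouched.
        self.free.extend(sorted(extents))

    def carve(self):
        # Look only at unallocated blocks; the byte right after MAGIC is the sample file's id.
        return sorted(self.blocks[b][len(MAGIC)] for b in self.free
                      if self.blocks[b].startswith(MAGIC))


def recoverable_after_encryption(n_blocks, n_files):
    """Replace n_files the way the post describes (new ciphertext file first, then a plain
    delete of the source) and report which originals a header carver can still find."""
    vol = Volume(n_blocks)
    originals = [vol.write(MAGIC + bytes([i]) + vol.noise(FILE_BLOCKS * BLOCK - len(MAGIC) - 1))
                 for i in range(n_files)]
    for extents in originals:
        vol.write(vol.noise(FILE_BLOCKS * BLOCK))   # ciphertext stand-in carries no plaintext header
        vol.delete(extents)                         # source freed only after the new file is complete
    return vol.carve()


if __name__ == "__main__":
    print("roomy volume:", recoverable_after_encryption(200, 10))
    print("tight volume:", recoverable_after_encryption(24, 10))
```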
 
  

Emyliana
Newbie
 

Re: Ransomware Attack in Hospital

Post Posted: May 26, 17 17:28

- MDCR
- Emyliana
I expect a response from all of you

Wow, I had no idea I was getting paid to give support to a hospital in Indonesia. Wait - I'm not.
Oh.. sorry. I have just noticed that. It was a mistyping error.. I just need a response from all of you regarding these issues

- Emyliana
1. How to trace the evidence of ransomware?
2. Where to get the evidence and information about the sender?
3. Can we trace it with the IP address?
4. How to decrypt the data without exchanging bitcoin with the attacker?
5. What prevention steps can be applied against this ransomware attack?


Going to give a limited response to the points that matter:

1-3. Going to skip these since you probably don't have any incident response, logs, forensics people - or any security since you're asking about it here. Treat it like a virus infection of the human body: cure the symptoms and learn from this experience to grow so you won't be hit again in the future.

4. You don't. You restore the systems and the data from a backup solution, which you apparently do not have.

5. Get proper security - not stupid infosec paperwork - malware doesn't give a crap about your certification/accreditation: back up data, harden clients, secure your network and do some user training.
 
 
  

Emyliana
Newbie
 

Re: Ransomware Attack in Hospital

Post Posted: May 30, 17 07:46

Hi, I have got some trouble in my workplace right now and the IT department is also investigating to solve these issues. I am one of the medical record officers at one of the private hospitals in my country. The ransomware encrypts the data of several patient records on hospital computers, and only in exchange for 100 bitcoins will the attackers decrypt the data again. This is critical for hospitals because they deal with very sensitive patient data.

Therefore, I would like to ask for the solution on:
1. How to trace the evidence of ransomware?
2. Where to get the evidence and information about the sender?
3. Can we trace it with the IP address?
4. How to decrypt the data without exchanging bitcoin with the attacker?
5. What prevention steps can be applied against this ransomware attack?

I hope for a response from all of you regarding these issues, and maybe your ideas/comments and solutions can solve my case.
Thank you

Are there any other opinions and solutions from others?  
 
  

RolfGutmann
Senior Member
 

Re: Ransomware Attack in Hospital

Post Posted: May 30, 17 12:23

Listen,

It sounds impolite to still be asking for more solutions, as in the previous posts you got professional help and enough solutions to decide on!

All solutions are on the table! It's your task to act.  
 

Page 2 of 4