Ransomware Attack in Hospital

(@emyliana)
Posts: 4
New Member
Topic starter
 

Hi, I have got some trouble in my workplace right now, and the IT department is also investigating to solve these issues. I am one of the medical record officers at one of the private hospitals in my country. The ransomware encrypts the data of several patient records on hospital computers, and only in exchange for 100 bitcoins will the attackers decrypt the data again. This is critical for hospitals because they deal with very sensitive patient data.

Therefore, I would like to ask for solutions on:
1. How to trace the evidence of ransomware?
2. Where to get the evidence and information about the sender?
3. Can we trace it with the IP address?
4. How to decrypt the data without exchanging bitcoin with the attacker?
5. What prevention steps can be applied against this ransomware attack?

I hope for a response from all of you regarding these issues; maybe your ideas/comments and solutions can solve my case.
Thank you.

 
Posted : 25/05/2017 5:28 pm
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

If it's a hospital and you have active ransomware happening, it sounds like you're unprepared and/or untrained to respond to such an event.

You should get expert assistance ASAP and contact your local law enforcement for assistance and guidance. Also get your hospital's legal team involved immediately as well.

https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise

If you need professional service help, try some of these

https://www.secureworks.com/contact/urgent-response
https://www.fireeye.com/services.html
https://www.guidancesoftware.com/got-breached

I'm sure there are many others.

 
Posted : 25/05/2017 6:42 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

I expect a response from all of you

Wow, I had no idea I was getting paid to give support to a hospital in Indonesia. Wait - I'm not.

1.how to trace the evidence of ransomware?
2. Where to get the evidence and information about the sender?
3. Is it we can trace with the IP address?
4.How to decrypt the data without exchange of bitcoin from the attacker?
5.What is the prevention steps can be applied towards this ransomware attack?

Going to give a limited response to the points that matter.

1-3. Going to skip these since you probably don't have any incident response, logs, or forensics people - or any security, since you're asking about it here. Treat it like a virus infection of the human body: cure the symptoms and learn from this experience to grow so you won't be hit again in the future.

4. You don't. You restore the systems and the data from a backup solution, which you apparently do not have.

5. Get proper security - not stupid infosec paperwork; malware doesn't give a crap about your certification/accreditation. Back up data, harden clients, secure your network and do some user training.

 
Posted : 25/05/2017 7:22 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Just in case, the THREE GOLDEN RULES (of securing data) are
1) Backup
2) Backup again, storing the backup offline, possibly in a physically different location
3) While considering the implications of Rule #1 and #2, Backup!

About your questions
1) Forget about it; you either don't have it or you have it, and that's enough evidence.
2) Really forget about it, you are not the police, and the sender (if it was an e-mail that triggered the whole thing) of this kind of crap very likely is just someone that was used by the actual malware author, whom you won't be able to find.
3) No, you cannot.
4) It may depend on the specific OS involved and whether the system was rebooted after the infection took place (or hibernated; if it was ever switched off, no way). There are VERY thin possibilities in a restricted number of cases.[1]
5) The usual things: keep your installed OS as updated as possible, educate your users to NOT fall for phishing attempts via e-mail, and secure data by making appropriate backups [2].
If you are actually a hospital (or any other organization with - say - 80-100 users or more), you should already have a local mail server, have WSUS (or similar) updates implemented, besides any kind of firewalling (properly configured), and some capable IT personnel. If you haven't, all of this is not something that can be created out of nothing; it requires money and time, besides - at least initially - the services of some security consultant.

jaclaz

[1] For at least some variants of WannaCrypt on some OS's
https://github.com/aguinet/wannakey
https://github.com/gentilkiwi/wanakiwi

[2] A basic free video course by Troy Hunt
https://www.varonis.com/learn/introduction-to-ransomware/

 
Posted : 25/05/2017 7:46 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

I have little to add except - please remember that English is probably not his native language; "expect" may just be a translation issue.

Jaclaz - there used to be three slightly different golden rules of securing data - or there were when I was in data recovery.

1. Back it up.
2. Test your backup.
3. Keep it offsite.

We had lots of clients who did 1 & 3 but only came to us after testing their backup when it was actually needed. Some of them even commented that they thought the backup to tape was very fast. It was fast because there was no data being written.

 
Posted : 25/05/2017 9:38 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Jaclaz - there used to be three slightly different golden rules of securing data - or there were when I was in data recovery.

We had lots of clients who did 1 & 3 but only came to us after testing their backup when it was actually needed. Some of them even commented that they thought the backup to tape was very fast. It was fast because there was no data being written.

You are correct. I should have added that a backup strategy/method that is not tested (and verifiable) falls under the category of the non-backups.

The real issue with the possibilities of defending oneself against this kind of ransomware is that the backup media MUST be offline (from the network) at all times except for the actual time strictly needed for the backup operation and then needs to be duplicated (2nd backup copy to be later stored offsite) still while offline from network.

jaclaz

 
Posted : 25/05/2017 9:52 pm
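As an added illustration of the "untested backup is no backup" point made in the two posts above (example code, not from any poster): a hash manifest taken while the data is known-good lets a backup or restored copy be verified later, flagging the two failure modes the thread describes, files the backup job never actually wrote and files whose contents were changed (for instance encrypted) after the manifest was taken. The directory layout and record contents are constructed sample data.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def build_manifest(root):
    """Hash every file under root at backup time: {relative path: (size, sha256)}."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            manifest[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest

def verify_backup(backup_root, manifest):
    """Check a backup (or restored) tree against the manifest taken at backup time.
    Returns a list of (relative path, problem); an empty list means the copy verified."""
    problems = []
    for rel, (size, digest) in manifest.items():
        path = Path(backup_root) / rel
        if not path.is_file():
            problems.append((rel, "missing"))
            continue
        data = path.read_bytes()
        if len(data) == 0 and size > 0:
            problems.append((rel, "empty"))            # the "very fast" tape job that wrote nothing
        elif hashlib.sha256(data).hexdigest() != digest:
            problems.append((rel, "content changed"))  # e.g. overwritten by ransomware encryption
    return problems

def demo():
    """Constructed sample data: a tiny 'patient records' tree and two backup copies of it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "ward_a").mkdir(parents=True)
        (src / "ward_a" / "p001.txt").write_text("constructed record for patient 001")
        (src / "p002.txt").write_text("constructed record for patient 002")
        manifest = build_manifest(src)           # taken while the data is known-good
        good = Path(tmp) / "backup_good"
        shutil.copytree(src, good)
        bad = Path(tmp) / "backup_bad"
        shutil.copytree(src, bad)
        (bad / "p002.txt").write_bytes(b"")                        # backup job wrote nothing
        (bad / "ward_a" / "p001.txt").write_bytes(os.urandom(32))  # encrypted after the manifest
        return verify_backup(good, manifest), sorted(verify_backup(bad, manifest))
```

Calling demo() returns an empty problem list for the good copy and [('p002.txt', 'empty'), ('ward_a/p001.txt', 'content changed')] for the bad one; the manifest itself must of course be stored with the offline copy, not on the network the ransomware can reach.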
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

No, choose a different way to solve the problem: a non-technical one, as I do not assume that you or your IT is prepared/able to solve the issue fast.

Just make a fast triage: select which patients are most life-threateningly affected by this issue.
Reconstruct, by talking to the involved medical staff, which are the most critical pieces of information; maybe some people know them in their heads/brains/memories.

Set up a paper process immediately and put down all information out of the short-term memories of the involved medical people.

Then - shut down at least the server where the infected files were found. Disconnect all networking of the respective department.

The biggest fear I have is that the ransomware spreads faster than you realize.

So shut down part of your IT and call your government for help!!!

The time it takes to recover from ransomware is longer than the time you have to save your patients' lives.

There is NO FAST SOLUTION TO YOUR PROBLEM.

 
Posted : 25/05/2017 11:55 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

Do you need more help?

 
Posted : 26/05/2017 12:35 pm
kacos
(@kacos)
Posts: 93
Trusted Member
 

FWIW, in certain cases some of the 'encrypted' data can be recovered with a carving tool.

https://www.scmagazineuk.com/file-carving-can-reverse-wannacry-ransomware-encryption-says-mcafee/article/662661/

 
Posted : 26/05/2017 12:38 pm
(@dsacn)
Posts: 4
New Member
 

Thanks for sharing!

 
Posted : 26/05/2017 1:16 pm