Ransomware Attack in Hospital


Emyliana
Newbie
 

Ransomware Attack in Hospital

Post Posted: May 25, 17 17:28

Hi, I have got some trouble in my workplace right now, and the IT department is also investigating to solve this issue. I am one of the medical record officers at a private hospital in my country. The ransomware has encrypted the data of several patient records on hospital computers, and the attackers will only decrypt the data again in exchange for 100 bitcoins. This is critical for hospitals, because they deal with very sensitive patient data.

Therefore, I would like to ask for solutions on:
1. How to trace the evidence of the ransomware?
2. Where to get the evidence and information about the sender?
3. Can we trace it with the IP address?
4. How to decrypt the data without paying bitcoin to the attacker?
5. What prevention steps can be applied against this ransomware attack?

I hope for a response from all of you regarding this issue; maybe your ideas/comments and solutions can solve my case.
Thank you.  

Last edited by Emyliana on May 26, 17 17:32; edited 1 time in total
 
  

jpickens
Senior Member
 

Re: Ransomware Attack in Hospital

Post Posted: May 25, 17 18:42

If it's a hospital and you have active ransomware happening, it sounds like you're unprepared and/or untrained to respond to such an event.

You should get expert assistance ASAP and contact your local law enforcement for assistance and guidance. Also get your hospital's legal team involved immediately as well.

www.fbi.gov/news/stori...n-the-rise

If you need professional service help, try some of these:

www.secureworks.com/co...t-response
www.fireeye.com/services.html
www.guidancesoftware.c...t-breached

I'm sure there are many others.
_________________
------------------------
t: @JasonPickens 
 
  

MDCR
Senior Member
 

Re: Ransomware Attack in Hospital

Post Posted: May 25, 17 19:22

- Emyliana
I expect a response from all of you

Wow, I had no idea I was getting paid to give support to a hospital in Indonesia. Wait - I'm not.

- Emyliana
1. How to trace the evidence of the ransomware?
2. Where to get the evidence and information about the sender?
3. Can we trace it with the IP address?
4. How to decrypt the data without paying bitcoin to the attacker?
5. What prevention steps can be applied against this ransomware attack?


Going to give a limited response to the points that matter:

1-3. Going to skip these, since you probably don't have any incident response, logs or forensics people - or any security, since you're asking about it here. Treat it like a virus infection of the human body: cure the symptoms and learn from this experience, so you grow and won't be hit again in the future.

4. You don't. You restore the systems and the data from a backup solution, which you apparently do not have.

5. Get proper security - not stupid infosec paperwork; malware doesn't give a crap about your certification/accreditation. Back up data, harden clients, secure your network and do some user training.  
 
  

jaclaz
Senior Member
 

Re: Ransomware Attack in Hospital

Post Posted: May 25, 17 19:46

Just in case, the THREE GOLDEN RULES (of securing data) are:
1) Backup
2) Backup again, storing the backup offline, possibly in a physically different location
3) While considering the implications of Rule #1 and #2, Backup!

About your questions:
1) Forget about it, you either don't have it or you have it, that's enough evidence.
2) Really forget about it, you are not the police, and the sender (if it was an e-mail that triggered the whole thing) of this kind of crap very likely is just someone that was used by the actual malware author, whom you won't be able to find.
3) No, you cannot.
4) It may depend on the specific OS involved and on whether the system was rebooted after the infection took place (or hibernated; if it was ever switched off, no way). There are VERY thin possibilities in a restricted number of cases.[1]
5) The usual things: keep your installed OS as updated as possible, educate your users NOT to fall for phishing attempts via e-mail, and secure data by making appropriate backups [2].
If you are actually a hospital (or any other organization with - say - 80-100 users or more), you should already have a local mail server, WSUS (or similar) updates implemented, some kind of firewalling (properly configured), and some capable IT personnel. If you haven't got all of this, it is not something that can be created out of nothing; it requires money and time, besides - at least initially - the services of some security consultant.

jaclaz

[1] For at least some variants of WannaCrypt on some OSs:
github.com/aguinet/wannakey
github.com/gentilkiwi/wanakiwi

[2] A basic free video course by Troy Hunt:
www.varonis.com/learn/...ansomware/
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
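What the two tools in footnote [1] rely on, shown as an added example that is not part of jaclaz's post and is not the code of wannakey or wanakiwi: if the box was never rebooted, the prime factors of the victim's RSA public modulus may still sit in the encryptor's process memory, and a window of bytes that divides the modulus without remainder must be one of those primes. Everything below is constructed: a toy 256-bit-prime key instead of the real 2048-bit one, a random 64 KiB "memory image" with the prime planted at an assumed offset (stored little-endian, the way CryptoAPI keeps multiprecision integers), and a small integer standing in for the per-file key the malware encrypts with the public half.

```python
import random

PRIME_BITS = 256           # toy size for speed; WannaCry's per-victim RSA key was 2048-bit (two 1024-bit primes)
PRIME_BYTES = PRIME_BITS // 8
E = 65537


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probable-prime test (deterministic for a seeded rng)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_probable_prime(cand, rng):
            return cand


def generate_key(rng):
    """Toy RSA key standing in for the per-victim key pair the malware generates.
    Returns (n, e, p, q)."""
    p = random_prime(PRIME_BITS, rng)
    q = random_prime(PRIME_BITS, rng)
    while q == p:
        q = random_prime(PRIME_BITS, rng)
    return p * q, E, p, q


def build_memory_image(rng, size, leftover=None, offset=0):
    """Constructed stand-in for a process memory dump: random bytes, optionally with a
    little-endian prime left behind at `offset`. With leftover=None the prime has been
    overwritten or rebooted away and there is nothing to find."""
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    if leftover is not None:
        image[offset:offset + PRIME_BYTES] = leftover.to_bytes(PRIME_BYTES, "little")
    return bytes(image)


def scan_for_factor(image, n):
    """Slide a PRIME_BYTES window over the image. n = p*q has no other nontrivial
    divisors, so any window that divides n is one of the primes. Returns (offset, prime) or None."""
    for off in range(len(image) - PRIME_BYTES + 1):
        cand = int.from_bytes(image[off:off + PRIME_BYTES], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def private_exponent(n, e, p):
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))     # modular inverse, Python 3.8+


def demo(seed=7, wiped=False, plant_at=12345):
    """Generate a key, encrypt a stand-in per-file key with the public half, then try to
    recover the private half from the memory image and decrypt."""
    rng = random.Random(seed)
    n, e, p, q = generate_key(rng)
    file_key = 0xC0FFEE                     # stand-in for a per-file symmetric key
    ciphertext = pow(file_key, e, n)
    image = build_memory_image(rng, 64 * 1024, None if wiped else p, plant_at)
    hit = scan_for_factor(image, n)
    if hit is None:
        return {"found": False}            # rebooted / memory reused: nothing to recover
    offset, prime = hit
    d = private_exponent(n, e, prime)
    return {"found": True, "offset": offset, "prime_is_p": prime == p,
            "recovered": pow(ciphertext, d, n), "file_key": file_key}


if __name__ == "__main__":
    print(demo())
    print(demo(wiped=True))
```

The `wiped=True` run is the common case jaclaz describes: once the machine has been rebooted or the memory reused, the scan returns nothing, and no amount of scanning brings the key back. On a real image the window is 128 bytes and the modulus comes from the victim's public key file, but the arithmetic is the same.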
 
  

PaulSanderson
Senior Member
 

Re: Ransomware Attack in Hospital

Post Posted: May 25, 17 21:38

I have little to add except - please remember that English is probably not his native language - "expect" may just be translation issue.

Jaclaz - there used to be three slightly different golden rules of securing data - or there were when I was in data recovery.

1. Back it up.
2. Test your backup.
3. Keep it offsite.

We had lots of clients who did 1 & 3 but only came to us after testing their backup when it was actually needed. Some of them even commented that they thought the backup to tape was very fast. It was fast because there was no data being written.
_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 


Last edited by PaulSanderson on May 26, 17 13:00; edited 1 time in total
 
  

jaclaz
Senior Member
 

Re: Ransomware Attack in Hospital

Post Posted: May 25, 17 21:52

- PaulSanderson

Jaclaz - there used to be three slightly different golden rules of securing data - or there were when I was in data recovery.
...
We had lots of clients who did 1 & 3 but only came to us after testing their backup when it was actually needed. Some of them even commented that they thought the backup to tape was very fast. It was fast because there was no data being written.


You are correct. :) I should have added that a backup strategy/method that is not tested (and verifiable) falls under the category of non-backups.

The real issue with the possibilities of defending oneself against this kind of ransomware is that the backup media MUST be offline (from the network) at all times, except for the time strictly needed for the backup operation, and then needs to be duplicated (the 2nd backup copy to be later stored offsite), still while offline from the network.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
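Paul's rule 2 ("test your backup") and jaclaz's point that an untested backup is a non-backup, as an added example that is not from either post: a backup job that also writes a checksum manifest, and a verifier that does a real test restore into a scratch directory and compares every file against that manifest. Sample files are constructed inline; the tar.gz format, the SHA-256 manifest and the path-traversal check on archive members are this example's choices, not anything the thread prescribes. Rule 3 (offsite) and jaclaz's offline-media requirement are handling matters the script cannot enforce; it only tells you whether the copy you made is actually restorable.

```python
import hashlib
import pathlib
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive every file under source_dir and return a manifest {relative path: sha256}.
    The manifest is what a later restore is checked against, so keep it with the copy
    that goes offline/offsite."""
    source_dir = pathlib.Path(source_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for path in sorted(source_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(str(path), arcname=rel)
    return manifest


def verify_backup(archive_path, manifest):
    """Test restore: extract into a scratch directory and compare every file with the
    manifest. Returns (ok, problems). An archive that 'backed up' nothing fails here
    instead of on the day it is needed."""
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            for member in tar.getmembers():
                parts = pathlib.PurePosixPath(member.name).parts
                if member.name.startswith("/") or ".." in parts:
                    # never let archive contents choose where they land on the restore host
                    return False, [f"unsafe path in archive: {member.name}"]
            tar.extractall(restore_dir)
        restored = {}
        for path in pathlib.Path(restore_dir).rglob("*"):
            if path.is_file():
                restored[path.relative_to(restore_dir).as_posix()] = sha256_file(path)
    if not manifest:
        problems.append("manifest is empty: the backup job wrote nothing")
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"checksum mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file in archive: {rel}")
    return not problems, problems


def demo():
    """Constructed sample data: a good backup passes; an empty archive (Paul's 'very fast'
    tape backup that wrote no data) is caught before anyone depends on it."""
    with tempfile.TemporaryDirectory() as work:
        src = pathlib.Path(work, "records")
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "0001.txt").write_text("constructed sample record\n")
        (src / "index.csv").write_text("id,file\n0001,patients/0001.txt\n")

        archive = pathlib.Path(work, "records.tgz")
        manifest = make_backup(src, archive)

        empty = pathlib.Path(work, "empty.tgz")
        with tarfile.open(str(empty), "w:gz"):
            pass                                   # job "ran", nothing was written

        return {"good": verify_backup(archive, manifest),
                "empty": verify_backup(empty, manifest)}


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print(name, "OK" if ok else "FAILED", problems)
```

Run the verifier against the copy that actually goes offline, not against the live source, and run it on a schedule; a verification that only happens on the day of the incident is the situation Paul's data-recovery clients were in.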
 
  

RolfGutmann
Senior Member
 

Re: Ransomware Attack in Hospital

Post Posted: May 25, 17 23:55

No, choose a different way to solve the problem. A non-technical one, as I do not assume that you or your IT is prepared/able to solve the issue fast.

Just make a fast triage: select which patients are most critically affected by this issue.
Reconstruct, by talking to the involved medical staff, which information is the most critical; maybe some people know it

in their heads/brains/memories.

Set up a paper process immediately and put down all the information from the short-term memories of the involved medical people.

Then shut down at least the server where the infected files were found. Disconnect all network of the respective department.

The biggest fear I have is that the ransomware spreads faster than you realize.

So shut down part of your IT and call your government for help!!!

The time it takes to recover from ransomware is longer than the time you have to save your patients' lives.

There is NO FAST SOLUTION TO YOUR PROBLEM.  
 

Page 1 of 4