Ransomware Attack in Hospital  

Emyliana
(@emyliana)
New Member

Hi, I have some trouble in my workplace right now, and the IT department is also investigating to solve this issue. I am one of the medical record officers at a private hospital in my country. The ransomware encrypts the data of several patient records on hospital computers, and only in exchange for 100 bitcoins will the attackers decrypt the data again. This is critical for hospitals because they deal with very sensitive patient data.

Therefore, I would like to ask for solutions on:
1. How to trace the evidence of ransomware?
2. Where to get the evidence and information about the sender?
3. Can we trace it with the IP address?
4. How to decrypt the data without exchanging bitcoin with the attacker?
5. What prevention steps can be applied against this ransomware attack?

I hope for a response from all of you regarding this issue, and maybe your ideas/comments and solutions can solve my case.
Thank you.

Posted : 25/05/2017 6:28 pm
jpickens
(@jpickens)
Active Member

If it's a hospital and you have active ransomware happening, it sounds like you're unprepared and/or untrained to respond to such an event.

You should get expert assistance ASAP and contact your local law enforcement for assistance and guidance. Also get your hospital's legal team involved immediately as well.

https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise

If you need professional service help, try some of these

https://www.secureworks.com/contact/urgent-response
https://www.fireeye.com/services.html
https://www.guidancesoftware.com/got-breached

I'm sure there are many others.

Posted : 25/05/2017 7:42 pm
MDCR
(@mdcr)
Active Member

I expect a response from all of you

Wow, I had no idea I was getting paid to give support to a hospital in Indonesia. Wait - I'm not.

1. How to trace the evidence of ransomware?
2. Where to get the evidence and information about the sender?
3. Can we trace it with the IP address?
4. How to decrypt the data without exchanging bitcoin with the attacker?
5. What prevention steps can be applied against this ransomware attack?

Going to give a limited response to the points that matter.

1-3. Going to skip these since you probably don't have any incident response, logs, forensics people - or any security since you're asking about it here. Treat it like a virus infection of the human body, cure the symptoms and learn from this experience to grow so you won't be hit again in the future.

4. You don't. You restore the systems and the data from a backup solution, which you apparently do not have.

5. Get proper security - not stupid infosec paperwork - malware doesn't give a crap about your certification/accreditation. Back up data, harden clients, secure your network and do some user training.

Posted : 25/05/2017 8:22 pm
jaclaz
(@jaclaz)
Community Legend

Just in case, the THREE GOLDEN RULES (of securing data) are:
1) Backup
2) Backup again, storing the backup offline, possibly in a physically different location
3) While considering the implications of Rule #1 and #2, Backup!

About your questions:
1) Forget about it, you either don't have it or you have it, that's enough evidence.
2) Really forget about it, you are not the police, and the sender (if it was an e-mail that triggered the whole thing) of this kind of crap very likely is just someone that was used by the actual malware author, whom you won't be able to find.
3) No, you cannot.
4) It may depend on the specific OS involved and whether the system was rebooted after the infection took place (or hibernated; if it was ever switched off, no way). There are VERY thin possibilities in a restricted number of cases. [1]
5) The usual things: keep your installed OS as updated as possible, educate your users to NOT fall for phishing attempts via e-mail, secure data by making appropriate backups. [2]
If you are actually a hospital (or any other organization with - say - 80-100 users or more), you should already have a local mail server, have WSUS (or similar) updates implemented, besides any kind of firewalling (properly configured), and some capable IT personnel. If you haven't, all of this is not something that can be created out of nothing; it requires money and time, besides - at least initially - the services of some security consultant.

jaclaz

[1] For at least some variants of WannaCrypt on some OS's
https://github.com/aguinet/wannakey
https://github.com/gentilkiwi/wanakiwi

[2] A basic free video course by Troy Hunt
https://www.varonis.com/learn/introduction-to-ransomware/

Posted : 25/05/2017 8:46 pm
PaulSanderson
(@paulsanderson)
Senior Member

I have little to add except - please remember that English is probably not his native language - "expect" may just be translation issue.

Jaclaz - there used to be three slightly different golden rules of securing data - or there were when I was in data recovery.

1. Back it up.
2. Test your backup.
3. Keep it offsite.

We had lots of clients who did 1 & 3 but only came to us after testing their backup when it was actually needed. Some of them even commented that they thought the backup to tape was very fast. It was fast because there was no data being written.

Posted : 25/05/2017 10:38 pm
jaclaz
(@jaclaz)
Community Legend

Jaclaz - there used to be three slightly different golden rules of securing data - or there were when I was in data recovery.

We had lots of clients who did 1 & 3 but only came to us after testing their backup when it was actually needed. Some of them even commented that they thought the backup to tape was very fast. It was fast because there was no data being written.

You are correct. I should have added that a backup strategy/method that is not tested (and verifiable) falls under the category of non-backups.

The real issue with the possibilities of defending oneself against this kind of ransomware is that the backup media MUST be offline (from the network) at all times except for the actual time strictly needed for the backup operation and then needs to be duplicated (2nd backup copy to be later stored offsite) still while offline from network.

jaclaz

Posted : 25/05/2017 10:52 pm
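Added example, not code from either poster: a Python routine that tests a backup the way the two posts above call for, by restoring it to scratch space and comparing every file's checksum against the live source. The sample tree and the `write_data=False` switch (a stand-in for the "very fast" tape job that stored nothing) are constructed for the demo.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Map each regular file under root (by relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path, write_data: bool = True) -> None:
    """tar.gz of source; write_data=False mimics a 'very fast' job that stored nothing."""
    with tarfile.open(archive, "w:gz") as tar:
        if write_data:
            tar.add(source, arcname=".")


def verify_backup(source: Path, archive: Path) -> list:
    """Restore into scratch space and compare against the live source; [] means verified."""
    problems = []
    expected = sha256_tree(source)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch)
        restored = sha256_tree(Path(scratch))
    if not restored:
        problems.append("backup contains no files")
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing from backup: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    return problems


def demo() -> tuple:
    """Constructed sample tree backed up twice: once properly, once 'fast' (empty)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "records"
        source.mkdir()
        (source / "record-0001.txt").write_text("constructed sample record A")
        (source / "record-0002.txt").write_text("constructed sample record B")
        make_backup(source, work / "good.tar.gz")
        make_backup(source, work / "fast.tar.gz", write_data=False)
        return (verify_backup(source, work / "good.tar.gz"),
                verify_backup(source, work / "fast.tar.gz"))
```

Running `demo()` returns an empty problem list for the real backup and a non-empty one for the job that wrote nothing, which is exactly the check the tape clients never ran.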
RolfGutmann
(@rolfgutmann)
Community Legend

No, choose a different way to solve the problem. A non-technical one, as I do not assume that you or your IT is prepared/able to solve the issue fast.

Just make a fast triage: select which patients are most critically (life-threateningly) affected by this issue.
Reconstruct, by talking to the involved medical staff, which is the most critical information; maybe some people know it

in their heads/brains/memories.

Set up immediately a paper process and put down all information out of the short-term memories of the involved medical people.

Then shut down at least the server where the infected files were found. Disconnect all network of the respective department.

The biggest fear I have is that the ransomware spreads faster than you realize.

So shut down part of your IT and call your government for help!!!

The time it takes to recover from ransomware is longer than the time you have to save your patients' lives.

There is NO FAST SOLUTION TO YOUR PROBLEM.

Posted : 26/05/2017 12:55 am
RolfGutmann
(@rolfgutmann)
Community Legend

Do you need more help?

Posted : 26/05/2017 1:35 pm
kacos
(@kacos)
Member

FWIW, in certain cases some of the 'encrypted' data can be recovered with a carving tool.

https://www.scmagazineuk.com/file-carving-can-reverse-wannacry-ransomware-encryption-says-mcafee/article/662661/

Posted : 26/05/2017 1:38 pm
dsacn
(@dsacn)
New Member

Thank you for sharing!

Posted : 26/05/2017 2:16 pm
jaclaz
(@jaclaz)
Community Legend

FWIW, in certain cases some of the 'encrypted' data can be recovered with a carving tool.

https://www.scmagazineuk.com/file-carving-can-reverse-wannacry-ransomware-encryption-says-mcafee/article/662661/

Some more details are given here:
https://www.scmagazineuk.com/wannacry-mcafee-outlines-recovery-technique-for-when-the-worst-happens/article/662657/

BUT it won't happen in the real world (not for any sensible amount of data).

The ransomware, in order to encrypt a file, needs of course to have the "source" file until the encryption process of that file has completed, i.e. it creates a new encrypted file and, as soon as its creation is completed, deletes the "source" one.

This deletion is a "plain" deletion (not a "wipe") so right after the encryption of a single file the original file extents are added to the "unallocated" area and can be carved back to life (losing path, filename and all file system metadata BTW).

Then the malware goes to the next file to encrypt.

On a volume with lots of free space it is likely that the extents of the original file are not immediately overwritten, but on any volume where free space is "tight", or anyway once the malware has looped through the encryption process thousands or tens of thousands of times, only the last few files that were encrypted may - at the most - be recovered by carving.

This technique may provide some (anyway very partial) success only in a teeny-tiny number of cases, namely where the user by pure chance immediately noticed that the ransomware was running and encrypting files and had the promptness of "pulling the plug".

jaclaz

Posted : 26/05/2017 4:20 pm
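Added example, not code from jaclaz's post: a minimal signature carver in Python run over a constructed volume image, showing that the deleted originals' extents carve back (without names, paths or metadata) only until later writes in the encryption loop reuse those clusters. The sample files, the 4 KiB cluster size, the two signatures and the printable filler standing in for later ciphertext are all assumptions made for the demo.

```python
CLUSTER = 4096
SIGNATURES = {  # (header, footer) for two common types; real carvers know many more
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
# Constructed sample files standing in for the plaintext originals.
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n(constructed record)\n%%EOF"
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00(constructed scan)\xff\xd9"
# Stand-in for ciphertext the encryption loop writes later: printable bytes, so it
# can never contain a signature by accident and the demo stays deterministic.
FILLER = bytes(range(0x20, 0x7F))


def carve(image: bytes, max_len: int = CLUSTER * 64) -> list:
    """Return (offset, kind, data) for every header..footer span in the image.
    Note what is NOT returned: path, filename, timestamps; carving loses all of it."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_len)
            if end == -1:  # header with no footer in range: false positive, skip it
                start = image.find(header, start + 1)
                continue
            end += len(footer)
            found.append((start, kind, bytes(image[start:end])))
            start = image.find(header, end)
    return sorted(found)


def write_at(image: bytearray, cluster: int, data: bytes) -> None:
    """Place data at a cluster boundary, as a file system allocator would."""
    image[cluster * CLUSTER:cluster * CLUSTER + len(data)] = data


def demo() -> tuple:
    """Both deleted originals carve back at first; once the loop reuses one
    original's clusters for a new encrypted file, only the other survives."""
    image = bytearray(CLUSTER * 16)  # a small, mostly free volume
    write_at(image, 2, PDF_SAMPLE)    # extents of deleted original #1
    write_at(image, 5, JPEG_SAMPLE)   # extents of deleted original #2
    before = carve(image)
    # Later in the loop the allocator hands cluster 5 to a new encrypted file.
    write_at(image, 5, (FILLER * (CLUSTER // len(FILLER) + 1))[:CLUSTER])
    after = carve(image)
    return before, after
```

`demo()` returns two hit lists: two carved files before the clusters are reused and only the PDF afterwards, which is the "last few files at the most" outcome jaclaz describes.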
Emyliana
(@emyliana)
New Member

I expect a response from all of you

Wow, I had no idea I was getting paid to give support to a hospital in Indonesia. Wait - I'm not.
Oh, sorry. I have just noticed that. It was a mistyping error. I just need a response from all of you regarding this issue.

1. How to trace the evidence of ransomware?
2. Where to get the evidence and information about the sender?
3. Can we trace it with the IP address?
4. How to decrypt the data without exchanging bitcoin with the attacker?
5. What prevention steps can be applied against this ransomware attack?

Going to give a limited response to the points that matter.

1-3. Going to skip these since you probably don't have any incident response, logs, forensics people - or any security since you're asking about it here. Treat it like a virus infection of the human body, cure the symptoms and learn from this experience to grow so you won't be hit again in the future.

4. You don't. You restore the systems and the data from a backup solution, which you apparently do not have.

5. Get proper security - not stupid infosec paperwork - malware doesn't give a crap about your certification/accreditation. Back up data, harden clients, secure your network and do some user training.

Posted : 26/05/2017 6:28 pm
Emyliana
(@emyliana)
New Member

Hi, I have some trouble in my workplace right now, and the IT department is also investigating to solve this issue. I am one of the medical record officers at a private hospital in my country. The ransomware encrypts the data of several patient records on hospital computers, and only in exchange for 100 bitcoins will the attackers decrypt the data again. This is critical for hospitals because they deal with very sensitive patient data.

Therefore, I would like to ask for solutions on:
1. How to trace the evidence of ransomware?
2. Where to get the evidence and information about the sender?
3. Can we trace it with the IP address?
4. How to decrypt the data without exchanging bitcoin with the attacker?
5. What prevention steps can be applied against this ransomware attack?

I hope for a response from all of you regarding this issue, and maybe your ideas/comments and solutions can solve my case.
Thank you.

Are there any other opinions and solutions from others?

Posted : 30/05/2017 8:46 am
RolfGutmann
(@rolfgutmann)
Community Legend

Listen,

It sounds impolite to still be asking for more solutions, as in the previous posts you got professional help and enough solutions to decide on!

All solutions are on the table! It's your task to act.

Posted : 30/05/2017 1:23 pm
Emyliana
(@emyliana)
New Member

I am really sorry. All of the other solutions and recommendations are very helpful and I appreciate them. Thank you so much. Just in case there is another solution from different professionals and perspectives.
Thank you

Posted : 30/05/2017 1:49 pm