Ransomware Attack in Hospital

jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

FWIW, in certain cases some of the 'encrypted' data can be recovered with a carving tool.

https://www.scmagazineuk.com/file-carving-can-reverse-wannacry-ransomware-encryption-says-mcafee/article/662661/

Some more details are given here
https://www.scmagazineuk.com/wannacry-mcafee-outlines-recovery-technique-for-when-the-worst-happens/article/662657/

BUT it won't happen in the real world (not for any sensible amount of data).

The ransomware, in order to encrypt a file, of course needs to have the "source" file until the encryption of that file has completed, i.e. it creates a new encrypted file and, as soon as its creation is complete, deletes the "source" one.

This deletion is a "plain" deletion (not a "wipe"), so right after the encryption of a single file the original file's extents are added to the "unallocated" area and can be carved back to life (losing path, filename and all file system metadata, BTW).

Then the malware goes to the next file to encrypt.

On a volume with lots of free space it is likely that the extents of the original file are not immediately overwritten, but on any volume where free space is "tight", or anyway once the malware has looped through the encryption process thousands or tens of thousands of times, only the last few files that were encrypted may - at most - be recovered by carving.

This technique may provide some (anyway very partial) success only in a teeny-tiny number of cases, namely where the user by pure chance immediately noticed that the ransomware was running and encrypting files, and had the promptness to "pull the plug".

jaclaz

 
Posted : 26/05/2017 3:20 pm
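The mechanism in the post above (write the encrypted copy, plain-delete the source, move on; free space decides whether the freed extents survive) can be reproduced on a toy volume. The following is an added example written for this page, not code from jaclaz, from any real ransomware or from any carving tool. The volume layout, the next-fit allocator, the `%PDF-` signature, the XOR "encryption" and the `patient-NNN.pdf` records are all constructed assumptions chosen so the run is deterministic; the carver only knows the raw blocks and the signature, since name, path and timestamps are gone with the deleted metadata.

```python
"""Toy model of why signature carving recovers only the last few originals
after a ransomware run. Constructed example: not from the thread, not from
any real ransomware, not from any real carving tool."""

BLOCK = 512
MAGIC = b"%PDF-"           # file signature the carver looks for (assumption)
KEY = bytes(range(1, 33))  # toy XOR keystream; every byte changes (assumption)


class ToyVolume:
    """Flat array of blocks + allocation bitmap + a next-fit allocator.
    Next-fit is an assumption: a simplified stand-in for real file systems,
    which also tend not to reuse just-freed clusters immediately."""

    def __init__(self, total_blocks):
        self.n = total_blocks
        self.image = bytearray(total_blocks * BLOCK)
        self.used = [False] * total_blocks
        self.directory = {}   # name -> block list; the only metadata there is
        self.cursor = 0       # next-fit cursor

    def _allocate(self, count):
        blocks = []
        for step in range(self.n):
            i = (self.cursor + step) % self.n
            if not self.used[i]:
                self.used[i] = True
                blocks.append(i)
                if len(blocks) == count:
                    self.cursor = (i + 1) % self.n
                    return blocks
        raise RuntimeError("volume full")

    def write_file(self, name, data):
        count = (len(data) + BLOCK - 1) // BLOCK
        blocks = self._allocate(count)
        for k, b in enumerate(blocks):
            chunk = data[k * BLOCK:(k + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.image[b * BLOCK:(b + 1) * BLOCK] = chunk   # overwrites old bytes
        self.directory[name] = blocks

    def read_file(self, name):
        return b"".join(self.image[b * BLOCK:(b + 1) * BLOCK]
                        for b in self.directory[name])

    def delete_file(self, name):
        """Plain delete: drop the metadata, free the blocks, touch no data."""
        for b in self.directory.pop(name):
            self.used[b] = False


def toy_encrypt(data):
    return bytes(c ^ KEY[i % len(KEY)] for i, c in enumerate(data))


def ransomware_run(vol, names, stop_after=None):
    """Per file: write the .locked copy first, then plain-delete the source,
    as the post describes. stop_after models the user pulling the plug."""
    for done, name in enumerate(names):
        if stop_after is not None and done == stop_after:
            break
        vol.write_file(name + ".locked", toy_encrypt(vol.read_file(name)))
        vol.delete_file(name)


def carve_unallocated(vol):
    """Signature carve over unallocated blocks only. Returns the record ids
    whose header block survived; the file names are not recoverable."""
    found = set()
    for b in range(vol.n):
        if vol.used[b]:
            continue
        off = b * BLOCK
        if vol.image[off:off + len(MAGIC)] == MAGIC:
            tag = bytes(vol.image[off + len(MAGIC):off + len(MAGIC) + 10])  # b"record-NNN"
            found.add(int(tag[7:10]))
    return sorted(found)


def simulate(total_blocks, n_files, stop_after=None):
    """Lay down n_files 4-block records, run the toy ransomware, carve."""
    vol = ToyVolume(total_blocks)
    names = []
    for i in range(n_files):
        name = f"patient-{i:03d}.pdf"                       # constructed data
        vol.write_file(name, (MAGIC + b"record-%03d" % i).ljust(4 * BLOCK, b"x"))
        names.append(name)
    ransomware_run(vol, names, stop_after)
    return carve_unallocated(vol)


if __name__ == "__main__":
    print("roomy volume (2000 blocks, 20 files):", simulate(2000, 20))
    print("tight volume (88 blocks, 20 files):  ", simulate(88, 20))
    print("tight volume, plug pulled after 5:   ", simulate(88, 20, stop_after=5))
```

On the roomy volume every original is still in unallocated space and all twenty carve out; on the tight one the locked copies are steered into the blocks freed two files earlier, so only the last two originals survive, and pulling the plug early does not help much either, because the same two-file window applies to however many files were done by then.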
(@emyliana)
Posts: 4
New Member
Topic starter
 

I expect a response from all of you

Wow, I had no idea I was getting paid to give support to a hospital in Indonesia. Wait - I'm not.
Oh.. sorry. I have just noticed that. It was a mistyping error.. I just need a response from all of you regarding these issues

1. How to trace the evidence of ransomware?
2. Where to get the evidence and information about the sender?
3. Can we trace it with the IP address?
4. How to decrypt the data without exchanging bitcoin with the attacker?
5. What prevention steps can be applied against this ransomware attack?

Going to give a limited response to the points that matter

1-3. Going to skip these since you probably don't have any incident response, logs or forensics people - or any security, since you're asking about it here. Treat it like a virus infection of the human body: cure the symptoms and learn from this experience to grow so you won't be hit again in the future.

4. You don't. You restore the systems and the data from a backup solution, which you apparently do not have.

5. Get proper security - not stupid infosec paperwork - malware doesn't give a crap about your certification/accreditation. Back up data, harden clients, secure your network and do some user training.

 
Posted : 26/05/2017 5:28 pm
(@emyliana)
Posts: 4
New Member
Topic starter
 

Hi, I have got some trouble in my workplace right now and the IT department is also investigating to solve these issues. I am one of the medical record officers at one of the private hospitals in my country. The ransomware encrypts the data of several patient records on hospital computers, and only in exchange for 100 bitcoins will the attackers decrypt the data again. This is critical for hospitals because they deal with very sensitive patient data.

Therefore, I would like to ask for solutions on
1. How to trace the evidence of ransomware?
2. Where to get the evidence and information about the sender?
3. Can we trace it with the IP address?
4. How to decrypt the data without exchanging bitcoin with the attacker?
5. What prevention steps can be applied against this ransomware attack?

I hope for a response from all of you regarding these issues; maybe with your ideas/comments and solutions I can solve my case.
Thank you

Are there any other opinions and solutions from others?

 
Posted : 30/05/2017 7:46 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

Listen,

It sounds impolite to still be asking for more solutions, as in the previous posts you got professional help and enough solutions to decide on!

All solutions are on the table! It's your task to act.

 
Posted : 30/05/2017 12:23 pm
(@emyliana)
Posts: 4
New Member
Topic starter
 

I am really sorry.. all the other solutions and recommendations are very helpful and I appreciate them very much.. Thank you so much. Just in case there is another solution from different professionals and perspectives.
Thank you

 
Posted : 30/05/2017 12:49 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

I haven't read the full thread as I'm afraid I don't have the time right now. Is this WannaCry? There are decryptors available now if you give it a google.

Just throwing it out there, sorry if this has already been covered

 
Posted : 30/05/2017 1:28 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

…..Just in case if there is another solution from different professional and perspectives.
Thank you

Yes. Pay the ransom. Paying approx. ~300 USD for an encrypted client might be the most successful way to get the encrypted data back. There are a lot of articles stating that the authors of WannaCry gave out the decrypting code after they were paid in Bitcoin. But paying the ransom is NOT a guarantee of receiving the decrypting code. If I were you, I would pay for the client with the most important data on it. After this was successful, you might consider paying for other clients, too.

If you decide not to pay and accept the loss of data, reinstall the Windows OS on another (new) hard drive. Do not overwrite the encrypted content of the original drive! The FBI or other agencies might publish a freely available decryption tool in the near future, once they catch the criminals behind WannaCry.

Good luck!

 
Posted : 30/05/2017 1:52 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

I really don't want to be impolite.

But indecisiveness is the real problem here. There are no more ideas or solutions. You have them all
in the previous posts.

It's your obligation and part of a collaboration process to feed back what you or your organization is going to do. Just asking all the time is not fair.

Sorry for the plain talk.

 
Posted : 30/05/2017 2:30 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

…..Just in case if there is another solution from different professional and perspectives.
Thank you

Yes. Pay the ransom. Paying approx. ~ 300 USD

No… as stated, google is your friend. Sorry to pooh-pooh.

https://www.helpnetsecurity.com/2017/05/20/wannacry-decryptor-wanakiwi/

 
Posted : 31/05/2017 3:25 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

…..Just in case if there is another solution from different professional and perspectives.
Thank you

Yes. Pay the ransom. Paying approx. ~ 300 USD

No… as stated, google is your friend. Sorry to pooh pooh

https://www.helpnetsecurity.com/2017/05/20/wannacry-decryptor-wanakiwi/

All existing decryption tools only work if the Windows OS has not been rebooted and has been running continuously for the last two weeks. The vast majority of users have switched their devices off or rebooted.

 
Posted : 31/05/2017 8:02 pm
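The "still running, never rebooted" condition above is the whole trick behind the linked wanakiwi decryptor (and the earlier wannakey it builds on): the RSA private key file is gone, but the prime factors of the victim's key may still be sitting in the memory of the infected process, and the public modulus N is known, so the process memory can be scanned for any window that divides N. The following is an added example written for this page to show that principle, not code from wanakiwi, wannakey, the malware, or anyone in this thread. It uses 256-bit toy primes, a 64 KB constructed "memory dump" with p planted at a random offset, and a blank dump as a stand-in for the post-reboot case; all of those are assumptions, and real keys are far larger.

```python
"""Why the WannaCry decryptors need the infected process still in memory.
Constructed illustration of the public wannakey/wanakiwi idea; not code from
those tools, from the malware or from this thread. Toy key sizes (assumption)."""
import math
import random

E = 65537
PRIME_BITS = 256            # assumption: toy size, real primes are much larger
WINDOW = PRIME_BITS // 8    # byte width of a candidate prime lying in memory


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full width, odd
        if is_probable_prime(c, rng):
            return c


def make_toy_keypair(rng):
    """Return (p, q, N) with gcd(E, phi) == 1 so a private exponent exists."""
    while True:
        p, q = gen_prime(PRIME_BITS, rng), gen_prime(PRIME_BITS, rng)
        if p != q and math.gcd(E, (p - 1) * (q - 1)) == 1:
            return p, q, p * q


def build_memory_dump(p, rng, size=64 * 1024):
    """Constructed stand-in for a dump of the still-running process: random
    bytes with the little-endian encoding of p left at an arbitrary offset,
    the way a freed-but-not-overwritten bignum would be."""
    dump = bytearray(rng.getrandbits(8) for _ in range(size))
    off = rng.randrange(0, size - WINDOW)
    dump[off:off + WINDOW] = p.to_bytes(WINDOW, "little")
    return bytes(dump)


def scan_dump_for_factor(dump, n_modulus):
    """Slide a WINDOW-byte window over the dump at every byte offset. Any value
    that divides N and is neither 1 nor N must be p or q. Returns it or None."""
    for off in range(len(dump) - WINDOW + 1):
        x = int.from_bytes(dump[off:off + WINDOW], "little")
        if 1 < x < n_modulus and n_modulus % x == 0:
            return x
    return None


def rebuild_private_exponent(factor, n_modulus):
    """One recovered prime gives the other as N // p, and then d."""
    other = n_modulus // factor
    return pow(E, -1, (factor - 1) * (other - 1))


def demo(seed=7):
    """Returns (factor found in live memory, nothing found after 'reboot',
    rebuilt key really decrypts)."""
    rng = random.Random(seed)
    p, q, n_modulus = make_toy_keypair(rng)
    live_dump = build_memory_dump(p, rng)
    factor = scan_dump_for_factor(live_dump, n_modulus)
    # After a reboot the process memory is gone; fresh, unrelated bytes instead.
    cold_dump = bytes(rng.getrandbits(8) for _ in range(len(live_dump)))
    after_reboot = scan_dump_for_factor(cold_dump, n_modulus)
    d = rebuild_private_exponent(factor, n_modulus)
    m = 0xC0FFEE
    decrypts = pow(pow(m, E, n_modulus), d, n_modulus) == m
    return factor in (p, q), after_reboot is None, decrypts


if __name__ == "__main__":
    print("factor in live memory, nothing after reboot, key rebuilt:", demo())
```

The scan succeeds only because the windowed value must be an exact divisor of N, which rules out every random window; the moment the process memory is gone (reboot, power-off, or simply overwritten by later allocations), there is nothing left to divide N with, which is exactly why the tools are useless on a machine that was switched off.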