Help! Ransom virus on office network

#1, 09-02-2015, 09:55 AM, Incisor1 (Senior Member, Thread Starter)

One of my office staff was on the computer doing personal business and introduced a virus into the network. It has locked the "photos and documents" on the whole dang system. It seems even to be on the server. My IT guy said he has never seen it on a network before. Thankfully, I can still access my patients' charts, and he assures me that they haven't "hacked" into the system enabling them to steal any info. His plan is to back up the entire system and then remove the virus from the backup. Then he will back up from the backup... Is this the correct course of action?

Last edited by Incisor1; 09-02-2015 at 11:17 AM.
#2, 09-02-2015, 10:01 AM (Senior Member, Captains Club Member)

Had the same thing happen to us.

Had to restore our overnight backup. Only lost the days work.

You do back up your network don't you? We do it every night.
#3, 09-02-2015, 10:06 AM (Senior Member, Captains Club Member)

Couldn't you just restore the computer that runs the server to a previous date?
#4, 09-02-2015, 10:08 AM (Senior Member)

Uh oh... That can't be good, assuming by "patients" you adhere to HIPAA...
#5, 09-02-2015, 10:09 AM (Senior Member)

Patients' charts? I'd be worried if I were you. It sounds to me like you have patient data on your system and your system has been compromised. Do you really think your IT guy, who's never seen this before on a network, is qualified to make the statement that you haven't been hacked? All I can say is wow.
#6, 09-02-2015, 10:14 AM (Senior Member)

The way I believe these things work is all your documents are encrypted and you need the encryption key. Cleaning off the virus from a backup you take now will not decrypt the files, and may make it impossible to decrypt them even if you did pay and get the key from the crooks. From what I've read, the malware they use isn't that hard to get rid of though.

As others have suggested, I hope you have backup somewhere that is prior to the infection.

This is where a backup service that saves multiple generations of files is nice.
#7, 09-02-2015, 10:26 AM, Incisor1 (Senior Member, Thread Starter)

We back up the system regularly, so I have a recent copy. I am a bit nervous about my IT guy's knowledge of the subject though. I pay him well to make sure that we are up to date with our HIPAA compliance, security, etc. I just wonder if I need someone who specializes in this type of issue. I will be the first to admit that I'm no computer genius. I thought that is what I pay him for... Feeling frustrated to say the least.
#8, 09-02-2015, 11:05 AM, DJWILLIAMS (Senior Member)

It's not too bad to remove; you will probably have to isolate each machine and remove it from each one.
Once up and running, do a backup.

Also your charts and such should not be compromised, as I am sure there is security embedded into the program. Also one would need this program to access the info.

Now if you have any Excel documents, etc. with patient info, that could easily be compromised. My recommendation would be to disconnect the internet immediately until this is fixed.

David
#9, 09-02-2015, 11:13 AM, lagarto (Admirals Club Member)

You need to restore from last backup and re-image.

Going forward, augment A/V (which is virtually useless by the way) with a trusted application control solution like Bit9 or you will keep getting hit.
#10, 09-02-2015, 11:20 AM (Senior Member, Captains Club Member)

We had it touch our network and cause some damage a year ago. Restoring from last night's backup is really your only option.
In each infected folder, you will find a file with payment recovery instructions. Go to properties and find the owner of that file and DENY permission (NTFS and SHARE) to all network resources from that user until everything is cleaned. The virus probably came through via email attachment.
The BEST security measure these days is user education.
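The triage this post describes (find the ransom-note file in each hit folder, read its owner, deny that account on the share until cleanup is done), written up as a PowerShell script. This is an added example, not the poster's script: the share root, the note-file name patterns, the share name and the `$Enforce` switch are all placeholders or assumptions, and the script only reports unless `$Enforce` is set.

```powershell
# Added example, not from the thread: locate ransom-note files on a file server,
# read the NTFS owner of each one (the account whose session wrote them), and
# optionally add a Deny ACE for that account on the share until the workstation is cleaned.
# $ShareRoot, $NotePatterns and the share name are placeholders; adjust them to your
# environment and to the note-file name the variant you are seeing actually uses.

$ShareRoot    = 'D:\Shares'                                    # placeholder: file server share root
$NotePatterns = @('*DECRYPT*', '*RECOVER*', '*HOW_TO*', '*RESTORE*', '*README*.txt')  # constructed patterns
$Enforce      = $false                                         # $true applies the Deny ACEs; default only reports

# 1. Find candidate ransom-note files and record owner and creation time.
$notes = Get-ChildItem -Path $ShareRoot -Recurse -File -Include $NotePatterns -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
            Created = $_.CreationTime
        }
    }

if (-not $notes) { Write-Host "No ransom-note candidates found under $ShareRoot"; return }

# 2. Group by owner. The account with the most notes is normally the infected user's session;
#    an owner of SYSTEM or a service account means the malware ran elevated, so the host
#    rather than the user account is what has to be isolated.
$byOwner = $notes | Group-Object Owner | Sort-Object Count -Descending
$byOwner | Select-Object @{n = 'Owner'; e = { $_.Name }}, Count | Format-Table -AutoSize

# 3. The earliest note approximates when encryption started; restore from a backup taken before it.
$first = $notes | Sort-Object Created | Select-Object -First 1
Write-Host ("Earliest note: {0} at {1}" -f $first.Path, $first.Created)

# 4. Containment: Deny on NTFS (a Deny ACE wins over any Allow) and on the SMB share
#    for each suspect account, as the post recommends.
foreach ($g in $byOwner) {
    $acct = $g.Name
    if ($acct -like 'NT AUTHORITY\*' -or $acct -like 'BUILTIN\*') {
        Write-Warning "Owner $acct is a system principal; isolate the host instead of denying the account"
        continue
    }
    if (-not $Enforce) {
        Write-Host "Would deny $acct on $ShareRoot (set `$Enforce = `$true to apply)"
        continue
    }

    $acl  = Get-Acl -LiteralPath $ShareRoot
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $acct, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $ShareRoot -AclObject $acl

    # Share-level deny as well (SmbShare module, Windows Server 2012+). 'Shares' is a placeholder share name.
    Block-SmbShareAccess -Name 'Shares' -AccountName $acct -Force
    Write-Host "Denied $acct on NTFS and on the share until cleanup is complete"
}
```

Run it on the file server as an administrator. The owner grouping is the detection step; the Deny ACEs are deliberately behind `$Enforce` so the report can be checked first, and the earliest note timestamp is what tells you which backup generation is safe to restore from.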
#11, 09-02-2015, 11:21 AM (Senior Member)

Who ever initiated the virus to begin with needs their house burned down!
#12, 09-02-2015, 11:56 AM (Senior Member, Captains Club Member)

The majority of ransomware malware does not harvest or exfiltrate your data. It simply makes your data unavailable until you pay for the decryption key/program. Surprisingly, I have had over 95% success in receiving the decryption key/program when paying the ransom on behalf of customers.

Steps to Recover
1. If you have backups that are current you will not need to pay the ransom.
2. Reload the affected workstation with clean trusted media, patch and update software as needed and then recover from backups.
3. If no backups, then begin thinking about paying the ransom. I advise that the decision to pay the ransom needs to be quick, as the ransom increases significantly after a determined amount of time. The timer for the ransom starts as soon as you see the notification on your infected workstation.

#1 reason why this malware gets onto computers = sysadmin NOT routinely and systematically patching software. Having Windows Update enabled is not the answer. Windows Update does not patch Adobe products, and in particular the Adobe Flash video player.

I am 90%+ confident that the employee's computer was not vaccinated (patched) properly and thus visited a poisoned or infected website which delivered the malicious payload.

The takeaway here is that if the workstation was patched properly, then this virus most likely would have never found its way to your computer.
#13, 09-02-2015, 02:06 PM, Straegen (Senior Member)

My suggestion is to call Sunera or similar company before coming back online. If Ransomware made it onto your network and you run your own servers without a firewall between the internal clients and your server(s), anything could be compromised.

https://sunera.com/

These guys aren't cheap but WAY cheaper than a HIPAA breach and the fees associated with that. For future reference your servers should have a physical and software barrier between them and the client network. If you are running a SQL server of some sort, the same should be true there as well. I would not run a piece of medical software that wasn't at least three tier for this reason. In any case the guys at Sunera will be able to provide you with a security audit so you know your IT people are implementing proper procedures. Be prepared for an ugly report though.
#14, 09-02-2015, 03:36 PM, turquoiseblue (Admirals Club Member)

Curious as to how much money these crooks are usually demanding?
#15, 09-02-2015, 04:09 PM (Senior Member)

We had it get into a file folder from a user's laptop. She opened an email and clicked on a link. The one we had attacked not only document files and photos; it was also written to encrypt database files, so your EMR is not safe from the virus.
Delete all affected folders (and the files inside) and replace from backups.
I agree with mrdabbs that your system is not patched up to date. Our antivirus came out with a patch about a week after we had the attack, but that was 2 years ago.
#16, 09-02-2015, 05:32 PM, Incisor1 (Senior Member, Thread Starter)

Thanks everyone!
#17, 09-02-2015, 05:56 PM, DJWILLIAMS (Senior Member)

Originally Posted by Straegen:
My suggestion is to call Sunera or similar company before coming back online. If Ransomware made it onto your network and you run your own servers without a firewall between the internal clients and your server(s), anything could be compromised. https://sunera.com/ These guys aren't cheap but WAY cheaper than a HIPAA breach and the fees associated with that. For future reference your servers should have a physical and software barrier between them and the client network. If you are running a SQL server of some sort, the same should be true there as well. I would not run a piece of medical software that wasn't at least three tier for this reason. In any case the guys at Sunera will be able to provide you with a security audit so you know your IT people are implementing proper procedures. Be prepared for an ugly report though.
Agreed!
#18, 09-02-2015, 06:31 PM (Senior Member)

Originally Posted by lagarto:
You need to restore from last backup and re-image.

Going forward, augment A/V (which is virtually useless by the way) with a trusted application control solution like Bit9 or you will keep getting hit.
Nope.... The best chance to "keep from getting hit" is keeping everything up to date and patched. Java and Silverlight are the two biggest holes now.

AV is useless in blocking these advanced threats. The latest threat is a link to an infected site. The site contains a script that is run in memory that exploits a known vulnerability (un-patched app or OS) and inserts code in a good process.

The ransom-ware is easy to remove but depending on the variant getting the files back is slim. Even if you pay the odds are 50-50.

1. Make sure the users are not running with administrator privileges.
2. Make sure all the hosts don't have the same administrator password.
3. Limit mapped drives to needed access. If someone gets hit with full network access, it is not good.
4. Patch, patch, patch.
5. Back up and test backups.

Unauthorized access to sensitive data is a compromise.

I am getting ready to take the SANS incident response certification test this month.

Doug
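A PowerShell audit for items 1, 3 and 4 of the checklist in the post above, added here as an example rather than anything the poster supplied. The host names and share names are placeholders. Item 2 (unique local administrator passwords) is best enforced with LAPS rather than checked by script, and item 5 is only really verified by performing a restore.

```powershell
# Added example, not from the thread: audit checklist items 1, 3 and 4 on a set of Windows hosts.
# $Workstations and $FileServer are placeholder computer names; run from a management host
# with WinRM (Invoke-Command) enabled and an account that is an administrator on the targets.

$Workstations = @('WS01', 'WS02')   # placeholder workstation names
$FileServer   = 'FS01'              # placeholder file server name

# Item 1: which non-default accounts sit in the local Administrators group on each workstation?
$adminReport = Invoke-Command -ComputerName $Workstations -ScriptBlock {
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    # The built-in Administrator and Domain Admins are expected; anything else is a user running as admin.
    $extra = $members | Where-Object { $_ -notmatch '\\Administrator$' -and $_ -notmatch 'Domain Admins$' }
    [pscustomobject]@{ Host = $env:COMPUTERNAME; ExtraAdmins = ($extra -join '; ') }
}
$adminReport | Select-Object Host, ExtraAdmins | Format-Table -AutoSize

# Item 3: which shares grant broad groups Change or Full control? Those are the shares a single
# infected user can encrypt end to end; tighten them to the groups that actually need write access.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$shareReport = Invoke-Command -ComputerName $FileServer -ScriptBlock {
    Get-SmbShare | Where-Object { $_.Special -eq $false } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Change', 'Full' }
    } | Select-Object Name, AccountName, AccessRight
}
$shareReport | Where-Object { $_.AccountName -in $broad } | Format-Table -AutoSize

# Item 4: when was each host last patched? A gap of more than a month is the condition the
# thread is warning about (and this only covers Windows updates, not Flash, Java or Silverlight).
$patchReport = Invoke-Command -ComputerName ($Workstations + $FileServer) -ScriptBlock {
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{ Host = $env:COMPUTERNAME; LastHotFix = $last.HotFixID; InstalledOn = $last.InstalledOn }
}
$patchReport | Select-Object Host, LastHotFix, InstalledOn | Format-Table -AutoSize
```

Each section prints its own table; an empty ExtraAdmins column, no rows in the share report, and recent InstalledOn dates are what passing looks like. Get-HotFix only sees Windows updates, so third-party plugins still need their own patch check.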
#19, 09-02-2015, 06:42 PM (Senior Member)

Originally Posted by turquoiseblue:
Curious as to how much money these crooks are usually demanding?

Well, that is the issue. Most start at $500-$1000 in Bitcoin, then go up as time goes on. Problem is only about 50% of them have the capability of un-encrypting your files. The other half just take the money and are gone. They are surviving off the ones that can get your files back.

The guys and gal at Sunera are good (I know most of them).

Some others are:

Verizon
Mandiant
Fishnet Security

They are not cheap, but like I said before, you need to get legal involved; this is a breach.

Doug

Feel free to PM me if you need more info.
#20, 09-02-2015, 07:32 PM (Admirals Club Member)

Day late, but all of our server systems have multiple back-ups which are isolated from the servers and computers on the network. Some of the programs back up changes to the data hourly. Individual computer files are backed up daily using Acronis software and Seagate USB hard drives. Plus our firewalls block access to unapproved sites.

Depending on what ransomware was used, a good IT guy may be able to break the encryption, but like mentioned above, the longer you wait the more the ransom becomes.
