I am not a file system expert (IANAFSE), but I thought that most large
NASes these days employ some sort of copy-on-write technology so that
any changes are written to a different disk sector, preserving the
original content, so you can just roll back any file changes. Or would
that not be HIPAA compliant, leaving the old file out there?
Or do the ransomware encrypters account for this by just doing enough
writes to fill all the available disk, forcing old data to be overwritten?
On 10/1/2019 5:26 PM, CBB - Jay Fuller wrote:
Ewww. Let's go even deeper. Can the ISP be held for damages because
they were used in the attack?
----- Original Message -----
*From:* CBB - Jay Fuller <mailto:par...@cyberbroadband.net>
*To:* af@af.afmug.com <mailto:af@af.afmug.com>
*Sent:* Tuesday, October 1, 2019 5:25 PM
*Subject:* [AFMUG] Ransomware - ewww
Big report in the news here today: one of our largest regional
hospitals (DCH Medical in Tuscaloosa, AL) had to cease operations
today due to being compromised with ransomware.
https://www.al.com/news/2019/10/dch-health-system-closed-to-all-but-most-critical-new-patients-due-to-ransomware-attack.html
Man, I wouldn't want to be their CTO.

Question: how would you respond to something like this? Hope you
have backups! And sure, I've dealt with this at least once in my
computer consulting business. Client got hit and everything from
the offending desktop to the network attached storage got
encrypted. Took 18 hours or so to back everything up (in case they
ever broke the encryption) and restore about 6 TB of data. Fun
times. (Not.)

If you see this has happened, or you are responding and you have
over 100 computers/devices on the network, do you look for large
bursts of network traffic? Isolate and shut down segments until you
find the offending switch the device is on?

I read some comments on a Facebook group, "IT Stories and
Nightmares" or something like that, that they've responded to
similar situations and as soon as you clear a computer it gets
reinfected because the ransomware is still on the network. That
must suck....

The case I saw got everything that was network connected that
had a share. If something wasn't shared it was OK. The computer got
infected and the network attached storage got infected but the
individual PCs did not ('cause they were not shared on the network).
I guess it has gotten worse now since that happened (I think that
was back in March).

How do you actively try to prevent against this moving forward? I
can see a case for totally using VLANs to isolate entire departments.
Let's say you're a bank. Create a VLAN for the tellers, for the
administrators, for the loan officers, for the loan department.
None of them talk to one another. Use a router on each segment of
the network and none of them talk to each other. They only access
what they need and nothing more. The days of the "large network
share drive" are done with.

Let's say you're a private school. Maybe the high school is on one
VLAN. The middle school is on another. The dorms are on another.
The computer labs are on another. The public wifi is on yet
another. None of them talk to one another. If one gets infected,
it doesn't get outside of the VLAN?

Interested in thoughts on this.
------------------------------------------------------------------------
--
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
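As an added example (not part of the AFMUG thread and not any poster's code), here is the detection idea raised above, spotting the offending host by its activity burst so it can be pulled off its switch port, applied to the file-share side that the original poster saw get encrypted. It assumes a constructed audit-log format of `<timestamp> <client IP> <operation> <path>` from the NAS or file server, and the thresholds, hosts and paths are all invented; a real deployment would read its own server's audit format and tune the numbers against normal traffic.

```python
"""Flag ransomware-like write bursts on a file share from audit log lines.

Added example, not code from the AFMUG thread. The log format, hosts,
paths and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # per-client look-back window (assumed)
BURST_OPS = 5                    # writes+renames inside WINDOW that count as a burst
REEXT_FILES = 3                  # renames onto one new extension that count as mass re-extension

# Constructed sample audit lines: "<ISO timestamp> <client-ip> <op> <path>".
# 10.1.4.23 is an ordinary user; 10.1.4.57 is the host rewriting the HR share.
SAMPLE_LOG = """\
2019-10-01T17:20:01 10.1.4.23 WRITE /share/finance/q3.xlsx
2019-10-01T17:20:44 10.1.4.23 WRITE /share/finance/notes.docx
2019-10-01T17:21:30 10.1.4.23 READ /share/finance/q3.xlsx
2019-10-01T17:22:05 10.1.4.23 RENAME /share/finance/draft.docx -> /share/finance/final.docx
2019-10-01T17:25:10 10.1.4.57 WRITE /share/hr/roster.xlsx
2019-10-01T17:25:10 10.1.4.57 RENAME /share/hr/roster.xlsx -> /share/hr/roster.xlsx.locked
2019-10-01T17:25:11 10.1.4.57 WRITE /share/hr/policy.docx
2019-10-01T17:25:11 10.1.4.57 RENAME /share/hr/policy.docx -> /share/hr/policy.docx.locked
2019-10-01T17:25:12 10.1.4.57 WRITE /share/hr/handbook.pdf
2019-10-01T17:25:12 10.1.4.57 RENAME /share/hr/handbook.pdf -> /share/hr/handbook.pdf.locked
2019-10-01T17:25:13 10.1.4.57 WRITE /share/hr/README.txt
"""


def parse_line(line):
    """Parse one audit line into (timestamp, client, op, src_path, dst_path)."""
    ts_s, client, op, rest = line.split(" ", 3)
    ts = datetime.fromisoformat(ts_s)
    if op == "RENAME":
        src, dst = (p.strip() for p in rest.split("->"))
    else:
        src, dst = rest.strip(), None
    return ts, client, op, src, dst


def extension(path):
    """Lower-cased final extension of a path, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_bursts(log_text):
    """Return {client: [reasons]} for clients whose activity looks like bulk encryption.

    Lines are assumed to arrive in timestamp order, as a server audit log does.
    Two signals are checked: too many writes/renames inside WINDOW, and many
    files renamed onto the same new extension (the pattern behind the
    'everything with a share got encrypted' story in the thread).
    """
    recent = defaultdict(deque)                        # client -> timestamps inside WINDOW
    new_exts = defaultdict(lambda: defaultdict(set))   # client -> new ext -> renamed files
    findings = defaultdict(list)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts, client, op, src, dst = parse_line(line)
        if op not in ("WRITE", "RENAME"):
            continue                                    # reads never modify the share

        window = recent[client]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()                            # drop events older than WINDOW
        if len(window) >= BURST_OPS and "write burst" not in findings[client]:
            findings[client].append("write burst")

        if op == "RENAME" and extension(dst) != extension(src):
            files = new_exts[client][extension(dst)]
            files.add(dst)
            if len(files) >= REEXT_FILES:
                reason = f"mass re-extension to .{extension(dst)}"
                if reason not in findings[client]:
                    findings[client].append(reason)

    return dict(findings)


def hosts_to_isolate(log_text):
    """Sorted client addresses that tripped at least one detection rule."""
    return sorted(detect_bursts(log_text))


if __name__ == "__main__":
    for host, reasons in detect_bursts(SAMPLE_LOG).items():
        print(f"isolate {host}: {', '.join(reasons)}")
```

Run as a script it names the host to isolate; `detect_bursts` returns the reasons per client so the result can drive a switch-port shutdown or a snapshot rollback on the NAS rather than only a console message. The ordinary user's spaced-out writes and the same-extension rename on the finance share are not flagged, which is the check worth keeping when tuning `WINDOW` and `BURST_OPS` against a real server's normal load.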