I don't think it's so much an attack as somebody clicked on something.

And suing the ISP would be like suing Ford because you used your car to go
buy some tainted vapes that made you sick.  That said, it is pretty common
to have something in your TOS saying you just connect the customer to the
Internet and are not liable for any spam, scams, and offensive or malicious
content they might find there.

Also, from what I've heard, by the time they see the ransom notice on the
screen, all the data has already been encrypted and they're screwed.  It's
also amazing how many companies have backups but they're just different
drives on the same computer or they are on the same network so the backups
are also encrypted.

From: AF <af-boun...@af.afmug.com> On Behalf Of CBB - Jay Fuller
Sent: Tuesday, October 1, 2019 5:27 PM
To: AnimalFarm Microwave Users Group <af@af.afmug.com>
Subject: Re: [AFMUG] Ransomware - ewww

Ewww.  Let's go even deeper.  Can the ISP be held for damages because they
were used in the attack??

----- Original Message -----
From: CBB - Jay Fuller <par...@cyberbroadband.net>
To: af@af.afmug.com
Sent: Tuesday, October 1, 2019 5:25 PM
Subject: [AFMUG] Ransomware - ewww

Big report in the news here today, one of our largest regional hospitals
(DCH Medical in Tuscaloosa, AL) had to cease operations today due to being
compromised with ransomware.

https://www.al.com/news/2019/10/dch-health-system-closed-to-all-but-most-critical-new-patients-due-to-ransomware-attack.html

Man, I wouldn't want to be their CTO.

Question: how would you respond to something like this?  Hope you have
backups!  And sure, I've dealt with this at least once in my computer
consulting business.  Client got hit and everything from the offending
desktop to the network attached storage got encrypted.  Took 18 hours or so
to back everything up (in case they ever broke the encryption) and restore
about 6 TB of data.  Fun times.  (Not.)

If you see this has happened, or you are responding, and you have over 100
computers / devices on the network, do you look for large bursts of network
traffic?  Isolate and shut down segments until you find the offending switch
the device is on?

I read some comments on a Facebook group, "IT Stories and Nightmares" or
something like that, that they've responded to similar situations, and as
soon as you clear a computer it gets reinfected because the ransomware is
still on the network.  That must suck....

The case I saw got everything that was network connected that had a share.
If something wasn't shared it was OK.  The computer got infected and the
network attached storage got infected, but the individual PCs did not
(because they were not shared on the network).

I guess it has gotten worse now since that happened (I think that was back
in March).

How do you actively try to prevent against this moving forward?  I can see a
case for totally using VLANs to isolate entire departments.

Let's say you're a bank.  Create a VLAN for the tellers, for the
administrators, for the loan officers, for the loan department.  None of
them talk to one another.  Use a router on each segment of the network and
none of them talk to each other.  They only access what they need and
nothing more.  The days of the "large network share drive" are done with.

Let's say you're a private school.  Maybe the high school is on one VLAN.
The middle school is on another.  The dorms are on another.  The computer
labs are on another.  The public wifi is on yet another.  None of them talk
to one another.  If one gets infected it doesn't get outside of the VLAN?

Interested in thoughts on this.

-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
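An added example, not from the thread: a small Python check a defender could run over flow records to apply the two ideas raised above, an inter-VLAN allow-list ("they only access what they need") and watching for a burst of SMB traffic from one host. The VLAN names, addresses, flow records and thresholds are constructed for the demonstration.

```python
"""Two defender-side checks over flow-style records (constructed data):
(1) cross-VLAN flows the segmentation allow-list does not permit, and
(2) hosts talking SMB (TCP/445) to unusually many peers or at high volume."""
from collections import defaultdict

# Constructed flow records: (src_vlan, src_ip, dst_vlan, dst_ip, dst_port, bytes_sent)
FLOWS = [
    ("tellers", "10.1.0.5",  "core",  "10.9.0.2", 445, 40_000),
    ("tellers", "10.1.0.5",  "core",  "10.9.0.2", 445, 600_000),
    ("tellers", "10.1.0.5",  "loans", "10.3.0.7", 445, 500_000),  # not allowed
    ("tellers", "10.1.0.5",  "admin", "10.2.0.4", 445, 300_000),  # not allowed
    ("loans",   "10.3.0.7",  "core",  "10.9.0.2", 445, 15_000),
    ("admin",   "10.2.0.4",  "core",  "10.9.0.3", 443, 8_000),
    ("guest",   "10.8.0.20", "core",  "10.9.0.2", 445, 2_000),    # guest has no entry
    ("loans",   "10.3.0.9",  "loans", "10.3.0.7", 445, 10_000),   # same VLAN, ignored
]

# Hypothetical allow-list: (src_vlan, dst_vlan) -> ports that may cross the boundary.
# Anything not listed is a segmentation violation ("only what they need, nothing more").
POLICY = {
    ("tellers", "core"): {445},
    ("loans", "core"): {445},
    ("admin", "core"): {443, 445},
}

def policy_violations(flows, policy):
    """Return (src_ip, dst_ip, port) for every cross-VLAN flow the policy does not allow."""
    hits = []
    for src_vlan, src, dst_vlan, dst, port, _ in flows:
        if src_vlan == dst_vlan:
            continue  # intra-VLAN traffic is outside the allow-list's scope
        if port not in policy.get((src_vlan, dst_vlan), set()):
            hits.append((src, dst, port))
    return hits

def smb_burst_sources(flows, min_hosts=3, min_bytes=1_000_000):
    """Return sources that reach >= min_hosts SMB peers or send >= min_bytes over 445."""
    peers, volume = defaultdict(set), defaultdict(int)
    for _, src, _, dst, port, nbytes in flows:
        if port == 445:
            peers[src].add(dst)
            volume[src] += nbytes
    return sorted(s for s in peers if len(peers[s]) >= min_hosts or volume[s] >= min_bytes)

if __name__ == "__main__":
    for src, dst, port in policy_violations(FLOWS, POLICY):
        print(f"segmentation violation: {src} -> {dst}:{port}")
    for src in smb_burst_sources(FLOWS):
        print(f"possible encryption burst from {src}")
```

In practice the flow records would come from the switches or a flow collector, and the thresholds would be tuned against a baseline of normal share traffic.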
