A Kentucky hospital says it is operating in an “internal state of emergency” after a ransomware attack rattled around inside its networks, encrypting files on computer systems and holding the data on them hostage unless and until the hospital pays up.
A streaming red banner on Methodisthospital.net warns that a computer virus infection has limited the hospital’s use of electronic web-based services. Click to enlarge.
Henderson, Ky.-based Methodist Hospital placed a scrolling red alert on its homepage this week, stating that “Methodist Hospital is currently working in an Internal State of Emergency due to a Computer Virus that has limited our use of electronic web based services. We are currently working to resolve this issue, until then we will have limited access to web based services and electronic communications.”
Jamie Reid, information systems director at the hospital, said malware involved is known as the “Locky” strain of ransomware, a contagion that encrypts all of the important files, documents and images on an infected host, and then deletes the originals. Victims can regain access to their files only by paying the ransom, or by restoring from a backup that is hopefully not on a network which is freely accessible to the compromised computer.
In the case of Methodist Hospital, the ransomware tried to spread from the initial infection to the entire internal network, and succeeded in compromising several other systems, Reid said. That prompted the hospital to shut down all of the hospital’s desktop computers, bringing systems back online one by one only after scanning each for signs of the infection.
“We have a pretty robust emergency response system that we developed quite a few years ago, and it struck us that as everyone’s talking about the computer problem at the hospital maybe we ought to just treat this like a tornado hit, because we essentially shut our system down and reopened on a computer-by-computer basis,” said David Park, an attorney for the Kentucky healthcare center.
The attackers are demanding a mere four bitcoins in exchange for a key to unlock the encrypted files; that’s a little more than USD $1,600 at today’s exchange rate.
Park said the administration hasn’t ruled out paying the ransom.
“We haven’t yet made decision on that, we’re working through the process,” with the FBI, he said. “I think it’s our position that we’re not going to pay it unless we absolutely have to.”
The attack on Methodist comes just weeks after it was revealed that a California hospital that was similarly besieged with ransomware paid a $17,000 ransom to get its files back.
Park said the main effect of the infection has been downtime, which forced the hospital to process everything by hand on paper. He declined to say which systems were infected, but said no patient data was impacted.
“We have downtime procedures to going to paper system anyway, so we went to that paper system, he said. “But we don’t feel like it negatively impacted patient care. They didn’t get any patient information ”
Ransomware infections are largely opportunistic attacks that mainly prey on people who browse the Web with outdated Web browsers and/or browser plugins like Java and Adobe Flash and Reader. Most ransomware attacks take advantage of exploit kits, malicious code that when stitched into a hacked site probe visiting browsers for the the presence of these vulnerabilities.
The attack on Methodist Hospital was another form of opportunistic attack that came in via spam email, in messages stating something about invoices and that recipients needed to open an attached (booby-trapped) file.
It’s a fair bet that as ransomware attacks and attackers mature, these schemes will slowly become more targeted. I also worry that these more deliberate attackers will take a bit more time to discern how much the data they’ve encrypted is really worth, and precisely how much the victim might be willing to pay to get it back.
All the more reason to not use Flash or Java. I know there are some applications which unfortunately require one or the other to be installed.
I have never cared much for Adobe Reader either. The fact that you can embed javascript or even code to launch an executable in the pdf file makes the thing a nightmare. I wish there were such a thing as a PDF reader that disabled all of these capabilities. And then I suppose there would be howls of protest from people who think those “features” are neat.
Have you taken a look at Foxit Reader?
https://www.foxitsoftware.com/products/pdf-reader/
I don’t think Foxit is any better. Do a google search for a blog by Didier Stevens titled “Escape from PDF”. The guy came up with a proof of concept with a pdf file that would open the Windows calculator. At the time, Foxit was worse than straight Adobe in that there was no warning popup at all.
Now this was about 6 years ago – maybe things have improved since then. But I will make another observation – it has been reported that Foxit sends telemetry data to servers in China.
What I yearn for is a pdf reader that has no javascript capabilities at all by default and doesn’t try and send telemetry data.
How about Sumatra PDF? It even has a “View in Adobe Reader” button for when you’re viewing fillable forms etc. so yuo can easily make it default.
Sumatra PDF has no javascript support. Other vulns and setting options to reduce risk were discussed earlier this month in the maker’s forums:
http://forums.fofou.org/sumatrapdf/topic?id=3185091
Code is tight, fast, lightweight and supports a long list of formats. I use the portable version.
You can turn off Javascript in Foxit Reader, as well as turn off clickable URLs. You can turn off Javascript in Adobe Reader, also.
It is much harder to compromise a user’s operating system via a PDF document if you cannot use a scripting language or induce a user to click a link.
Foxit Reader > File tab > Preferences > General > Create links from URLs = OFF
Foxit Reader > File tab > Preferences > Trust Manager > Enable JavaScript Actions = OFF.
And while you’re there, Enable Safe Reading Mode = ON.
I don’t have Adobe Reader or Acrobat installed, but my notes say these are the general instructions after opening the Preferences menu:
Documents
Allow docs to hide menu… = OFF
JavaScript
Enable Acrobat JavaScript = OFF
Security (enhanced)
Auto trust sites Win OS = OFF
Trust Manager
Allow opening non-PDF attachments = OFF
That’s true, but my experience has been that whenever you update to a new version of Acrobat Reader that it erases your preferences settings and re-enables javascript, and this is simply unacceptable.
Once I saw that Foxit was sending telemetry data to China, I uninstalled.
I haven’t tried any of the others.
Firefox (the browser) has a built in open source PDF reader and since Mozilla constantly updates Firefox for any security issues, it stays up to date. Not a bad option and you get quick security updates.
You could use the Acrobat Customization Wizard to make those settings (among others) default for an installer, then deploy it across your organization.
I use Foxit and do have the other features turned off for security purposes. That blog post is 6 years old, the state of PDF security is a little better now.
At this point, most browsers can natively render PDFs.
Firefox uses pdf.js (probably the best sandbox).
Chrome has its own renderer.
Safari has its own (well, it really uses OS X’s native PDF handling)
Edge has its own (this is basically Windows 10’s system).
In general, I’d trust Chrome/Edge’s handling the most, followed by Firefox — not because I don’t trust pdf.js (it’s actually probably the safest design), but because last I checked Firefox hadn’t added a couple of process isolation features that have been added to Chrome/Edge.
And yes, there will be exploits of these (there was one recently of Edge). But browser vendors are much better at shipping updates than anyone else.
So do you save it, and read it later with the browser? I’ve never tried that, and I’m not sure if my light duty PDF reader can avoid the functions we are complaining about here or not. I doubt it, because Sumatra PDF is included with a lot of printer drivers, so I’d imagine it is vulnerable as well. I don’t have much luck printing with my browser either lately; but then I need to upgrade to Windows 7 at least.
It’ll open a PDF like a new webpage and you can save it from there to your hard-drive for later viewing if you like. On my machine Firefox is my default PDF viewer, so when I double click on a PDF in Windows Explorer it launches Firefox and opens the PDF in it.
These holes and flaws can be exploited from inside many applications, they don’t unnecessarily need to run java-script or any other scripting language to be able to be exploited. E.g Stagefright (integer overflow) hack on Android.
I suggest running applications like web browsers and opening attachments in a sandbox environment. This prevents anything malicious being able to modify your personal data. Try “sandboxie”.
FireFox has a native pdf-reader. FireFox is open source software.
Eric,
it’s not java or flash or pdf files that are the problem. it’s the lack of knowledgeable IT and Security people these places hire as well as an Upper Management in these org’s that don’t spend the $’s needed to hire the knowledgeable IT and Security people they should be hiring and buying adequate equipment, software and support services needed to keep the ‘riff-raff’ out of their systems.
and also training and reprimanding those that use their medical workstations to troll the internet for friggin cat videos.
we’ve never had these issues where i work at, and i’ve been doing this stuff since computers first became available to the general public circa. pre 1975.
also if you know how to drive a car, then you don’t get into accidents.
Riff-Raff
Just a matter of time before these attacks morph to extortion in the form of ‘pay us or we release everything to the public,’ and restoring from backups will be the least of our worries.
Not really. for all ransomwares I’ve seen so far the files are all kept local. The malware server generates a pair of keys, keep the private fon their db and only transmit the public key to the infected machine… Only the encryption key is in transit.
“Jamie Reid, information systems director” should not be an “information systems director”. He obviously doesn’t belong in that position.
Agree to your statement, this seems to be jumping the gun on alerting. These actions shed a light to the general population that some should not need to know, this is typically day-t0-day operations that IT Security professional deal with on a daily basis.
I’d say the exact opposite, if they can recover fully without having to pay the ransom then the disaster-management process he’s put in place (if it was him) has done a pretty good job. There are way too many places where, if this happened, they’d just collapse in disorder.
We have no idea what management restraints Jamie Reid may have been under. How many IT Director’s have had their budget requests fall on unhearing ears because it doesn’t appear cost-effective? The new medical scanner technology looks more promising than that Intrusion Prevention System that just has pretty blinking lights.
And don’t forget the machine that goes, “PIIIING!”
Websitr security is fast becoming a vector for penetrating networks. I’d be willing to bet that an employee visited a premium website and was infected without knowing it.
Locky recently has been distibuted in phishing emails with a word document and disabling Macros is sometimes something that can’t be done in a health environment. Patching and user awarness and backups are they only thing that can help with this.
Mike – Macros no longer required.
3/10/2016 Locky Update
Locky has evolved and that is bad for us. SpiderLabs (part of TrustWave) reported 3/8/2016 that of the 4 million spam messages it collected last week 18% were ransomware related and many linked back to Locky making for a huge growth spurt. Originally Locky was delivered via infected Microsoft Word documents, but this version has a JavaScript file hidden in the spam. Just as bad, the volume appears to be driven by the same large network of compromised computers (botnet) used to send the Dridex banking malware back in January 2015. More at PCWorld
see below for links
http://nc3.mobi/16info/#0310locky
Hospital in WV was hit by a similar ransomware http://wvmetronews.com/2016/03/22/data-safe-after-computer-issues-at-ruby-memorial/
Luckily, they were able to restore systems without paying the ransom. http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of-emergency-after-ransomware-infection/
Your link is to the same article in which you’ve commented with the link. I see this all the time. What use is that?
I don’t know, but if there’s anything I learned from Brian, its not to click on strange links.
Varonis could have prevented the spread of this crypto~malware infection by locking down out of control access controls and monitoring the file system for operations performed by ransomware.
https://blog.varonis.com/locky-encrypts-data-on-local-drives-and-unmapped-network-shares/
Disclosure: I am a Varonis Systems Engineer
That link isn’t very helpful.
These two articles:
* User Behavior Analytics (UBA) [1]
* Why UBA Will Catch the Zero-Day Ransomware Attacks (That Endpoint Protection Can’t) [2]
Are much more interesting/useful.
FWIW, I’m not associated with Varonis. (I was once involved in a hardening project for a very short interval.)
In terms of design, I’m actually quite intrigued by Varonis and am thankful that you mentioned it.
[1] https://blog.varonis.com/what-is-user-behavior-analytics/
[2] https://blog.varonis.com/why-uba-will-catch-the-zero-day-ransomware-attacks-that-endpoint-protection-cant/
Wouldn’t Cryptoprevent by FoolisIT do the same thing? I think you can get that for free over at bleepingcomputer(dot)com by a link to the same website. They also show you how to do it using software restriction policies – mostly by links to Microsoft articles.
Looks sort of interesting, but you are still stuck in a cat and mouse game with ransomware developers designing new strains and relying on regular updates to prevent infection.
Most of these email attachments are zipped javascript files that execute a URL to an EXE file. At least from what I’ve seen. I’m sure it’s being distributed through Flash/Java too.
Why can’t employees be trained to hover their mouse over a link without clicking to determine if it is what is supposed to be. Why can’t they also be trained to download (not execute) a file and then scan it on Virus Total to see if it is infected?
Regards,
Have you met people? Many of them simply can not be trained to operate securely. I have seen dismal results even from the best training. Part of it is the culture of the organization and whether management really tries to make security important.
Also, health care providers have a LOT of other work related training that they consider far more important. But you would think that with all the emphasis on privacy due to HIPPA, that they would be at least a little more aware.
If you’re using an out of date browser/plugin, then for some attacks you won’t see any links to odd things. The attack can come in through a script tag/image link (e.g. from an ad network), exploit a bug in your browser/browser plugin, and immediately run code w/o you being aware of a problem (you might notice your browser crash if the exploit isn’t perfectly clean).
If you’re using a desktop mail client, and haven’t disabled the preview feature for attachments/messages, then you could easily be attacked w/o seeing anything. Or if the mail client is out of date, an attack could exploit it.
It’s true that some attacks do involve social engineering, but not all.
The right fix at the end of the day is a mix of things — append-only-files/disks/backups (this prevents destruction of your data/allows recovery — but it can’t really be something local, since an attacker could defeat it), some behavioral analysis to detect data exfiltration (what happens when an attacker gains access to PII and starts sending it out of the local network), and monitoring to detect software that doesn’t belong.
The trouble is that doesn’t work anymore. The legit URIs often contain so much tracking code and bounce through several email campaign tracking websites that they look just as suspicious as the bad URIs.
When will we treat this sort of behavior as terrorism, and deploy the Internet equivalent of drone strikes (ie cut off the Internet access of any countries permitting these acts to go unpunished) ? If I had my way these idiots would be locked up for 30,000 years, in Gitmo and waterboarded hourly.
“The United States continues to host more malware and botnets than any other country, including Russia and China, which are often viewed as the biggest sources for cybercrime campaigns worldwide.” [1]
We can’t cut countries off, it’s pretty ineffective. (And the US would be the first to be cut off by your metric).
It’s not just botnets, the US has lots of open proxies [2].
I can’t find a good article covering VPN distribution, so instead, here’s a poor page showing that most countries have VPNs [3]: “We have 929 VPN servers in 353 locations in 190+ countries around the world – offering faster connections and wider access to restricted sites around the world than other VPN providers. And we offer over 125688 IP addresses – the codes from which internet snoopers can deduce a computer’s geographical location. …”
Probably the best approach is to deal with Autonomous Systems [4], [5], an article about Brian’s work which led to the downfall of McColo [6]. Basically the Internet is composed of neighborhoods (for routing purposes), large “blocks” of addresses. In theory countries have ranges, but there are too many good+bad kids in a country to work at that level (although you could decide that you should never have any customers from a country and shut the door individually). Typically a hosting provider will end up with its own ASN (AS Number), for routing purposes. And routes are more or less established between these. If everyone (or the only others) reachable from an ASN decides to stop routing traffic, it will fall off the Internet. It hasn’t happened often, but when it does, the results are impressive. The problem is that typically companies have legal contracts establishing these connections, so in order to stop carrying traffic w/o losing a corporate lawsuit, they need to have lawyers figure out a way for them to — essentially break that contract without penalty and thus — stop carrying that traffic.
Also, while this approach (Internet Death Penalty for ASNs) works great when a bad guy/bad neighborhood exists in hosting environments, it doesn’t work well when bad guys use distributed (typically “peer-to-peer”) systems (botnets+data via DNS/blockchains). In those cases, essentially your neighbor (who is “good”) could be “infected” and thus (unknowingly) attacking you. The best approach is for ISPs to cut individual customers off until they’re fixed, but that’s only used in incredibly rare instances (DNSChanger [7] is one such instance, Brian has articles about it too). This approach is unfortunately fairly resource intensive (and requires a lot of humans to answer phones and troubleshoot).
[1] https://securityintelligence.com/news/us-tops-list-of-countries-hosting-malware-and-botnets/
[2] http://www.samair.ru/proxy/type-01.htm
[3] https://www.hidemyass.com/servers
[4] https://www.google.com/transparencyreport/safebrowsing/malware/?hl=en#region=ALL&period=90&size=LARGEST&compromised&attack
[5] https://www.stopthehacker.com/2010/01/01/profiling-autonomous-systems-hosting-blacklisted-websites/
[6] http://garwarner.blogspot.ca/2008/11/internet-landfill-mccolo-corporation.html
[7] http://www.dcwg.org/detect/
I think the difficult part with your plan is catching the miscreants in the first place. However, once/if they are caught, it may very well be that the felony murder rule will apply (if it can be proven that anyone died as a result of the malware causing a computer to be unavailable).
So in other words cut off every country in the world including the US?
Brian it looks like you lost an `h`, a `”`. and probably a `.`:
> “We ave [?] downtime procedures to going to paper system anyway, so we went to that paper system, [?] he said. “But we don’t feel like it negatively impacted patient care. They didn’t get any patient information [?]”
A good reminder why decades old information security fundamentals are still more important that the current shiny technology. The number of entry points we have will continue to expand, complexiy will continue to increase and users will continue to be tricked into downloading/activating bad software and the threat actors will be able to change forms/hashes etc. faster than any signature based AV product can keep up with. Infections are inevitable. That said, good fundamentals can help as long as we stay focused on them as a profession and stop chasing the shiny marketing thing of the day. Use advanced endpoint protection capabilities, integrate network IDS/IPS, scramble admin passwords, use host firewalls, protect admin credentials like your life depends on it, segment your accounts and systems (email enabled desktop accounts and systems should NEVER have access to production systems by default). If there are access points, applications etc. use jump boxes, remoteapp capabilities, multi-factor authentication additions etc. to limit credential theft and lateral movement. In other words, do the things we’ve needed to be doing since the late 90′;s to help mitigate the risks here -malware isn’t and it isn’t even necessarily more complex, most still exploit poor fundamentals…
Pay the ransom now before they know what they (attackers) have. Install FireEye NX appliances and install Malwarebytes Anti-Exploit to stop Flash/Java/Acrobat etc.. zerodays. Simple ways to stop locky and 99.9% of ransomware.
An ironic coincidence: today I received an email from Chase with “Let’s team up against fraud” in the subject line. There were nine clickable links in the email, all of which could lead to an infected web site. There was no statement that best practices would be to log in separately to the Chase site to follow up on whichever link topic appealed to you. With modification, the same sort of phishing email can be used (and obviously is being used) with hospitals or other malware targets. Chase and its brethren in the commercial world still haven’t gotten the message about how to reduce the consequences of malware phishing attacks. A good start would be to eliminate entirely clickable links in emails.
I got that same email and laughed.
They wouldn’t be able to track your response to the email if you went direct to the website, and thus would not be able to judge the effectiveness of their email campaign. So you now know which one is the more important between metrics and customer security.
—–
“As we consider the pursuit of cybersecurity … we are now faced with ‘freedom, security, convenience: choose two.’”
— Daniel E. Geer, Jr., Sc.D.
— Harvard National Security Journal
Brian you nailed Th3 Pr0 perfectly as part of the SEA. Can you do a follow-up now https://news.vice.com/article/the-us-has-indicted-three-alleged-syrian-electronic-army-hackers-for-cyber-crimes?utm_source=vicenewstwitter
Disclaimer: I work at Comodo
I’m not aware of Methodist Hospital’s internal security setup and architecture, but this is most likely another example of traditional signature based detection and a default-allow architecture proving that it’s totally ineffective against ransomware attacks. The attackers just need to go to the trivial effort of creating a new strain and it can totally evade detection by a supposedly up to date and “protected” endpoint!
The technology most organizations use today is basically comparable to installing a home security system that alerts you to a break-in weeks after the criminals have already stolen everything and vandalized the house. By then, it’s simply too late.
Here at Comodo we decided to solve the malware problem by developing a run-time automatic containment solution that zero’s in on what truly matters in protection, the “unknown” files that no one can identify. If a file can’t be determined to be “good” or “bad” we simply put it into a jail that has limited access to a virtual file system/registry/network/etc. At the same time the “unknown” file gets sent to our cloud based verdict platform that uses static and dynamic analysis to return a verdict of “good” or “bad” within about 40 seconds, so that the next time the file runs it doesn’t need to be put back into containment. If we can’t obtain an machine based verdict then it’s analyzed in detail by experts from our threat research team.
For example: Even a cryptolocker strain that is undetected by all AV vendors is still totally ineffective as it runs inside the container and can only encrypt the shadow file system inside the jail. There is no chance of infection unless the malware can escape containment…and that hasn’t happened to this day.
Interesting….. but what about virus using a trusted framework ? Like this one: http://arstechnica.com/security/2016/01/researchers-uncover-javascript-based-ransomware-as-service/ . This is an example, but the point is: signature based are not good, and behave analysis on the cloud may be too late… hard to solve this problem.
Hi Mario,
In that particular example the payload is an executable that will be contained and can only run inside of what you could consider a virtual jail. This holds true for malware delivered through browser exploits, java, macros, etc.
Once an “unknown” file is detected it is automatically contained and allowed to run so that there is no business disruption. It would have absolutely zero effect on the real file system on the endpoint, and would only be able to encrypt files within the container itself which is totally harmless.
In parallel the file is also sent to the our cloud based file verdict system called Valkyrie for detailed analysis. This ensures that the 2nd time the file is executed there is already a verdict regarding whether it is “good” or “bad”.
You are welcome to sign up for a free account and do some malware analysis of your own.
Could not tell if you were legit or not. Googled your name.
Don’t you make a free AV too?
Hi Ryan,
We do make a range of free products including AV and Personal firewalls, but that is just the tip of the iceberg and we have a full range of enterprise solutions.
You are welcome to grab a free version of our AV product and test our automatic containment of unknown files. It’s a radically different approach to fighting malware and I’d love to get some feedback once you’ve seen it work in person.
secure file transfer is one solution.
Block all inbound attachments with an auto-reply that gives the sender a method to upload files, and block outbound attachments.
I’ve used two products: Accellion and MOVEit DMZ, and they can both be configured to run integrated AV. Neither are cheap, but neither is an infection like this.
I got shouted down when I tried to point out the evil of Bitcoin when they were first offered as tender. Now see
what has happened – none of the randsomware exploits could exist without this form of payment.
I got shouted down when I tried to point out the evil of Bitcoin as tender – now see what as happened – none of the ransom exploits could exist without this form of payment.
On the contrary, in the past there has been ransomware that asked for prepaid debit card sorts of things like MoneyPak, Ukash, or Greendot cards.
http://krebsonsecurity.com/2013/06/cashout-service-for-ransomware-scammers/
But Bitcoin does simplify things for ransomware, I agree.
I wonder – since the Bitcoin blockchain is published, would it be possible to “blacklist” any payments downstream of a ransomware payment address?
Good points Gnecht. BaliRob, you could make the same case for cash or money in general.
Just like when the U.S. got rid of some of our larger cash bills, crime didn’t drop a bit. Things like this are incidental to the crime (extortion) – they’ll just get money some other way.
Having some experience with hospital IT, I have a couple of observations.
First, hospital IT governance is change-averse. Nobody in IT wants to be on the wrong side of an update rollout which broke something the chief of surgery likes and uses. So the path of least fear is to hold back on updates.
Second, some hospital systems rely on old versions of system software. There’s a radiology image viewer in some hospitals that only works on Internet Explorer version 6, for example. (Some long and boring story about ActiveX controls…)
Third, patient confidentiality is another source of fear. The ARRA-2009 extension to the HIPAA law made people personally liable for data breaches. “Piercing the corporate veil” served to crank up the risk-aversion in IT people.
The stock answer to these problems is to outsource all IT to a big vendor with a deep enough pocket to catch the trouble. But that’s really expensive. It may be too expensive for a community hospital founded by church folks and run as a labor of love for the community.
An intermediate step might be to convert to private-labelled cloud email with a big smart provider like Gmail, ban in-house email infrastructure, and disable thumb-drive ports on public-area computers. That would slow down the cybercriminals.
What really slows them down is a high degree of attention to cyberhygiene by everybody using computers. But most hospitals have a hard time getting people to wash their hands before touching patients, so cyberhygiene isn’t out there in front.
Every hospital regularly practices their ‘offline’ operations that might be needed in the event of a disaster, things like using paper forms, etc. The hospital might be looking at the silver lining here that their emergency procedures are getting a good test.
This is an email issue. These invoice spams are not that difficult to block before they reach the end-user’s inbox.
Sounds like a million dollar idea to me.
Million dollar idea? Not really. Features exist to block this crap. Most companies have the features turned off because they do not want to inconvenience their end users.
Unfortunately blocking spam and specific malware emails is similar to relying on antivirus signatures for protection. You are in a constant arms race that you will eventually lose because no matter how good your detection policies are there is going to be something that eventually gets through. This is the biggest inherent problem with a default-allow architecture.
I’m not saying it’s totally ineffective and it is definitely an important defensive layer, just as using AV signatures catches the majority of threats, but it’s not enough to ensure total protection.
We need a major shift in our approach to fighting malware!
what are you talking about? Antivirus signatures have nothing to do with blocking email before it is delivered to the user’s inbox.
There are many things you can do that do not involve antivirus.
The best solution for ransomware is is an up to date drive image (which I don’t currently have), but I have installed an anti-ransome program. Hopefully it will never need to be tested.
Just spent the weekend exploring solutions for a ransomware attack on my smartphone, reading that android users must always assent to any downloads (false, see Stagefright) and that android is completely sandboxed (not true, LG still hasn’t released the update for my phone). Fortunately, I found the offending app (it could have been hidden), uninstalled it (option could have been missing) and got my phone back (as nothing was encrypted). My hunch is that I won’t be so lucky next time!
“… The attack on Methodist Hospital was another form of opportunistic attack that came in -via-spam-email- in messages stating something about invoices and that recipients needed to open an attached (booby-trapped) file…”
The -users- need RULES:
• DO NOT follow the advice they give to enable macros or enable editing to see the content…
• The basic rule is NEVER open any attachment to an email, unless you are expecting it. Just -delete- it.
//
Unfortunately I think the reality in most workplaces will be that the end user will never be educated enough to avoid all social engineering attacks and various methods of infection.
There are far better technical solutions to what is always going to be a human problem
I have to thank you for the efforts you’ve put in writing this
website. I’m hoping to view the same high-grade content from you later
on as well. In truth, your creative writing abilities has encouraged me to get my very own website now 😉
Adobe reader unfortunately is what many medial and banking software is written to use. Other PDF readers won’t work at all with the software. Adobe needs to make a secure version and stop giving us exploits/features.
I rember 90 s was racket you needed to pay in order to continue with your business ,same thing but new way
Lots of great comments here about stopping these infections. I just posted an article about how to prevent some spreading to file shares on servers if a client PC does happen to get infected. Built-in file screens on windows server configured as a whitelist instead of a blacklist. I hope this helps someone.
https://dconsec.wordpress.com/2016/03/24/use-file-screen-to-stop-ransomware-on-file-servers/
Let me guess, they were using Windows.