As some of you have heard, several hospitals have recently been hit by ransomware that locked thousands of files. The State of Texas Department of Information Resources recently provided an update, indicating that both nationally and in Texas the ransomware has been identified as Locky. Hospitals are especially vulnerable because they run many distributed applications that access network file shares, and the client machines running those applications are exactly what the malware's delivery vector reaches. The primary vector has been identified as email attachments. In many cases the malware targets administrative and HR staff with attachments that appear relevant to their roles (such as job applications or invoices).
Risk Mitigation actions –
If someone in your organization receives such content, they should attempt to verify its origin before opening the attachment. If they have not recently been in communication with the sender and are not expecting the content, they should not open the attachment.
If someone does open an attachment and it does not behave as expected, they should notify someone immediately. The sooner the encryption process is disrupted, the higher the probability that its scope can be minimized.
For those of you who run your own file servers, the worst case is that you cannot identify the workstation initiating the encryption and the files on your shares simply begin changing names at random and becoming inaccessible. In that situation your best action is to disconnect all network shares as rapidly as possible. That limits the malware's ability to reach every share and should reduce the recovery effort.
But make no mistake: once the process is triggered, restoring data from backup is the only option. The probability of successfully obtaining the decryption keys (after paying a ransom of varying amounts) from those who operate the command and control servers is not high, and paying should not be considered part of the risk mitigation process.
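The worst case above is not knowing which workstation is driving the renames. One way to close that gap is to watch file-server audit records for a burst of extension-changing renames from a single client, which is the signature of an encryption run in progress and points straight at the machine to isolate. The following is an added example written for this notice, not code from the State of Texas or from any file-server product; the log format, the host names and the `.locked` extension are all constructed, and the records are assumed to arrive in time order.

```python
"""Flag the client workstation behind a burst of extension-changing renames on a share.

Added example; the audit record format below is an assumption:
    "<ISO-8601 timestamp> <client host> <RENAME|WRITE|DELETE> <old path>[ -> <new path>]"
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os
import re

# Constructed sample of file-server audit records (not real logs). WS-HR-02 renames
# six files to a new extension within seconds; WS-ADMIN-07 and WS-FIN-03 show ordinary
# activity; the last line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
2016-03-28T09:14:00 WS-ADMIN-07 WRITE /shares/admin/invoice_3391.pdf
2016-03-28T09:14:05 WS-HR-02 RENAME /shares/hr/applicant_042.docx -> /shares/hr/applicant_042.docx.locked
2016-03-28T09:14:06 WS-HR-02 RENAME /shares/hr/applicant_043.docx -> /shares/hr/applicant_043.docx.locked
2016-03-28T09:14:07 WS-HR-02 RENAME /shares/hr/benefits_2016.xlsx -> /shares/hr/benefits_2016.xlsx.locked
2016-03-28T09:14:08 WS-ADMIN-07 RENAME /shares/admin/minutes_draft.docx -> /shares/admin/minutes_final.docx
2016-03-28T09:14:09 WS-HR-02 RENAME /shares/hr/onboarding.pptx -> /shares/hr/onboarding.pptx.locked
2016-03-28T09:14:10 WS-HR-02 RENAME /shares/hr/payroll_q1.xlsx -> /shares/hr/payroll_q1.xlsx.locked
2016-03-28T09:14:11 WS-HR-02 RENAME /shares/hr/handbook.pdf -> /shares/hr/handbook.pdf.locked
2016-03-28T09:20:00 WS-FIN-03 RENAME /shares/fin/export.csv -> /shares/fin/export.txt
2016-03-28T09:20:40 WS-FIN-03 RENAME /shares/fin/report.docx -> /shares/fin/report.pdf
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (RENAME|WRITE|DELETE) (\S+)(?: -> (\S+))?$")


def parse_line(line):
    """Return (timestamp, host, operation, old_path, new_path) or None for a malformed record."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, host, op, old, new = m.groups()
    try:
        return datetime.fromisoformat(ts), host, op, old, new
    except ValueError:
        return None


def extension_changed(old_path, new_path):
    """True when a rename alters the file extension (a normal edit keeps it)."""
    return os.path.splitext(old_path)[1].lower() != os.path.splitext(new_path)[1].lower()


def find_suspect_hosts(lines, window=timedelta(seconds=60), threshold=5):
    """Sliding-window count of extension-changing renames per client host.

    Returns {host: peak count} for every host that reached `threshold` such
    renames inside any `window`; ordinary renames and writes are ignored.
    """
    recent = defaultdict(deque)  # host -> timestamps of qualifying renames in the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, op, old, new = rec
        if op != "RENAME" or new is None or not extension_changed(old, new):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[host] = max(flagged.get(host, 0), len(q))
    return flagged


if __name__ == "__main__":
    for host, peak in find_suspect_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"isolate {host}: {peak} extension-changing renames inside 60 s")
```

Run against the constructed sample, only `WS-HR-02` is flagged; the two renames from `WS-FIN-03` stay under the default threshold, and the `minutes_draft` to `minutes_final` rename is ignored because the extension is unchanged. The threshold and window are deliberately parameters: on a busy share you would raise them to stay above the normal rename rate, and the host that trips the check is the one to pull off the network before you disconnect the shares themselves.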