LabCorp contained the attack within 50 minutes, says they’re at about 90-percent operational capacity
It’s all over the news. Steve Ragan at CSO has the best “executive summary”:
The Samsam ransomware attack on Labcorp, one of the largest clinical labs in the US, forced their systems offline; however, they were able to contain the spread and prevent a data breach.
In between detection and mitigation, thousands of systems and several hundred production servers were encrypted by the ransomware.
LabCorp disclosed the ransomware infection via an 8-K filing with the SEC, at which time the greater community began to hear about the infection on Monday. As recovery efforts continue, the company has said that they are 90 percent operational.
The Samsam attack at LabCorp started at midnight on July 13, according to investigators.
The LabCorp SOC (Security Operation Center) immediately took action after that first system was encrypted, alerting IR teams and severing various links and connections.
Before “the attack was fully contained, 7,000 systems and 1,900 servers were impacted. Of those 1,900 servers, 350 were production servers.” The quick action of the LabCorp SOC team ultimately helped the company contain the spread of the infection and neutralize the attack within 50 minutes.
Five Things You Can Do About This Right Away:
1) Ensure that your backups are tested and operational. Test restoration initially, annually and when IT infrastructure changes.
2) Scan your network to identify any open RDP ports and ideally disable RDP completely on all Windows machines if possible. By default, the server listens on TCP port 3389 and UDP port 3389.
3) Best practice to protect a network from a brute force RDP attack is to apply strong RDP security settings, including limiting or disabling access to shared folders and clipboards from remote locations.
4) An RDP brute force attack also exposes the attacker’s information to the targeted network, because every logon attempt is recorded in the Windows Security event log. Automate the parsing of those Event Viewer logs to find any compromised user accounts, identify the IP address of the attacker and block it.
5) If you haven’t done so already, contact us to conduct a Free Phishing Security Test and find out what percentage of your users are Phish-prone. Today’s IT professionals need an easy-to-manage email security solution that protects against phishing, malware, and ransomware. Along with multi-layer email security, the Barracuda Email Security Service provides email continuity and data loss prevention. Contact us using the online form or on 1300 326 748 to discuss how we can help you mitigate ransomware and malware infections.
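Item 4 above, worked through as an added example that is not part of the original post or of the CSO coverage: it assumes the Windows Security log has been exported one event per line as EventID,LogonType,TargetUserName,IpAddress (fields carried by events 4624 and 4625), uses constructed sample records, and treats the failed-logon threshold of 5 as an assumption to tune per environment.

```python
"""Defender-side triage of RDP brute-force attempts from a Windows Security
log export (4625 = failed logon, 4624 = successful logon, LogonType 10 =
RemoteInteractive, i.e. RDP). All sample records below are constructed."""
from collections import Counter

# Constructed export, one event per line: EventID,LogonType,TargetUserName,IpAddress
SAMPLE_EVENTS = """\
4625,10,administrator,203.0.113.7
4625,10,administrator,203.0.113.7
4625,10,admin,203.0.113.7
4625,10,backup,203.0.113.7
4625,10,backupadmin,203.0.113.7
4624,10,backupadmin,203.0.113.7
4625,10,jsmith,198.51.100.4
4624,10,jsmith,10.0.0.12
4624,2,svc_batch,-
"""
FAILED, SUCCESS, RDP = 4625, 4624, 10

def parse_events(text):
    """Turn the CSV-style export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event_id, logon_type, user, ip = line.split(",")
            events.append({"id": int(event_id), "type": int(logon_type),
                           "user": user.lower(), "ip": ip})
    return events

def bruteforce_sources(events, threshold=5):
    """Source IPs with at least `threshold` failed RDP logons (4625, type 10)."""
    fails = Counter(e["ip"] for e in events
                    if e["id"] == FAILED and e["type"] == RDP and e["ip"] != "-")
    return {ip: n for ip, n in fails.items() if n >= threshold}

def compromised_accounts(events, suspect_ips):
    """Accounts with a successful RDP logon (4624, type 10) from a suspect IP:
    disable and reset these first."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["id"] == SUCCESS and e["type"] == RDP and e["ip"] in suspect_ips})

def block_rule_commands(suspect_ips):
    """Windows Firewall inbound block rule (netsh) for each attacking IP."""
    return [f'netsh advfirewall firewall add rule name="Block RDP brute force {ip}" '
            f'dir=in action=block remoteip={ip}' for ip in sorted(suspect_ips)]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    ips = bruteforce_sources(evs)
    print(ips, compromised_accounts(evs, ips), *block_rule_commands(ips), sep="\n")
```

On a live host the same fields can be pulled with Get-WinEvent on the Security log and exported to this layout; the successful logon from a flagged source is the signal that a password was guessed, not just attempted.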