Large hospital suffers crippling ransomware attack

02 December 2016 by Michael Nuncic

Ransomware is quickly becoming one of the most talked-about topics in the technology industry today, because the number of these extortion attacks has increased dramatically this year, with cyber criminals targeting everyone from individuals to companies and government organisations. According to the Internet security provider Kaspersky, the total number of users attacked by ransomware rose by almost 18 percent between April 2015 and March 2016. It is also noteworthy that the share of those victims hit by encrypting ransomware (cryptors, as opposed to simple screen-lockers) rose by about 25 percentage points over the same period, so it's no wonder some experts are already naming 2016 the "Ransomware Year".

Someone call a data doctor

In this post we'll look at a particular case: a large hospital in Germany that was hit with a ransomware attack. The 'Locky' malware involved had severe effects and many servers were rendered out of action. In addition, core hospital operations became severely limited because the IT staff powered down the non-infected servers to prevent further infection. This is a significant problem with highly complex virtualised storage systems: an abrupt loss of power can cause unexpected problems, and the damage it does can be worse than the infection it was meant to contain.

This was unfortunately the case with a Dell EqualLogic PS6500ES storage array used by the hospital, which contained a total of 148 enterprise hard disks with 100 gigabytes of space each. When the array was powered back on, the employees noticed that a LUN holding two important Oracle databases was no longer displayed by the system and was therefore no longer available. After the hospital's IT staff and the Dell support team were both unable to solve this complex problem, the specialists at Kroll Ontrack were called in.

Dealing with corruption

First, a bit of background on the situation. A Dell EqualLogic PS6500ES system consists of shelves of disks, usually 16 or 48 drives per shelf, which are organised into RAID 5 or RAID 50 sets (subarrays). LUNs are created by the system and fragmented (i.e. distributed in pages) over all subarrays, so reading a LUN back requires both an intact RAID layout and an intact page map. The analysis of the system revealed that out of the 7 shelves with 148 hard disks in total, 3 shelves consisting of 80 hard disks contained the required LUN and the missing Oracle databases. However, many of the mappings of the data fragments distributed over these disks were either corrupted or no longer available, so assigning the fragments to their place in the LUN was very challenging. Mapping in an EqualLogic PS system also uses proprietary logic, so the links are not easy to locate.

In order to find the mapping links, Kroll Ontrack called in specialists from the USA to participate in the project and also developed new software tools that would ultimately solve the linking and corruption problems in both RAID and LUN addressing. With the help of the new tools, the data recovery engineers were finally able to correctly reconstruct the RAID 5 and RAID 50 sets and make the LUN visible again. Within this LUN was a virtual hard disk (a VMDK file), whose NTFS file system in turn contained the two Oracle databases. Thus two additional layers, the VMDK and the NTFS volume inside it, had to be identified and restored within the LUN before the databases could be exported.
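The layering described in the two paragraphs above (RAID 5 subarrays underneath, a LUN whose pages are scattered over several subarrays via a map, and a recovery that has to rebuild the map where it is lost) can be modelled in a few dozen lines. The following is an added illustration, not Kroll Ontrack's tooling and not Dell's on-disk format: the page layout, the rotating-parity scheme, the per-page header carrying a page number and CRC, and the sample LUN contents are all constructed for this example. It shows why a single failed disk is harmless (rebuilt from parity) while a lost map entry makes a page unreachable until the map is reconstructed from metadata inside the pages themselves.

```python
"""Toy model of the three layers the recovery had to reconstruct:
RAID 5 subarrays with rotating parity, a page map spreading one LUN's
pages over several subarrays, and repair of a lost map entry from
per-page metadata. Illustrative format only (ASSUMPTION), not the
EqualLogic on-disk layout and not the recovery tools described above."""
import struct
import zlib

CHUNK = 32                  # bytes per RAID chunk == one LUN page (toy size)
HDR = struct.Struct("<II")  # page header: (page number, crc32 of payload)
PAYLOAD = CHUNK - HDR.size  # 24 bytes of user data per page


def xor(*chunks):
    """XOR any number of equal-length byte strings (RAID 5 parity)."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def parity_disk(stripe_no, ndisks):
    """Rotating parity: stripe 0 keeps parity on the last disk, then moves left."""
    return (ndisks - 1 - stripe_no) % ndisks


def raid5_write(chunks, ndisks):
    """Lay CHUNK-sized chunks over ndisks; returns one chunk list per disk."""
    per_stripe = ndisks - 1
    nstripes = -(-len(chunks) // per_stripe)
    padded = chunks + [bytes(CHUNK)] * (nstripes * per_stripe - len(chunks))
    disks = [[] for _ in range(ndisks)]
    for s in range(nstripes):
        data = padded[s * per_stripe:(s + 1) * per_stripe]
        p = parity_disk(s, ndisks)
        it = iter(data)
        for d in range(ndisks):
            disks[d].append(xor(*data) if d == p else next(it))
    return disks


def raid5_read(disks):
    """Return the data chunks in order; a disk given as None is rebuilt from parity."""
    ndisks = len(disks)
    present = [d for d in disks if d is not None]
    if len(present) < ndisks - 1:
        raise ValueError("RAID 5 survives only one missing disk per subarray")
    out = []
    for s in range(len(present[0])):
        stripe = [None if d is None else d[s] for d in disks]
        if None in stripe:  # rebuild the missing chunk (data or parity) from the rest
            stripe[stripe.index(None)] = xor(*(c for c in stripe if c is not None))
        p = parity_disk(s, ndisks)
        out.extend(c for i, c in enumerate(stripe) if i != p)
    return out


def make_pages(data):
    """Split LUN contents into self-describing pages: header + payload."""
    pages = []
    for n, off in enumerate(range(0, len(data), PAYLOAD)):
        body = data[off:off + PAYLOAD].ljust(PAYLOAD, b"\0")
        pages.append(HDR.pack(n, zlib.crc32(body)) + body)
    return pages


def build_lun(data, nsub, ndisks):
    """Distribute the LUN's pages round-robin over nsub RAID 5 subarrays.
    Returns (page_map, subarrays) with page_map[n] = (subarray, chunk index)."""
    per_sub = [[] for _ in range(nsub)]
    page_map = []
    for n, pg in enumerate(make_pages(data)):
        sub = n % nsub
        page_map.append((sub, len(per_sub[sub])))
        per_sub[sub].append(pg)
    return page_map, [raid5_write(chunks, ndisks) for chunks in per_sub]


def read_lun(page_map, subarrays):
    """Reassemble the LUN. A None entry in page_map (lost mapping) is recovered
    by scanning every subarray for a page whose header carries that page number
    and whose CRC verifies; a map entry pointing at the wrong chunk is rejected."""
    chunks = [raid5_read(sub) for sub in subarrays]  # also rebuilds failed disks
    out = bytearray()
    for n, entry in enumerate(page_map):
        if entry is not None:
            page = chunks[entry[0]][entry[1]]
        else:
            page = next((c for sub in chunks for c in sub
                         if HDR.unpack(c[:HDR.size]) == (n, zlib.crc32(c[HDR.size:]))),
                        None)
            if page is None:
                raise LookupError(f"page {n}: map entry lost and no valid copy found")
        num, crc = HDR.unpack(page[:HDR.size])
        if num != n or crc != zlib.crc32(page[HDR.size:]):
            raise ValueError(f"page {n}: map points at a wrong or corrupt chunk")
        out += page[HDR.size:]
    return bytes(out)


def demo():
    """Constructed scenario: one failed disk plus one lost map entry, both recovered."""
    data = b"".join(b"oracle-block-%03d" % i for i in range(30))  # 480 B = 20 pages
    page_map, subarrays = build_lun(data, nsub=3, ndisks=4)
    subarrays[1][2] = None                    # a disk in subarray 1 is gone
    damaged_map = list(page_map)
    damaged_map[5] = None                     # the mapping for page 5 is lost
    return read_lun(damaged_map, subarrays) == data


if __name__ == "__main__":
    print("recovered intact:", demo())
```

The point of the scan in `read_lun` is the one that made the real case hard: without metadata inside each page (or knowledge of the vendor's mapping logic) a lost map entry cannot be resolved by looking at the page contents, and with two disks missing from one subarray the RAID layer itself is unrecoverable, which is exactly the situation an uncontrolled power-off can create.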

Back up and running

In the end the engineers were able to extract and restore the second Oracle database as well, before delivering everything to the customer by courier. With the data from Kroll Ontrack, the IT staff repopulated the Dell system and brought it back to its original state, so that the important hospital systems could be brought back online again.

This data recovery project shows very clearly that when struck by a ransomware attack it is imperative to know exactly how to react. For this reason, it is advisable to adapt your disaster recovery and business continuity plans to the specific server and storage infrastructure you run, so you are well prepared if a ransomware attack occurs. Whilst taking systems off the grid as quickly as possible can stop the spread of the malware, it can also have severe consequences and should be carefully considered first: isolating infected hosts at the network level usually contains the spread just as well as cutting power, and a storage array should only ever be shut down through the vendor's documented procedure. Without the help of Kroll Ontrack's data recovery engineers in this case, the databases could have been lost completely. If systems have already been infected it is always a wise decision to contact a data recovery specialist like Kroll Ontrack to seek professional advice.

Have you been affected by a ransomware attack before? Let us know what happened in the comments below or tweet us @DrDataRecovery