
Per Bleeping Computer: https://www.bleepingcomputer.com/news/security/hackers-breach-network-of-labcorp-us-biggest-blood-te...

LabCorp (which sounds like the name of a company from a Robocop movie) announced on Monday that hackers breached its network over the weekend. The company declined to share any details regarding the incident (attack vector, malware used, etc.), only stating that there was no evidence of unauthorized transfer or misuse of data.

As the Bleeping Computer article points out, what makes this incident especially concerning is that it highlights how interconnected the U.S. healthcare infrastructure is. Attacks on companies like LabCorp force us to consider the risk of hackers gaining access to a much larger network of hospitals, testing facilities, etc.

LabCorp apparently took that risk seriously and shut down its entire network to determine the extent of the breach. Hopefully it's able to determine the source of the infection and take proper steps to ensure it doesn't happen again.

UPDATE 7/19/18: Attack vector and ransomware confirmed

Surprise, surprise, according to Steve Ragan at CSO, this was a SamSam ransomware attack conducted via a brute-force RDP attack. The group behind SamSam have been incredibly active this year (they're the group that infected the City of Atlanta's network in March). To learn more about what makes SamSam dangerous and different see my blog post here: https://blog.barkly.com/what-is-samsam-ransomware-2018

The first encryption activity at LabCorp was detected at 6pm on Saturday, July 14. LabCorp's security operations center (SOC) team immediately took action and contained the infection in just under an hour. Unfortunately, in that time period 7,000 systems and 1,900 servers (350 of which were production servers) were affected.

Moral of the story: We all HAVE to secure that RDP, folks. Seriously. Don't expose it to the Internet. Put it behind a firewall. Use VPNs. An RD Gateway. Something. Use 2FA, implement an account lockout policy. We have to stop the madness.



PS: These obviously weren't a bunch of noobs running things at LabCorp. They had a SOC. This stuff just gets overlooked. But it can't afford to be.
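As an added example (not code from the original post or from LabCorp), the RDP checklist above turned into an elevated PowerShell session on a single Windows host: confirm whether RDP is listening, list which inbound firewall rules allow it and from where, pin those rules to a management subnet that only VPN or RD Gateway users land in, require Network Level Authentication, set an account lockout policy, and count failed remote logons by source IP to see whether a brute-force run is already under way. The subnet 10.10.0.0/24 and the lockout values are assumptions for illustration; 2FA and the gateway itself are configured elsewhere and are not shown.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the RDP host.
# Assumption: 10.10.0.0/24 is the management network (VPN / RD Gateway egress); adjust to taste.
$ManagementSubnet = '10.10.0.0/24'

# 1. Is RDP enabled and actually listening on TCP/3389?
$tsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
$listener   = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
Write-Host "RDP enabled: $rdpEnabled; listening on 3389: $([bool]$listener)"

# 2. Which enabled inbound rules allow RDP, and from which remote addresses?
#    'Any' on a host with a public interface is exactly the exposure the post warns about.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
  ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
      Rule          = $_.DisplayName
      Profile       = $_.Profile
      RemoteAddress = ($addr.RemoteAddress -join ',')
    }
  } | Format-Table -AutoSize

# 3. Restrict every RDP rule to the management subnet (firewall / VPN / RD Gateway step).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
  Set-NetFirewallRule -RemoteAddress $ManagementSubnet

# 4. Require Network Level Authentication: credentials are checked before a session is built,
#    which removes the pre-auth attack surface a brute-forcer otherwise gets for free.
Set-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name 'UserAuthentication' -Value 1

# 5. Account lockout policy: 5 failures in 30 minutes locks the account for 30 minutes
#    (illustrative values; append /domain to change the domain policy instead of the local SAM).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 6. Has anyone already been hammering us? Failed logons (4625) over the last 24 hours,
#    network (3) and RemoteInteractive (10) logon types only, grouped by source IP.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
  -ErrorAction SilentlyContinue |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{ Ip = $d['IpAddress']; LogonType = $d['LogonType']; User = $d['TargetUserName'] }
  } |
  Where-Object { $_.LogonType -in '3', '10' -and $_.Ip -and $_.Ip -ne '-' } |
  Group-Object Ip | Sort-Object Count -Descending |
  Select-Object -First 10 Count, Name
```

Step 2 is the audit that catches the silent misconfiguration: a rule scoped to "Any" on the Public profile is what makes a box findable by a scanner in the first place. Step 6 is what a SOC would wire into an alert; a single source with hundreds of 4625s against many different TargetUserName values within the window is the brute-force pattern, and it is visible well before any encryption starts.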