GOHSEP and ESF17 held a conference call at 2pm on Wednesday, August 7, 2019.
Threat:
Ransomware attack in schools – Morehouse, Sabine, Tangipahoa, E. Carroll.
Background:
“ESF17” is a newly created ESF to coordinate actions and communications with parishes and state agencies related to cyber-attacks.
Highlights:
LSP (Louisiana State Police) Cyber Crime Unit (CCU) – collected evidence from 28 computers in the last 96 hours and identified 8 infected networks. Will continue to extract Indicators of Compromise from the evidence.
DOE – all schools still scheduled to open on time. Map on slide 6 identifies which parishes have completed assessments. State Assistance allocated in the following parishes: Morehouse, Ouachita, Tangipahoa, and Sabine. Sabine has been completed. The end-game is to get folks to the purple (issues resolved).
There are 6 phases identified as a Critical IT Task List for school districts (slide 7). 47 schools have completed all phases and received “Carbon Black” (= finished); 14 schools are in various phases of 2-5. There are a total of 69 Parish School districts.
Indicators of Compromise include the following:
· Traffic to or from Pastebin.com (104.20.209.21) in the previous two weeks
· Any Anti-Virus hits for either Trickbot or Emotet
· New Accounts created with elevated privileges
· Outbound traffic to ports 445, 447, 449, or 8082 (447, 449 and 8082 are typical Trickbot command-and-control ports; 445 is SMB, so match on any protocol, not only web traffic)
· Outbound and inbound traffic to ports 5985 (WinRM over HTTP) or 16993 (Intel AMT over TLS)
· Unusual remote connections either through RDP, LogMeIn, or TeamViewer
· Installed services with unusual names/created scheduled tasks with unusual names or paths
· Unusual files in user’s roaming directories
· Advapi32.dll (a library, not a process) being used as a hook into Explorer.exe
· The presence of ad_driver.sys in C:\Users\ADMINI~1\AppData\Local\Temp\1\
· Creation of new user accounts with broad privileges
· Odd processes, such as svchost.exe, bound to or listening on unexpected ports, including port 80
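The indicators above are the kind of thing a school district's IT staff will be asked to check quickly across many hosts. The script below is an added example, not from the bulletin and not from LSP CCU, that turns the mechanically checkable indicators into a triage pass over two constructed inputs: a few firewall/flow log lines and a flat host-inventory export (accounts, services, scheduled tasks, files, listeners). The IP address, ports, dropper path and process names are the bulletin's; the log layout, the 14-day look-back, the "standard directories" heuristic for service and task paths, and all sample data are assumptions made for the example.

```python
"""Triage constructed flow logs and a host inventory against the Ryuk/Trickbot
indicators in the bulletin. Added example; layouts and sample data are assumed."""
import re
from datetime import datetime, timedelta

# --- values taken from the bulletin's indicator list ------------------------
PASTEBIN_IP = "104.20.209.21"
OUTBOUND_PORTS = {445, 447, 449, 8082}      # outbound connections to these
BIDIRECTIONAL_PORTS = {5985, 16993}         # either direction (WinRM, Intel AMT)
DROPPER_RE = re.compile(r"\\AppData\\Local\\Temp\\1\\ad_driver\.sys$", re.IGNORECASE)
SVCHOST_PORTS = {80}                        # bulletin names port 80 explicitly

# --- assumptions made for this example --------------------------------------
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
LOOKBACK = timedelta(days=14)               # "previous two weeks" in the bulletin

# Assumed flow-log layout: "<ISO time> <in|out> <src_ip>:<sport> -> <dst_ip>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>in|out)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse_flow(line):
    """Parse one flow line; return None for lines that do not match the layout."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def flow_indicators(rec, now):
    """Names of the network indicators a single parsed flow triggers."""
    hits = []
    if now - rec["ts"] <= LOOKBACK and PASTEBIN_IP in (rec["src"], rec["dst"]):
        hits.append("pastebin-traffic")
    if rec["dir"] == "out" and rec["dport"] in OUTBOUND_PORTS:
        hits.append(f"outbound-port-{rec['dport']}")
    if rec["dport"] in BIDIRECTIONAL_PORTS:
        hits.append(f"{rec['dir']}bound-port-{rec['dport']}")
    return hits


def host_indicators(item, now):
    """Names of the host indicators one inventory record (a dict with a 'kind') triggers."""
    kind = item["kind"]
    if kind == "account":
        created = datetime.fromisoformat(item["created"])
        if now - created <= LOOKBACK and ADMIN_GROUPS & set(item["groups"]):
            return ["new-privileged-account"]
    elif kind in ("service", "task"):
        # Heuristic: persistence binaries living outside the usual install roots.
        if not item["path"].lower().startswith(STANDARD_DIRS):
            return [f"{kind}-nonstandard-path"]
    elif kind == "file":
        if DROPPER_RE.search(item["path"]):
            return ["ad_driver.sys-dropper"]
    elif kind == "listener":
        if item["process"].lower() == "svchost.exe" and item["port"] in SVCHOST_PORTS:
            return [f"svchost-listening-{item['port']}"]
    return []


def triage(flow_lines, inventory, now):
    """Return {indicator: [evidence, ...]}; unparsable flow lines are skipped."""
    findings = {}
    for line in flow_lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        for name in flow_indicators(rec, now):
            findings.setdefault(name, []).append(line.strip())
    for item in inventory:
        for name in host_indicators(item, now):
            evidence = item.get("path") or item.get("name") or f"{item['process']}:{item['port']}"
            findings.setdefault(name, []).append(evidence)
    return findings


# Constructed sample data. NOW is the date/time of the call, used as the reference point.
NOW = datetime(2019, 8, 7, 14, 0)
SAMPLE_FLOWS = [
    "2019-08-01T09:12:44 out 10.20.4.31:52011 -> 104.20.209.21:443 tcp",  # Pastebin, in window
    "2019-07-10T09:12:44 out 10.20.4.31:52012 -> 104.20.209.21:443 tcp",  # Pastebin, too old
    "2019-08-03T22:05:10 out 10.20.4.31:52100 -> 203.0.113.10:447 tcp",   # outbound C2-style port
    "2019-08-04T01:00:00 in 10.20.4.8:50000 -> 10.20.4.31:5985 tcp",       # inbound WinRM
    "2019-08-04T01:00:00 out 10.20.4.31:50001 -> 10.20.4.9:445 tcp",       # outbound SMB
    "not a flow line",
]
SAMPLE_INVENTORY = [
    {"kind": "account", "name": "svc_backup2", "groups": ["Domain Admins"], "created": "2019-08-02T03:14:00"},
    {"kind": "account", "name": "jdoe", "groups": ["Domain Users"], "created": "2019-08-02T03:14:00"},
    {"kind": "service", "name": "WinDefendUpd", "path": "C:\\Users\\Public\\wdu.exe"},
    {"kind": "service", "name": "Spooler", "path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"kind": "file", "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\1\\ad_driver.sys"},
    {"kind": "listener", "process": "svchost.exe", "port": 80},
    {"kind": "listener", "process": "svchost.exe", "port": 135},
]

if __name__ == "__main__":
    for name, evidence in sorted(triage(SAMPLE_FLOWS, SAMPLE_INVENTORY, NOW).items()):
        print(f"{name}: {len(evidence)} hit(s)")
        for e in evidence:
            print(f"    {e}")
```

Running it prints one entry per triggered indicator with the evidence lines behind it, which is the list to hand to the fusion center. Indicators that need judgement rather than pattern matching (unusual remote-tool sessions, Advapi32.dll hooking Explorer.exe, anti-virus detections) are deliberately left out; those come from the EDR and AV consoles, not from a flat export.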
ASPR TRACIE has identified resources for Cybersecurity Checklists for Healthcare Facilities:
- Resources: ASPR TRACIE
- Data Breach Investigation and Mitigation Checklist
- Best Practices for Victim Response and Reporting of Cyber Incidents
View the Update:
UFOUO_LA-SAFE_CCU_Ryuk_Indicators_Update-080719[2].pdf
Request:
Infected organizations are encouraged not to pay a ransom to criminal actors. Organizations that believe they have observed any of the above Indicators of Compromise should contact the fusion center at 1-800-434-8007 or lafusion.center@la.gov.
About the Louisiana Ambulance Alliance
The Louisiana Ambulance Alliance (LAA) is a diverse group of EMS providers who promote emergency medical transport as a distinct concern in Louisiana; serve as a forum for a unified voice for healthcare providers, public officials, healthcare workers, educators and consumers working to improve emergency medical transport in Louisiana; provide a forum for the exchange and distribution of ideas and information related to the improvement of emergency medical transport; serve as an advocate for emergency medical transport, promoting improved health status and improvements to the health system for residents of Louisiana; and encourage the development of appropriate health resources for Louisiana.
To learn more about LAA, visit www.LouisianaAmbulanceAlliance.org. For up-to-date information, news and updates, follow us on Facebook, Instagram and Twitter.