Medical center grapples with outdated tech, cryptolocker virus

Started by denishverma, Mar 14, 2023, 07:00 AM


denishverma (Topic starter)

In Asia (China), there is a very large LAN network in a medical center, consisting of approximately 7000 computers spread over four different buildings. This network is a distributed optical network without separation into VLANs, and it was designed a long time ago before modern switches were available. Due to the amount of work involved in updating the network, the peer-to-peer network was left as is.

The majority of the computers in the network have Windows XP or Windows 98 operating systems. Unfortunately, these cannot be changed because the laboratory and diagnostic programs require the older systems to function properly. Additionally, there are approximately 500 medical devices connected to the network that use the SMB protocol to send diagnostic information.

Although there are over 40 IT personnel employed by the medical center, the situation becomes complicated because some workstations are not domain members, some do not have antivirus protection, and some are not used for Internet access. If the network goes down for even one day, this could potentially result in millions of dollars in losses.

Recently, a former employee with malicious intent introduced a game server on the network, which in turn allowed a cryptolocker virus to infect the network through shared mobile LTE Internet connections. The virus has spread rapidly through the network encrypting data on both local computers and shared resources. The medical center is willing to pay the ransom requested by the hackers but has been unable to negotiate a feasible way to decrypt files daily. Unfortunately, the hackers themselves aren't able to offer much assistance in this matter either.

Overall, the situation seems bleak, with no clear solution readily apparent. It would be advisable to seek outside aid from specialized cybersecurity firms that can offer expertise and solutions, even if the cost is high. In any case, it is important to stay vigilant and maintain cybersecurity protocols to prevent further breaches.


It's not necessary for all computers in an organization to communicate with each other. Instead, proper network infrastructure should be put in place, such as routers and VLANs, in order to segregate the network and ensure that only relevant devices can communicate with each other.

Old operating systems can still be run in virtual machines, with no connection to the network. Upgrading to a modern OS on the hardware itself is also an option.

In some cases, diagnostic equipment computers may not need to connect to the network at all, and can instead operate independently. It's important to consider cybersecurity risks and take steps to mitigate them by properly segmenting and securing the network to prevent unauthorized access and potential data breaches.


Network segmentation is crucial for both tactical and strategic reasons, as it helps limit malware spread and solves the problem in the long-term.

To segment your network, replace switches with managed ones that have VLAN functionality, ACLs, DHCP snooping, and loopback detection. In case of downtime, purchasing ~6000 ports worth of switches (around 120 access switches) would be less expensive than dealing with financial and image losses.

Location determines the best way to segment the network. Certain segments that are not operational can be cut off immediately, while others may need additional resources to clean out with antivirus software. The remaining 5 admins can focus on communication, with one admin directing another to check certain IP addresses and MAC addresses.

Proper network segmentation should be a priority for any organization, particularly those that deal with sensitive data and systems. This approach can help minimize the impact of potential attacks and prevent costly downtime.
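A small planner that turns the segmentation advice above into a checkable policy, added here as an example and not part of any post in this thread. It takes a constructed inventory (hostnames, buildings, OS, role are all made up), places legacy Windows XP/98 hosts and SMB medical devices into a per-building isolated VLAN, and emits inter-VLAN ACL intent so that SMB is only allowed from those legacy VLANs to the diagnostics collector; VLAN names and the collector role are assumptions.

```python
# Added example: segmentation planner for a flat LAN (not from the thread).
# Assumptions: one isolated VLAN per building for legacy/medical gear,
# one office VLAN per building, one server VLAN holding the SMB collector.

# Constructed sample inventory: (hostname, building, os, role)
INVENTORY = [
    ("lab-b1-01", "B1", "Windows XP", "lab"),
    ("ws-b1-02", "B1", "Windows 10", "office"),
    ("analyzer-b2-01", "B2", "embedded", "medical-smb"),
    ("ws-b3-07", "B3", "Windows 98", "office"),
    ("collector-b1", "B1", "Linux", "collector"),
]

LEGACY_OS = ("Windows XP", "Windows 98")  # unsupported, cannot be upgraded
SMB_PORTS = ("tcp/445", "tcp/139")


def vlan_for(host):
    """Assign a VLAN name (assumed naming scheme) to one inventory row."""
    _name, building, os_name, role = host
    if role == "collector":
        return "VLAN-SERVERS"
    if role == "medical-smb" or os_name in LEGACY_OS:
        # Legacy OS and SMB medical devices are isolated per building so a
        # worm in one building cannot reach the same class of host elsewhere.
        return f"VLAN-LEGACY-{building}"
    return f"VLAN-OFFICE-{building}"


def plan(inventory):
    """Return {hostname: vlan} for the whole inventory."""
    return {row[0]: vlan_for(row) for row in inventory}


def acl_rules(assignment):
    """Inter-VLAN SMB intent as ordered (src, dst, service, action) tuples.

    Per source VLAN: legacy VLANs get an explicit permit to the collector
    first, then every non-server VLAN gets a deny for SMB to anywhere else.
    Order matters: first match wins when these are pushed to a switch ACL.
    """
    rules = []
    for vlan in sorted(set(assignment.values())):
        if vlan.startswith("VLAN-LEGACY-"):
            rules.append((vlan, "VLAN-SERVERS", "tcp/445", "permit"))
        if vlan != "VLAN-SERVERS":
            rules.extend((vlan, "any", svc, "deny") for svc in SMB_PORTS)
    return rules
```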


The main priority in combating a cybersecurity threat is to take immediate action and remove the threat as quickly as possible. While there may be some loss of profit, the risk of direct loss increases with every passing hour.

One possible solution is to pay the hackers and acquire their tool for treating malware, or at least gain access to documentation that identifies where the "infection" is located and how to detect it. A PX server could then be built with a Linux image capable of detecting infected machines and sending reports to a head server. Rebooting all possible machines from RE or flash drives can help eliminate the malware quickly.

For machines that are infected but contain needed information, they should be treated individually by disconnecting them from the network and refreshing them with the same PX server images. Communication with the hackers can also help develop a management tool for encryption.

It may be tempting to seek the services of a cheap integrator, but this option often yields subpar results. It's important to prioritize expertise and finding experienced professionals who are capable of handling the situation effectively.

Regardless of which approach is taken, it's important to act swiftly and decisively, even if it means shutting down the entire network temporarily. Taking proactive measures is crucial for preventing potential data breaches and minimizing the long-term impact of an attack.


In the event of a possible infection, it's important to disconnect the network wire or disable the Wi-Fi module for wireless networks since modern viruses are designed to work within networks. While a network may be required for "treatment," it's important to avoid accessing confidential data and instead download antivirus software on a separate device before transferring it to an infected computer via a USB flash drive or CD-ROM.

It's crucial to recognize that the presence of an active virus in the operating memory can complicate treatment since the virus can block antivirus websites or disguise itself from specific antivirus programs. In such cases, an additional "clean" system may be required, either by booting the system from a CD-ROM or by connecting the infected hard disk to a "clean" computer.

There are different ways to rid a computer of malware, including using ready-made antivirus tools offered by developers, such as Dr.Web CureIt!, Kaspersky Virus Removal Tool, or Microsoft Safety Scanner. However, it's important to note that even if an antivirus program is installed, it may still miss a particular virus. Thus, it's possible that treatment may require using several utilities from different manufacturers.

Overall, it's recommended to contact specialists for "treatment" in case of an infection, but it's also helpful to know how to recognize an infection and fix it oneself or reduce the risk of harm before professional help arrives.