|
Sickening posted:You should have sued them. Easy wrongful termination in there somewhere. Suing requires resources. I was in my mid twenties with ongoing health issues, massive medical and student debt, and no family ties to anyone with lawyer powers. It was easier to cut my losses and find a new job. Which is unfortunate, because I also had good cause on a sexual harassment complaint, too. But again, no resources to drag them into court with.
|
#
?
Jul 25, 2019 19:50
|
|
|
|
| # ? Apr 19, 2024 09:49 |
|
|
Sickening posted:You should have sued them. Easy wrongful termination in there somewhere.
|
|
#
?
Jul 25, 2019 21:37
|
|
|
Thanatosian posted:Given that this is in Portland, OR... not really, no. You're lucky to get unemployment in the U.S. for something like that. Even worse, it was Montana. And I worked for a civil engineering firm that mostly worked off of public contracts during the "shovel ready" years of government grants. You tell me who's gonna win that fight, the people who build roads and bridges for the state, or the woman claiming she was hard done by her boss and/or the co-worker who slopped his dick all over her leg at a Christmas party and then told her platonic male friend to gently caress her and report back because his wife wouldn't let him?
|
|
#
?
Jul 25, 2019 22:24
|
|
|
The woman would probably win?
|
|
#
?
Jul 25, 2019 22:26
|
|
|
Bigass Moth posted:The woman would probably win?  The coworker would be nominated for Chief Justice of the Supreme Court.
|
|
#
?
Jul 26, 2019 00:24
|
|
|
Since we've now sent public notices to our clients, I guess I can safely post about the fact that our primary SQL server got hosed by ransomware, resulting in a three day product outage (so far). Law enforcement and outside security specialists are involved in rectifying the issue. As a software provider to the healthcare industry, our databases are stuffed full of PHI, so this has been an ugly few days for our ops team. The one team lead has been working virtually non-stop since Tuesday night at 10:15pm, and another of our guys has been camped out in a data center two hours from the main office. I'm lower down the totem pole AND my role is internal-only, so none of this really touches me. The worst I've had to deal with is everyone in the company speculating about what the gently caress happened. I've known since Tuesday that it was a ransomware incident, but I wasn't allowed to say jack poo poo until last night's communication. Everyone's basically in meltdown mode. I'm sitting here wondering how hosed the company is at large. They SAY nothing happened to the PHI data, but I don't think I'll really know more until a formal postmortem is issued.
|
|
#
?
Jul 26, 2019 14:11
|
|
|
The good news for the company is that if it was just a ransomware attack they're probably correct in saying none of the PHI was compromised. Still sucks though, and good luck getting any of that data unencrypted. Hope they had good backups!
|
|
#
?
Jul 26, 2019 15:41
|
|
|
my cat is norris posted:primary SQL server got hosed by ransomware 
|
|
#
?
Jul 26, 2019 15:48
|
|
|
PremiumSupport posted:The good news for the company is that if it was just a ransomware attack they're probably correct in saying none of the PHI was compromised. Still sucks though, and good luck getting any of that data unencrypted. Hope they had good backups! I don't know a hell of a lot about SQL's built-in data encryption or whatever disk encryption our company is using, but it sounds like everything was encrypted to hell and back, so even if the ransomware thieves made off with anything, they'd have to figure out how to decrypt the protected data. There's going to be a formal case study in about 30 days. It'll be conducted by an outside firm. If that gets posted somewhere, I'll be sure to share it. It sounds like the whole mess is pretty interesting even if it is pretty hosed.
|
|
#
?
Jul 26, 2019 15:56
|
|
|
No one has asked the backups question yet...?
|
|
#
?
Jul 26, 2019 16:07
|
|
|
Heners_UK posted:No one has asked the backups question yet...? https://gfycat.com/uniformspecificharvestmouse-john-mcginley-zach-braff-scrubs
|
|
#
?
Jul 26, 2019 16:10
|
|
|
Heners_UK posted:No one has asked the backups question yet...? The DR connection was shut off to prevent propagation of the ransomware. We're apparently loading other back-ups into a whole new server; that was one of the first processes really started.
|
|
#
?
Jul 26, 2019 16:12
|
|
|
my cat is norris posted:our primary SQL server got hosed by ransomware  this weekend is raised in your honour.
|
|
#
?
Jul 26, 2019 16:12
|
|
|
PremiumSupport posted:The good news for the company is that if it was just a ransomware attack they're probably correct in saying none of the PHI was compromised. Still sucks though, and good luck getting any of that data unencrypted. Hope they had good backups! There's really no good news when an incident involving patient data makes it to the press.
|
|
#
?
Jul 26, 2019 16:15
|
|
|
my cat is norris posted:The DR connection was shut off to prevent propagation of the ransomware. We're apparently loading other back-ups into a whole new server; that was one of the first processes really started. Gold star!
|
|
#
?
Jul 26, 2019 16:16
|
|
|
Heners_UK posted:No one has asked the backups question yet...? We don't need no stinkin backups
|
|
#
?
Jul 26, 2019 16:17
|
|
|
This person is a sysadmin: I tell them that the reason their system is down is that the drive it’s installed on is not appearing on the server. “That’s nearly impossible, it’s in a RAID. I mean I had some disk issues this morning but it should be fine.” He shows me the raid controller software displaying a big red FAILED for one of the logical disks.
|
|
#
?
Jul 26, 2019 18:04
|
|
|
Have they figured out what they attack vector was? Because either there's something unpatched or someone's really for the high-jump with unacceptable internet usage on the network. gently caress you for reminding me of that episode  .
|
|
#
?
Jul 26, 2019 18:24
|
|
|
Neddy Seagoon posted:Have they figured out what they attack vector was? Because either there's something unpatched or someone's really for the high-jump with unacceptable internet usage on the network. Not to my knowledge. If they know, they're keeping it quiet for now. Only a handful of domain admins exist, and only domain admins can log into the server for anything more advanced than running queries against the database, so if someone hosed up they really have no excuse. At least an everyday end user can be like "idk wtf I'm doing lol."
|
|
#
?
Jul 26, 2019 20:45
|
|
|
More information was released about the ransomware. It targets Windows servers only and runs through PowerShell. It encrypts data, but doesn't capture it, read it, or send it off to anyone. The only file that remains accessible on the machine is a readme with instructions for responding to the ransom. Still nothing on how it actually got onto the server, but it sounds like we're making a full recovery. On the downside, one of our ops members got like stupid sick with stress and exhaustion!  I think everyone on the team is going to be super well-comped and given some days to recuperate once this is over, though.This is kinda drifting outside the purposes of this thread but we're all familiar enough with scope creep that I think you'll be able to forgive me.
|
|
#
?
Jul 26, 2019 22:30
|
|
|
my cat is norris posted:This is kinda drifting outside the purposes of this thread but we're all familiar enough with scope creep that I think you'll be able to forgive me. Honestly I think we're just all kinda invested in knowing what happens at this point.
|
|
#
?
Jul 27, 2019 00:19
|
|
|
my cat is norris posted:It targets Windows servers only and runs through PowerShell.  Need to know more intensifies.
|
|
#
?
Jul 27, 2019 00:48
|
|
|
Sounds like MegaCortex that popped up earlier this year.
|
|
#
?
Jul 27, 2019 01:21
|
|
|
Kyrosiris posted:Honestly I think we're just all kinda invested in knowing what happens at this point.  I don't even work in this field and I want to know how everything works out. We're rooting for you!
|
|
#
?
Jul 27, 2019 06:03
|
|
|
my cat is norris posted:This is kinda drifting outside the purposes of this thread 
|
|
#
?
Jul 27, 2019 12:11
|
|
|
Malachite_Dragon posted:We're rooting for you! I'm not  I just like seeing how bad things can get. Honestly, I think it's just the natural progression for working in a position that deals specifically with outages. It's like when a weatherman gets super excited over a giant hurricane or tornado that does a gazillion dollars in damage and makes thousands of people flee in fear. On Tuesday, our biggest data center got struck by lightning. The equipment was fine, but the resulting power surge caused every AC unit to shut down, and we couldn't get them to start up again until a bunch of safety features were bypassed. Within 30 minutes, the entire building was hotter than the surface of the sun and everything shut down. I'm unreasonably disappointed that I wasn't there when it happened, because I get this weird giddy feeling during major service outages. The bigger, the better. My exciting role the next day was fixing the terribly documented ticket, figuring specific customer impacts, nailing down the timeline, and otherwise assisting the RCA. BOOOOORING
|
|
#
?
Jul 27, 2019 13:12
|
|
|
Neddy Seagoon posted:gently caress you for reminding me of that episode This. Wasn't prepared for being punched directly in the feels this morning. That loving ep.
|
|
#
?
Jul 27, 2019 15:41
|
|
|
Mustache Ride posted:Sounds like MegaCortex that popped up earlier this year. I'd think so, too, but the ransom note is missing any dumb Matrix references. One created process was cipher.exe, if that points anyone in the right direction. There was also no solution available through https://www.nomoreransom.org/en/decryption-tools.html but I'm not sure how unusual that is. my cat is norris fucked around with this message at 16:47 on Jul 27, 2019 |
|
#
?
Jul 27, 2019 16:43
|
|
|
Oh okay according to an email that went out an hour ago the ransomware variant is "Readme." Identified "malicious IPs" are based in Chicago, Frankfurt, Chicago again, Montreal, and Gdansk. Probably all VPN fuckery. my cat is norris fucked around with this message at 16:54 on Jul 27, 2019 |
|
#
?
Jul 27, 2019 16:50
|
|
|
my cat is norris posted:Oh okay according to an email that went out an hour ago the ransomware variant is "Readme." Rackspace, Hetzner, OVH probably. Don't know the Gdansk one.
|
|
#
?
Jul 27, 2019 17:25
|
|
|
Everything is due to be online again tomorrow at 6 AM. Today was spent bringing SQL and other servers back to the internet at large. I think we're through this? I hope so! Quoting some stuff from the client-facing posting, most of which makes no sense to me but I hope some of you'll find interesting: quote:The variant of ransomware is Readme. Per our forensics, as we have performed our kill chain analysis, we have observed the following indicators within the environment that we believe that the threat actor has mainly used: Sysfile64, rundll32.exe, powershell.exe.
|
|
#
?
Jul 28, 2019 23:12
|
|
|
I'm not seeing the phrase "complete wipe of all affected systems" which isn't reassuring.
|
|
#
?
Jul 28, 2019 23:27
|
|
|
Why did the kind of person to click bad email attachments have account permissions to execute anything on a database.
|
|
#
?
Jul 28, 2019 23:31
|
|
|
Methanar posted:Why did the kind of person to click bad email attachments have account permissions to execute anything on a database. C-Level and sales.
|
|
#
?
Jul 28, 2019 23:33
|
|
|
Javid posted:I'm not seeing the phrase "complete wipe of all affected systems" which isn't reassuring. Oh the affected server(s) went into the hands of forensics and security specialists. They're no longer part of our environment. Anything we've kept that had even the slightest risk of exposure has indeed been thoroughly scrubbed. Carbon Black is being installed onto everyone's machines as part of a new set of "preventative measures" or something.
|
|
#
?
Jul 29, 2019 00:45
|
|
|
my cat is norris posted:Oh the affected server(s) went into the hands of forensics and security specialists. They're no longer part of our environment. Anything we've kept that had even the slightest risk of exposure has indeed been thoroughly scrubbed. Carbon Black is pretty great for keeping 99% of the poo poo from not running. Malware infections went from 'a few per day' to 'maybe two a month' once we got it rolled out.
|
|
#
?
Jul 29, 2019 01:31
|
|
|
Depends on which carbon black they're talking about. Defense (previously known as Confer) is probably what they're talking about. Protect (previously Bit9) is the one that kills everything. The original Carbon Black is the endpoint forensics tool with the Postgres backend that doesn't scale. Ditch it all and install CrowdStrike.
|
|
#
?
Jul 29, 2019 01:53
|
|
|
Mustache Ride posted:Ditch it all and install CrowdStrike.
|
|
#
?
Jul 29, 2019 02:01
|
|
|
Mustache Ride posted:Depends on which carbon black they're talking about. Defense (previously known as Confer) is probably what they're talking about. Protect (previously Bit9) is the one that kills everything. The original Carbon Black is the endpoint forensics tool with the Postgres backend that doesn't scale. Yeah, we had bit9, and it worked pretty great.
|
|
#
?
Jul 29, 2019 02:04
|
|
|
|
| # ? Apr 19, 2024 09:49 |
|
|
my cat is norris posted:They're no longer part of our environment. I hope you're not suggesting the front fell off.
|
|
#
?
Jul 29, 2019 02:07
|
|
