Type of Attack: Ransomware
Company Size: 300 employees
Threat actors exploited unpatched vulnerabilities in the client's on-premises Microsoft Exchange server to gain network access, then compromised a user account to obtain domain credentials. After exfiltrating data from the client's network, they deployed ransomware. Because the company's network was flat, everything was encrypted, including the company's backups, even though they were stored on three separate LUNs in the storage area network. Separate LUNs separate storage, not access: once the attacker held domain credentials, the backup volumes were reachable and writable like any other share. Once the network was encrypted, the threat actors left a ransom note.
The client discovered the attack the following morning when employees could not log in and its remote management software would not connect. On site, the client learned that the entire company was down, with no access to files, email, imaging software, or electronic medical records (EMR). It is important to note that the client did not have cyber insurance.
What We Did
Blue Team Alpha incident responders established containment by deploying our purpose-built detection and response tooling on machines that were not fully encrypted. We disconnected the company's internet at the firewall so the threat actor could neither reach their tooling nor use any remaining persistence mechanisms to regain entry. We then removed all persistence mechanisms, located and eradicated indicators of compromise (IOCs), and rebuilt the company's core network, including the domain controllers and Active Directory.
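The persistence sweep described above is, in practice, a per-host triage of the places Windows malware commonly installs itself. The script below is an added example, not Blue Team Alpha's tooling; it enumerates those locations on one host and writes a CSV for review. It reports only and removes nothing, because removal is a deliberate, reviewed step. The path filters (anything outside \Windows\ or \Program Files) are a triage heuristic, not a definition of malicious; legitimate third-party software will show up and has to be recognised by the responder.

```powershell
# Added example: enumerate common Windows persistence locations on one host.
# Run in an elevated PowerShell session. Nothing is removed; results are
# written to a CSV for review and for use as a baseline on other hosts.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Command)
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
}

# 1. Registry Run / RunOnce keys (machine-wide, 32-bit view, and current user)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties
            if ($p.Name -notmatch '^PS') { Add-Finding 'Registry Run key' "$key\$($p.Name)" "$($p.Value)" }
        }
    }
}

# 2. Enabled scheduled tasks whose action does not live under the Windows directory
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -and $a.Execute -notmatch '^(%SystemRoot%|%windir%|C:\\Windows\\)') {
            Add-Finding 'Scheduled task' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)".Trim()
        }
    }
}

# 3. Services whose binary is outside \Windows\ or \Program Files
Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.PathName -and $_.PathName -notmatch '\\Windows\\|\\Program Files'
} | ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

# 4. Permanent WMI event subscriptions (fileless persistence that survives reboots)
$ns = 'root\subscription'
Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI event filter' $_.Name $_.Query }
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI command-line consumer' $_.Name $_.CommandLineTemplate }
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI script consumer' $_.Name $_.ScriptText }

# 5. Members of the local Administrators group (attacker-added accounts show up here)
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Local Administrators member' $_.Name "$($_.PrincipalSource)" }

$findings | Sort-Object Source, Name | Format-Table -AutoSize
$findings | Export-Csv -Path "$env:COMPUTERNAME-persistence.csv" -NoTypeInformation
```

Run it on every surviving host and diff the CSVs against a known-clean build; an entry that appears on the compromised print server but on no clean host is the first thing to pull apart.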
While on site, we identified limited access to backups of some data, including the company's EMR. Unfortunately, all the medical imaging data was on an encrypted LUN that was inaccessible because of the encryption event, and this data was critical to the business's survival. Because the client did not have valid backups for most of its data, Blue Team Alpha assisted the client with OFAC sanctions clearance (confirming the threat actor was not a sanctioned entity before any payment), ransom negotiation, and payment for the decryption key. Blue Team Alpha negotiated the ransom down 75% from the initial ask. Once the decryptor was received, responders decrypted the remaining servers in the environment, threat hunted for any IOCs or persistence mechanisms, installed Carbon Black for endpoint detection and response, and returned the client to the network. Next, we decrypted the imaging data, allowing the EMR and imaging software to communicate again. At this point, doctors and medical professionals had regained access to medical records and imaging.
Along the way, we ensured everything was up to date with all necessary patches. Where a component was end-of-life (EOL), we upgraded it to a supported version; this meant rebuilding several servers on supported operating systems and restoring their business services. We also restored the print servers and reset the KRBTGT account password several times so that any forged Kerberos tickets (golden tickets) the threat actor had minted were invalidated and Active Directory could no longer be manipulated with them. Since Microsoft Exchange was out of date and the client was already planning a transition to O365, we migrated the client off Exchange and shut it down. Backups were re-established, and we verified that two-factor authentication was working for email and VPN access.
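The KRBTGT reset described above has a procedure that matters: a domain controller accepts tickets encrypted under both the current and the previous KRBTGT key, so a single reset does not invalidate a golden ticket forged with the original key; it takes two. Resetting twice in quick succession, however, also invalidates every legitimate ticket issued under the original key and logs the whole company out, so the second reset should wait at least the maximum user ticket lifetime (10 hours under the default Kerberos policy) after the first has replicated to all domain controllers. The script below is an added example, not Blue Team Alpha's procedure; it assumes the RSAT ActiveDirectory module, Domain Admin rights, and the default 10-hour ticket lifetime (the `-MinHoursBetweenResets` parameter and the `Wait-KrbtgtReplicated` helper are this example's own, not part of any Microsoft tooling). It only makes sense after the attacker has been evicted; an attacker still holding domain admin access can simply dump the new key.

```powershell
# Added example: two-phase KRBTGT reset with replication and timing checks.
# Usage:  .\Reset-Krbtgt.ps1 -Phase First    (then wait >= MinHoursBetweenResets)
#         .\Reset-Krbtgt.ps1 -Phase Second
param(
    [ValidateSet('First', 'Second')][string]$Phase = 'First',
    # Assumption: default Kerberos policy "Maximum lifetime for user ticket" = 10 hours.
    [int]$MinHoursBetweenResets = 10
)
Import-Module ActiveDirectory

function Get-KrbtgtPasswordLastSet {
    (Get-ADUser -Identity krbtgt -Properties PasswordLastSet).PasswordLastSet
}

function Reset-KrbtgtPassword {
    # A random 32-character password. Nobody ever needs to know it; only the change matters.
    $pool = [char[]](33..126)
    $plain = -join (1..32 | ForEach-Object { Get-Random -InputObject $pool })
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $secure
    Get-KrbtgtPasswordLastSet
}

function Wait-KrbtgtReplicated {
    # Polls every writable DC until all report the same PasswordLastSet for krbtgt.
    param([int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    do {
        $stamps = foreach ($dc in $dcs) {
            (Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet).PasswordLastSet
        }
        $converged = ($stamps | Sort-Object -Unique).Count -eq 1
        if (-not $converged) { Start-Sleep -Seconds 30 }
    } until ($converged -or (Get-Date) -gt $deadline)
    return $converged
}

if ($Phase -eq 'Second') {
    # Refuse to run the second reset until legitimate tickets from before the first
    # reset have had time to expire; otherwise every user and service is logged out.
    $age = (Get-Date) - (Get-KrbtgtPasswordLastSet)
    if ($age.TotalHours -lt $MinHoursBetweenResets) {
        throw ("Only {0:N1} h since the previous krbtgt reset; wait until {1} h have passed." -f
               $age.TotalHours, $MinHoursBetweenResets)
    }
}

$stamp = Reset-KrbtgtPassword
if (-not (Wait-KrbtgtReplicated)) {
    throw 'krbtgt password has not replicated to every writable DC; investigate replication before continuing.'
}
Write-Host "$Phase krbtgt reset complete and replicated (PasswordLastSet = $stamp)."
if ($Phase -eq 'First') {
    Write-Host "Run again with -Phase Second after at least $MinHoursBetweenResets hours."
}
```

After the second reset, monitor the domain controllers for Kerberos pre-authentication and TGS failures (events 4771 and 4769 with failure codes): a burst from a single host is either a service with a stale ticket or the attacker's forged ticket being rejected, and both are worth looking at.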
Incident responders also communicated with the threat actor to determine what client information they had taken. Throughout the restoration, responders performed forensic analysis across the environment to determine the attacker's point of entry. We determined that the threat actor gained initial access through the email environment and then used the print server as a jump box for lateral movement.
Commonly cited industry figures put ransomware recovery at around 21 days. It took us five calendar days, only three of them business days, to get the EMR back online so the client could restore business operations and resume patient appointments. Because of this, the business survived and both financial and reputational damage was contained. The client retained breach counsel to address personal information notification obligations.
The organization’s network was down for three business days. It could not see patients during that time due to the lack of access to electronic medical records and scheduling information.
The ransom, paid in the six figures, covered both the decryptor and the data extortion component (the threat actor's agreement not to release the exfiltrated data).
Vulnerability management programs are crucial. It is imperative to ensure the timely patching and updating of all networking equipment, servers, and desktop hardware to limit the number of potentially exploitable vulnerabilities. In this case, the unpatched Exchange server was the attacker's way in.
Network segmentation is the foundation of protection inside the network. Had proper network segmentation and firewall rules been in place, the attack could have been contained to the initial attack vector, the email servers. Instead, because the network was flat, the attacker was able to move laterally with ease once inside the environment. In this case, the organization should have separate, firewalled segments for Active Directory, Exchange, EMR, data, backups, office administration, medical devices, and patient room computing devices, with only the specific ports each segment needs to reach the others allowed between them.
Cyber insurance is a must. Since the client did not have cyber insurance, it paid out of pocket for everything, increasing the overall cost to its business.
Organizations need secure offsite, air-gapped backups that threat actors cannot encrypt or delete. Such backups remain protected even if the attacker obtains the company's admin credentials, as happened here. Air-gapped backups should be sufficient to restore the company's entire network if all else fails, and restores should be tested regularly so that this is known, not assumed.