
Deception Technology Derails Ransomware Attack on Regional Healthcare Provider

Cybersecurity & Privacy - Malware Protection
Cybersecurity & Privacy - Network Security
Cybersecurity & Privacy - Security Compliance
Healthcare & Hospitals
Business Operation
Intrusion Detection Systems
Predictive Maintenance
Remote Asset Management
Cybersecurity Services
System Integration
The hospital’s existing security controls did not provide enough actionable intelligence or alerts to mitigate current and future attacks. The security team learned of attacks from end users, or by seeing ransomware encrypting critical data on their network shares. Responding to this particular attack was very resource intensive: the team had to manually quarantine and remediate each infected endpoint and then check the local network shares for encrypted files. The team did not obtain the attack forensics they needed to quickly analyze the malware and deal with its polymorphic nature. Manual remediation was extremely problematic because gathering attack information and responding to the infected systems took significant time. The incident response approach was resource intensive and reactive rather than proactive. The security team lacked confidence that an attack they had mitigated would not reoccur; they did not know if they had truly stopped it.
The customer is a regional healthcare provider based in New England, United States. Like many healthcare organizations, they have experienced numerous ransomware attacks. The organization is responsible for managing sensitive patient data and ensuring the continuous operation of their healthcare services. Given the critical nature of their operations, any disruption caused by ransomware can have severe consequences, including the potential loss of critical data and damage to their brand reputation. The healthcare provider has a large network infrastructure that includes multiple endpoints and servers, making it a prime target for cyberattacks. The security team at the healthcare provider is tasked with protecting this infrastructure and ensuring that any threats are quickly identified and mitigated to prevent operational disruptions.
To resolve this challenge, the healthcare provider chose a new approach that provided early attack warning and intelligence on the polymorphic ransomware’s different attack methods, including the method of mutation, what C&C hosts the ransomware was contacting, and its lateral movement mechanisms. The customer used the Attivo BOTsink solution’s malware analysis engine to run extensive attack analysis and forensics to understand how the attack was propagating, communicating, and mutating. To gain this information, the security team loaded the malware onto the BOTsink solution’s attack analysis engine, which unpacked and detonated the sample inside its secure sandbox. The security team saw the processes the malware dropped, the C&C hosts it contacted, and the methods of lateral movement it used. The team safely and confidently conducted this analysis because the malware analysis sandbox isolated all outbound traffic to a dedicated connection, preventing samples from infecting other machines in the customer’s infrastructure. Additionally, since the malware analysis sandbox recorded all network traffic, the security team captured the polymorphic instructions the malware used to change its signature every few hours, using the information to update prevention systems to block infections from occurring within other parts of the network.
The Attivo ThreatDefend™ Platform provided information that security devices could not.
The Attivo BOTsink solution’s analysis engine provided detailed attack forensics and substantiated, actionable alerts that allowed the customer to secure their enterprise by blocking the C&C IPs and applying group policies to shut down the malware’s method of east-west movement.
They also flagged the file hashes of the original and subsequently mutated files in their endpoint solution, preventing a wide-scale ransomware attack.
The security team drastically reduced their incident response time.
The healthcare organization saved the ransom they would have needed to pay to recover their critical data.
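The workflow described above, from sandbox detonation output to C&C block rules, endpoint hash lists and the list of internal hosts the sample tried to reach over SMB, is illustrated by the following added example. It is not code from the case study or from Attivo, and it does not use the BOTsink report schema: the report shape, its field names (`dropped_files`, `network`, `dst_ip`, `dst_port`, `domain`), the port-based heuristic for separating lateral movement from C&C traffic, and the sample hosts, addresses and payload bytes are all constructed for the example. Hashes are computed from the constructed payload bytes, so two detonations of a mutated variant yield two hashes while the shared C&C host is deduplicated.

```python
"""Turn sandbox detonation reports into block-list artefacts.

Constructed example: the report format is a simplified, assumed shape, not a
vendor schema. All hosts, IPs and payload bytes below are made up.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 1918 ranges treated as "internal" for this example (explicit list, so
# documentation ranges such as 203.0.113.0/24 are not misclassified as private).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports that, when contacted on internal hosts, suggest east-west movement
# rather than command-and-control (assumed heuristic for this example).
LATERAL_PORTS = {135, 139, 445, 3389, 5985}


@dataclass
class Indicators:
    file_hashes: set = field(default_factory=set)      # SHA-256 of dropped files
    c2_hosts: set = field(default_factory=set)         # external (host, port)
    lateral_targets: set = field(default_factory=set)  # internal (ip, port)


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def extract_indicators(report: dict, acc: Optional[Indicators] = None) -> Indicators:
    """Merge one detonation report into an Indicators accumulator."""
    if acc is None:
        acc = Indicators()
    for dropped in report.get("dropped_files", []):
        acc.file_hashes.add(hashlib.sha256(dropped["content"]).hexdigest())
    for conn in report.get("network", []):
        dst, port = conn["dst_ip"], conn["dst_port"]
        if is_internal(dst):
            if port in LATERAL_PORTS:
                acc.lateral_targets.add((dst, port))
        else:
            acc.c2_hosts.add((conn.get("domain") or dst, port))
    return acc


def render_blocklists(ind: Indicators) -> Dict[str, List[str]]:
    """Produce the artefacts a team would push to its prevention systems."""
    return {
        "edr_hash_list": sorted(ind.file_hashes),
        "egress_deny": sorted(f"deny tcp any {h} {p}" for h, p in ind.c2_hosts),
        "smb_policy_targets": sorted(f"{ip}:{p}" for ip, p in ind.lateral_targets),
    }


def build_from_reports(reports: List[dict]) -> Dict[str, List[str]]:
    """Fold several detonations of one family into a single set of artefacts."""
    ind = Indicators()
    for r in reports:
        extract_indicators(r, ind)
    return render_blocklists(ind)


# Two constructed detonations of the same polymorphic family: the dropped
# payload differs (new hash each time) but the C&C infrastructure is shared.
SAMPLE_REPORTS = [
    {
        "dropped_files": [{"path": "C:\\Users\\Public\\svc.exe", "content": b"variant-A-bytes"}],
        "network": [
            {"dst_ip": "203.0.113.10", "dst_port": 443, "domain": "c2.example.invalid"},
            {"dst_ip": "10.0.5.21", "dst_port": 445},
            {"dst_ip": "10.0.5.22", "dst_port": 445},
        ],
    },
    {
        "dropped_files": [{"path": "C:\\Users\\Public\\svc.exe", "content": b"variant-B-bytes"}],
        "network": [
            {"dst_ip": "203.0.113.10", "dst_port": 443, "domain": "c2.example.invalid"},
            {"dst_ip": "198.51.100.7", "dst_port": 8080},
            {"dst_ip": "10.0.5.21", "dst_port": 80},  # internal web traffic, not lateral
        ],
    },
]


if __name__ == "__main__":
    for name, entries in build_from_reports(SAMPLE_REPORTS).items():
        print(name)
        for e in entries:
            print("  ", e)
```

The accumulator pattern is the point: a polymorphic sample re-detonated every few hours produces a growing hash list for the endpoint tool, while the egress deny list stays small because the C&C hosts repeat. Internal connections on non-lateral ports (the port 80 entry) are deliberately ignored so that ordinary intranet traffic observed in the sandbox does not end up in a group policy.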