
How a Rapid Response Helped Thwart an Active Ransomware Attack

A ransomware attack reminded me of very valuable lessons that every organization needs to incorporate into its security DNA

Early this year, when an executive at a hospital called our Incident Response (IR) team, he had yet to realize that his organization was confronting an active ransomware attack. Symantec Endpoint Protection (SEP) and his internal team had flagged as suspicious some files carrying a four-letter file name, he explained, and multiple attempts to remove them had failed.

He told me the file name and my heart sank. Less than a week earlier, I’d seen a half-dozen companies in different industries fall victim to ransomware files consisting of the same four letters. In this instance, however—and in large part because the executive reached out to our incident response team right away—we succeeded in thwarting the attack while it was underway.

I advised a temporary Internet shutdown and deployed the cloud-based, AI-enhanced Symantec Endpoint Protection 15, which quickly and easily located the threat actors’ command and control servers. They were unknown ransomware actors, operating out of South America, and we had them roped off before they could access or encrypt any of the hospital’s files or backups. Had the executive hesitated in alerting us, the consequences for his company might have been devastating, especially since a ransomware infection is considered a HIPAA violation and companies are fined heavily for such violations.

Indeed, even after our team had tested and rolled out a new endpoint protection system for the hospital, HIPAA compliance required its lawyers to run full-disk forensics on dozens of hospital workstations, amounting to essentially 9 months of work. Such inconveniences aside, preventing the ransomware infection was far preferable for the hospital to having to recover from one. I know of a similarly situated company that failed to survive an undeterred cyber attack.

It’s been close to three months since this incident played out, and as I reflect on it now, I’m struck by how well it proves three of Symantec’s best practices for cyber security, all familiar refrains that nonetheless bear repeating:

  1. Have a detailed incident response plan and be proactive in testing it.
    Less than two weeks before the attempted ransomware attack, the hospital had drilled through its incident response plan in a tabletop exercise. I’m confident that explains in part why the executive I dealt with was both swift and fluent in responding to the threat.

    Also, ensure that your business has multiple hard copies of your response plan on hand, as well as updated backups of all data, stored offline.
     
  2. Invest in best-of-breed defense tools.
    As clients of Symantec’s industry-leading Managed Security Services, the hospital and its parent benefited from the seamless engagement of both a threat-monitoring team and an incident response team. As Symantec observed in its 2019 Internet Security Threat Report, fragmented tools no longer suffice, and integrated platforms are the future.

    Granted, unlike commonly distributed software designed to detect cyber vulnerabilities, our suite of supported products and services isn’t free, but this case study illustrates the tremendous value enterprises gain when they partner with us. In my five years as a Symantec lead incident responder, I’ve seen countless other examples of how the protections we afford our clients far exceed the costs.
     
  3. When the alarm bells start ringing, don’t be afraid to call for help.
    Given that cyber crime is highly stigmatized (and ransomware especially so), it’s perfectly understandable that brand-conscious businesses often downplay their exposure to online intrusions. But in 20-plus years in the security sector, I’ve learned it’s always better to be safe than sorry.

    A seasoned incident responder will have neither time nor interest in criticizing your business for falling victim to an attack. Our job is to talk you through the situation, fend off the attack, and support you in getting the business back on track.

A final note here on trends we’re seeing in ransomware: Up until 2017, consumers were the hardest hit, but the balance has since tipped toward businesses. According to our most recent ISTR, “in 2018, that shift accelerated, and enterprises accounted for 81 percent of all ransomware infections.”

In response, Symantec has become more effective at blocking ransomware infections, both through enhanced email protections and through behavioral analysis and machine learning tools. These are substantial advances, some of which I deployed in thwarting the threat against the hospital. It’s a genuine success story, and one that proves the value of reaching out to Incident Response teams like ours early on.


About the Author

Jamie Porter

Senior Lead Investigator, Americas Incident Response, Symantec Cyber Security Services

As a lead incident response investigator, Jamie works directly with Symantec clients to help identify, contain, and eradicate increasingly sophisticated cyber threats.