Is ransomware unstoppable? No, it isn’t

ransomware 2321665 1280
This is stoppable

Chances are you’ve been hearing a lot about cyberattacks and specifically ransomware in healthcare lately. Attackers take over systems and encrypt files, demanding payment in Bitcoin. They often get away with it.

Attacks like the recent ones on Universal Health Services and ERT that make the papers are just the tip of the iceberg. No one wants to report that something like this happened to them.

Until recently, I had assumed that such attacks were really hard to stop. Some are. But it turns out there are often many ways to thwart ransomware, and often hours or even days in which to do so.

I asked security experts at Gamayan to analyze the UHS attack and was amazed that they found at least 28 ways it could be stopped. Check out the UHS ransomware case study that breaks down the attack and potential response step by step.

If you want to learn how to prevent such attacks at your organization, contact me.

Here’s the timeline of the attack:

Day 1

16:37 Bazar Malware Executed (Remote IP)

16:48 Domain discovery commands

17:06 Registry discovery commands

17:28 More domain discovery and network checks to domain controllers

17:41 AdFind used to map active directory

Day 2

18:49 checks again for domain trusts and AdFind using Bazar (FTP exfiltration to remote IP)

20:12 First lateral movement attempt with WMIC (SMB transfer, Multiple payloads tried)

20:23 P64.exe Cobalt Strike beacon run on beachhead host (Remote IP)

21:04 Second P64.exe Cobalt Strike beacon dropped on beachhead host (New remote IP)

21:09 Next lateral movement attempt via a service and PowerShell (First Successful Lateral Movement)

21:10-22:06 Continual lateral movement using Cobalt Strike beacons via SMB across the environment

21:43 Windows Defender begins to be disabled using Powershell commands

21:45 First RYUK ransomware executable transferred to the backup system (Ryuk Executed)

21:50-22:10 RYUK ransomware deployed enterprise-wide (Transferred via SMB, executed RDP commands)

—–

By healthcare business consultant David E. Williams, president of Health Business Group

October 28, 2020

Leave a Reply

Your email address will not be published. Required fields are marked *