Chances are you’ve been hearing a lot about cyberattacks and specifically ransomware in healthcare lately. Attackers take over systems and encrypt files, demanding payment in Bitcoin. They often get away with it.
Until recently, I had assumed that such attacks were really hard to stop. Some are. But it turns out there are often many ways to thwart ransomware, and often hours or even days in which to do so.
I asked security experts at Gamayan to analyze the UHS attack and was amazed that they found at least 28 ways it could be stopped. Check out the UHS ransomware case study that breaks down the attack and potential response step by step.
If you want to learn how to prevent such attacks at your organization, contact me.
Here’s the timeline of the attack:
16:37 Bazar Malware Executed (Remote IP)
16:48 Domain discovery commands
17:06 Registry discovery commands
17:28 More domain discovery and network checks to domain controllers
17:41 AdFind used to map active directory
18:49 checks again for domain trusts and AdFind using Bazar (FTP exfiltration to remote IP)
20:12 First lateral movement attempt with WMIC (SMB transfer, Multiple payloads tried)
20:23 P64.exe Cobalt Strike beacon run on beachhead host (Remote IP)
21:04 Second P64.exe Cobalt Strike beacon dropped on beachhead host (New remote IP)
21:09 Next lateral movement attempt via a service and PowerShell (First Successful Lateral Movement)
21:10-22:06 Continual lateral movement using Cobalt Strike beacons via SMB across the environment
21:43 Windows Defender begins to be disabled using Powershell commands
21:45 First RYUK ransomware executable transferred to the backup system (Ryuk Executed)
21:50-22:10 RYUK ransomware deployed enterprise-wide (Transferred via SMB, executed RDP commands)
—–October 28, 2020