Case Study #1: A Medical Practice is Hit with Ransomware

Medical practices are a prime target for ransomware attacks due to the amount of valuable data they hold. In addition to a potential ransom payment, personal data and credit card information can be sold by cybercriminals on dark web marketplace forums. Small individual and group practices may also lack comprehensive cybersecurity, making them an easy target for malicious attacks.

Ransomware frequently enters your system via a virus carried in an email attachment. It searches the computer for data to encrypt and then spreads to other computers and files on your network. The virus encrypts your data, making it unreadable and unusable. The attacker then demands an untraceable digital payment in exchange for a decryption key. The data may or may not be released after payment.

The Cybersecurity Challenge

The billing department of a medical practice received a ransomware demand on their desktop screen. The practice manager contacted their IT support person. IT shut down the network and began investigating. The practice had no access to anything on their network and switched to handwritten paper records for scheduling, clinical notes and prescription writing.

The IT support provider was not able to solve the issue and needed cybersecurity expertise to investigate and halt the attack. Cybersecurity experts determined that the virus had entered the system as an email attachment that resembled an invoice. Once it was on the computer, the virus searched for data to encrypt and then spread to the rest of the network.

Fortunately, the practice had offsite physical backup of most of the records and did not need to pay the requested ransom. The backup data was requested from storage, shipped, cleared of any remnants of the virus and then reloaded back onto the network. Unfortunately, recovery took more than a week due to the method of backup and created unexpected additional charges for recovery services.

Recovery Solutions and Lessons Learned

This practice averted devastating failure by having backup data available to reload. The cybersecurity team provided disaster response, mitigation and recovery services and then implemented updates and additional protections to lessen the risk of cyberattacks and data breaches. Many of the security products in use at the practice were unpatched and outdated and had not been reviewed for years. The team conducted a full assessment and submitted a comprehensive plan. Here are some of the changes, updates and improvements put in place:

Technical Controls:

Employee Awareness Training:

Disaster Response and Business Continuity Planning:

Monitor Staff Usage and Practices:

Insurance review:

DIGIGUARD provides comprehensive cybersecurity services and management for small and mid-sized businesses. Contact us today for more information on business protection and disaster recovery services.

Case Study #2: Phishing Attack and Employee Password Compromise

Phishing attacks are a type of social engineering attack designed to steal data, login credentials and credit card numbers. Cybercriminals masquerade as a fellow employee or other trusted entity and trick users with a malicious link. The link may be used to spread ransomware in the system or get information such as passwords and logins or credit card numbers. These attacks can have devastating results, including financial loss and damage to credit and reputation, and can also be part of a scheme to gain access to a larger partner company’s data.

The Cybersecurity Attack Challenge

An employee at a regional grocery retailer received an email from his coworker, informing him that she was sharing a document with him. He had received documents from her before, but wasn’t expecting one that day. The email was vague and had no project details, which was unusual. He clicked the link, and it opened what looked like the file-sharing site the company typically uses. He was asked to enter his login and password, then got an error message. He tried again and got another error message.

The employee contacted his manager to request a password reset and report trouble downloading a shared document. He also mentioned that he had called the coworker, and she said she had not sent him anything. The manager suspected that this was a hacking incident.

Remediation, Recovery and Awareness Training

The cybersecurity team was contacted and immediately reset everyone’s passwords. They verified that the email was a phishing attempt using a fake site. They also checked security settings for any suspicious rule changes, and informed everyone at the company about the incident. Two-factor authentication was implemented for account sign-ins, so that users are alerted to any new sign-in to their account. The security team also scheduled security awareness training and testing for this company. Employees who receive comprehensive training are better able to spot phishing attempts by learning techniques such as checking the URLs in any suspicious emails and verifying directly with the sender about anything that appears unusual.
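The "check the URL" habit described above can be turned into a simple triage step. The following is an added example, not code from the case study or from DIGIGUARD: it pulls every link out of an email body and compares the link's host against the file-sharing hosts the company actually uses, flagging the classic lookalike where a trusted hostname is merely a subdomain of an unrelated domain. The trusted hosts, the email text and every URL in it are constructed placeholders.

```python
# Added example, not part of the DIGIGUARD case study: a small link-triage
# helper that applies the "check the URL" advice. The trusted hosts, the
# e-mail body and every URL in it are constructed placeholders.
import re
from urllib.parse import urlsplit

# Constructed allow-list: the hosts of the file-sharing service the company uses.
# Assumed to be full hostnames under the company's registrable domain.
TRUSTED_HOSTS = {"files.example-corp.com", "share.example-corp.com"}

LINK_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def host_of(url: str) -> str:
    """Lowercase host of a URL; urlsplit().hostname already drops user@ and :port."""
    host = urlsplit(url.strip()).hostname or ""
    return host.lower().rstrip(".")


def classify_host(host: str, trusted=TRUSTED_HOSTS) -> str:
    """Compare a host against the trusted file-sharing hosts.

    Verdicts: 'trusted' (exact match), 'trusted-org' (same registrable
    domain), 'lookalike' (the company name is embedded in an unrelated
    domain, e.g. a trusted host used as a subdomain of someone else's
    domain), 'unknown' (no relation), 'no-host' (nothing to check).
    """
    if not host:
        return "no-host"
    if host in trusted:
        return "trusted"
    # Registrable domains of the trusted hosts, e.g. 'example-corp.com'.
    orgs = {".".join(t.split(".")[-2:]) for t in trusted}
    for org in orgs:
        if host == org or host.endswith("." + org):
            return "trusted-org"
    # Lookalike: the company label appears in the host, but the host is not
    # under the company's own domain. Hyphens are ignored so that
    # 'examplecorp-share.com' is caught as well as 'files.example-corp.com.evil.test'.
    for org in orgs:
        label = org.split(".")[0].replace("-", "")
        if label in host.replace("-", ""):
            return "lookalike"
    return "unknown"


def triage_links(email_body: str) -> list:
    """Extract every http(s) link from an e-mail body and classify it."""
    results = []
    for url in LINK_RE.findall(email_body):
        host = host_of(url)
        results.append({
            "url": url,
            "host": host,
            "verdict": classify_host(host),
            "https": url.lower().startswith("https://"),
        })
    return results


# Constructed e-mail body resembling the "shared document" lure in the case.
SAMPLE_EMAIL = """\
Hi, I shared a document with you, please review today.
Open it here: https://files.example-corp.com.docs-review.test/open?id=1182
(Our usual portal is https://files.example-corp.com/ if you need it.)
"""

if __name__ == "__main__":
    for r in triage_links(SAMPLE_EMAIL):
        ok = r["verdict"].startswith("trusted") and r["https"]
        flag = "" if ok else "  <-- do not sign in; verify with the sender"
        print(f"{r['verdict']:<12} {r['host']}{flag}")
```

The lookalike test is deliberately crude (a substring match on the company label with hyphens stripped); its purpose is to make the employee in the story pause before typing a password, not to replace mail filtering. Anything that is not `trusted` or `trusted-org`, or that is served over plain `http://`, is a reason to verify with the sender first.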

Thankfully, the employee alerted management right away, which helped prevent data theft and compromise. Management made the decision to engage the cybersecurity team to respond quickly, halt the attack and verify that no other systems were compromised. The phishing attack alerted upper management to the need for additional security training to educate staff and reduce cyber risk in this area.

DIGIGUARD is a full-service cybersecurity firm offering services from incident response to employee security assessment, training and more. Contact us today to schedule testing and training.

Case Study #3: Infrastructure Monitoring and Weak Passwords

An industrial thermostat manufacturer noticed unusual activity on the network. The cybersecurity team examined logs that indicated someone was logging in to networks and servers at unusual times using company credentials. No evidence of malware or Trojans was found. The cybercriminal logged in at will using a very weak, common password. After changing the password, the team investigated to determine whether anything was stolen and whether the attacker was still getting into the system.
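The pattern the team found in the logs, accepted logins at unusual times from an unexpected source, is easy to check for routinely. The block below is an added example and not the consultants' own tooling: it parses constructed sshd-style "Accepted" lines, flags logins outside business hours, on weekends, from outside the known office network, or using password rather than key authentication, and then pivots on the source address to show which accounts one address touched. The log format, policy values, hostnames, user names and addresses are all assumptions built for the example.

```python
# Added example, not part of the DIGIGUARD case study: flag accepted logins
# that fall outside business hours or come from outside the company's known
# networks, the kind of pattern the logs in this case revealed. The log
# format, hostnames, user names and addresses below are all constructed.
import re
from datetime import datetime

# Constructed sshd-style "Accepted ..." lines; timestamps are ISO 8601 local time.
SAMPLE_LOG = [
    "2024-03-11T08:05:12 srv-erp sshd[1203]: Accepted publickey for jsmith from 192.0.2.15 port 51234 ssh2",
    "2024-03-11T02:17:45 srv-erp sshd[1203]: Accepted password for svc-backup from 203.0.113.45 port 40211 ssh2",
    "2024-03-09T23:40:02 srv-files sshd[998]: Accepted password for jsmith from 203.0.113.45 port 40300 ssh2",
    "2024-03-11T09:30:00 srv-erp sshd[1210]: Failed password for root from 198.51.100.7 port 2222 ssh2",
    "2024-03-12T12:00:00 srv-files sshd[1001]: Accepted publickey for mlee from 192.0.2.22 port 51300 ssh2",
]

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumed policy: staff work 07:00-19:00 on weekdays, and the office/VPN
# egress sits in 192.0.2.0/24 (a documentation range standing in for the real one).
BUSINESS_HOURS = (7, 19)
KNOWN_NETWORK_PREFIXES = ("192.0.2.",)


def parse_auth_line(line: str):
    """Return the fields of an 'Accepted' login line, or None for anything else."""
    m = ACCEPTED_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["when"] = datetime.fromisoformat(event.pop("ts"))
    return event


def unusual_reasons(event: dict) -> list:
    """List the policy violations of one login event (empty list = normal)."""
    reasons = []
    start, end = BUSINESS_HOURS
    if not (start <= event["when"].hour < end):
        reasons.append("off-hours")
    if event["when"].weekday() >= 5:          # Saturday = 5, Sunday = 6
        reasons.append("weekend")
    if not event["src"].startswith(KNOWN_NETWORK_PREFIXES):
        reasons.append("outside-known-network")
    if event["method"] == "password":         # key-based auth is the expected norm
        reasons.append("password-auth")
    return reasons


def find_unusual_logins(lines) -> list:
    """Parse the log and return the accepted logins that violate the policy."""
    findings = []
    for line in lines:
        event = parse_auth_line(line)
        if event is None:
            continue                          # failed attempts and unrelated lines
        reasons = unusual_reasons(event)
        if reasons:
            findings.append({**event, "reasons": reasons})
    return findings


def accounts_per_source(findings) -> dict:
    """Map each flagged source address to the accounts it logged into, so one
    address reused across several accounts stands out."""
    out = {}
    for f in findings:
        out.setdefault(f["src"], set()).add(f["user"])
    return out


if __name__ == "__main__":
    flagged = find_unusual_logins(SAMPLE_LOG)
    for f in flagged:
        print(f"{f['when']:%Y-%m-%d %H:%M} {f['user']:<11} from {f['src']:<15} "
              f"on {f['host']}: {', '.join(f['reasons'])}")
    for src, users in accounts_per_source(flagged).items():
        print(f"{src} touched accounts: {', '.join(sorted(users))}")
```

Run against real logs, the same three questions (when, from where, with which method) are what turn "unusual activity on the network" into a concrete list of sessions to investigate, and the per-source pivot is what shows whether one credential compromise has spread to others.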

The cybersecurity experts were able to remotely image the servers and preserve the forensic data of the incident and remediation for reporting and insurance purposes. The investigation revealed that the cybercriminals stole a large amount of data by converting it into an image and hiding it on the website. They could revisit at any time to retrieve the image without logging in.

Incident Response and Recovery Objectives

The data stolen was not considered confidential or protected by regulations, so no customers or regulators had to be notified. The incident did serve to highlight cyber defense weaknesses in the company’s daily practices and infrastructure monitoring. A remediation plan was put in place by the cybersecurity consultants that included these items:

DIGIGUARD can manage cybersecurity incident response, comprehensive solutions and security policy development for SMBs. Contact DIGIGUARD today to schedule a consultation.