Setting the Scene
It was a normal week in late October for a New York-based BlackHawk Data client. With more than 4,000 remote employees, the healthcare organization was operating almost entirely outside the office.
Everything appeared to be business as usual until several alerts were triggered in their Cisco Umbrella dashboard early Thursday morning. There had been numerous attempts to access a malicious domain known to be used in an ongoing ransomware attack against healthcare providers.
The organization was new to Cisco Umbrella, and it had so far been deployed only to protect the known networks, receiving queries forwarded by the internal DNS servers. Because those forwarded queries identified the internal resolvers rather than the endpoints behind them, the infected hosts couldn't be determined; the response team could see only that a few requests per hour were reaching the domain. No other internal tools showed any indicator of infection within the network.
Identification and Response
On Friday, BlackHawk requested that all remote users connect to the VPN so that every DNS request would be routed through Cisco Umbrella. This would let us determine the scope of the problem and identify the machines attempting to connect to the domains listed in the CISA advisory (AA20-302A).
The requests soared to more than 20,000 per hour, prompting the immediate deployment of Umbrella roaming clients to all machines. The deployment of the roaming client was able to quickly identify which hosts were infected, allowing the machines to be quarantined for remediation.
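The attribution problem described above (queries forwarded by an internal resolver all look like they come from the resolver, while roaming clients carry the endpoint's own address) is illustrated here with constructed resolver log lines; this is an added example, not BlackHawk's or Cisco Umbrella's code, and the log format, the `.invalid` placeholder domains and the IP addresses are assumptions, not indicators from the advisory.

```python
"""Match DNS queries against a blocklist and attribute hits to endpoints."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed placeholders; real indicators come from CISA advisory AA20-302A.
BLOCKLIST = {"malicious-example.invalid", "c2-example.invalid"}

# Constructed log lines: "<timestamp> <source IP> <queried domain> <path>".
# path "internal-dns": query forwarded by the on-prem resolver, so the source
# IP is the resolver (10.0.0.5), not the endpoint that actually asked.
# path "roaming-client": query sent by the endpoint's own agent.
LOG_LINES = [
    "2020-10-29T06:12:01Z 10.0.0.5 malicious-example.invalid internal-dns",
    "2020-10-29T06:40:13Z 10.0.0.5 www.example.com internal-dns",
    "2020-10-29T07:03:55Z 10.0.0.5 c2-example.invalid internal-dns",
    "2020-10-30T09:15:02Z 10.20.4.17 malicious-example.invalid roaming-client",
    "2020-10-30T09:15:09Z 10.20.4.17 C2-EXAMPLE.INVALID. roaming-client",
    "2020-10-30T09:58:41Z 10.20.7.3 malicious-example.invalid roaming-client",
    "2020-10-30T10:02:00Z 10.20.7.3 www.example.com roaming-client",
]


def parse_line(line):
    """Split one log line; normalise the domain (case, trailing dot)."""
    ts, src, domain, path = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, src, domain.lower().rstrip("."), path


def blocked_hits(lines):
    """Return the parsed entries whose domain is on the blocklist."""
    parsed = (parse_line(line) for line in lines)
    return [entry for entry in parsed if entry[2] in BLOCKLIST]


def hits_per_hour(hits):
    """Count blocked queries per UTC hour (the volume the dashboard shows)."""
    return Counter(when.strftime("%Y-%m-%dT%H") for when, *_ in hits)


def attribute(hits):
    """Map endpoint IP -> blocked-query count, plus the number of hits that
    arrived via the internal resolver and therefore cannot name a host."""
    by_endpoint = defaultdict(int)
    unattributable = 0
    for _when, src, _domain, path in hits:
        if path == "internal-dns":
            unattributable += 1
        else:
            by_endpoint[src] += 1
    return dict(by_endpoint), unattributable
```

Run against the constructed lines, the Thursday hits all count as unattributable, while the Friday hits name the two endpoints to quarantine.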
Continued Security and Prevention
Although the Cisco Umbrella deployment was in its early stages, it was able to alert and block this threat, stopping the payload from being downloaded and deployed within the network. Without Umbrella, the threat would have gone unnoticed and the infection would have been widespread, most likely ending in a ransomware negotiation.
A week out from the incident, BlackHawk continued to work with the client to identify infected machines and remediate. We determined that without Umbrella’s protection, the organization would have been compromised, leaving thousands of employees without a way to serve their patients.
Our Takeaway
Witnessing this attack and working as the response team against it has left BlackHawk with more confidence than ever in this product. As a direct result of this incident, we have deployed free proofs of concept (POCs) for all of our healthcare customers.
How to Protect Your Organization
You can try this security solution completely free for 21 days when you sign up with BlackHawk Data, a certified Minority or Women Owned Business (MWBE). We will work with you to set up this non-intrusive basic protection in less than an hour. We understand how important our healthcare system is; we consider it a duty to help protect those organizations and their patients from cyber attacks.