Going for the Jugular: Anatomy of an Attack (Part Two)
Now the red team has gained access (read Part 1 to find out how), it’s time for them to collect information and live off the land. One of their first calls was to identify email servers and misconfigured service accounts.
“From this, we’ve also managed to get into the accounts of the other users. We will also set up new accounts if we gain permissions which will allow us to move around the network,” explains Tomer Nahum, an MVR who is leading the red team of hackers during this Semperis-hosted tabletop.
Often configured and then forgotten, service accounts are used to manage and update servers. Because they are designed to perform automated tasks, and often come with elevated privileges, service accounts have become attractive targets for hackers looking to compromise networks and move around laterally.
The hackers are also starting to sniff around for financial information across the network. While it’s of lower priority than patient data in healthcare, it can still help hackers decide how much to ask for during ransom negotiations.
“For defence evasion, we’re trying to stay within the boundaries of normal activity — we don’t want to draw attention to ourselves, so, to do this, we need to understand what normal activity looks like,” adds Nahum.
For the purple team charged with leading the hospital’s defences, the goal is threat detection with custom rules that they’ve built. They use tools designed to examine user behaviour and have a network detection and response (NDR) system set up that feeds into a security information and event management (SIEM) tool. This allows IR to monitor anomalies in terms of traffic, file transfers, access controls and “anything that looks like it’s leaving the organisation but shouldn’t.”
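The two ideas above, service accounts being abused for lateral movement and a SIEM rule that flags data leaving the organisation, can be expressed as simple custom detections. The following is an added example written for this article, not code from Semperis, TechInformed or the tabletop teams. It runs over constructed telemetry embedded in the script (a simplified blend of Windows logon events and per-host daily outbound byte totals); the `svc_` naming convention, the logon-type labels and the alert thresholds are assumptions chosen for the illustration.

```python
"""Two SIEM-style custom detections over constructed sample telemetry.

Rule 1: a service account appearing in an interactive logon (console or RDP)
        is out of character for an account that exists to run unattended jobs.
Rule 2: a host whose daily outbound volume jumps far above its own history is
        a candidate for data leaving the organisation that shouldn't.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real logs). Logon types follow the Windows
# convention: 2 = interactive, 3 = network, 5 = service, 10 = RemoteInteractive.
AUTH_EVENTS = [
    # (day, host, account, logon_type)
    (1, "WS01", "alice", 2),
    (1, "SRV-BK", "svc_backup", 5),
    (2, "SRV-BK", "svc_backup", 5),
    (3, "WS02", "bob", 2),
    (4, "SRV-BK", "svc_backup", 3),
    (6, "WS02", "svc_backup", 10),  # backup service account used over RDP
    (6, "WS02", "svc_backup", 2),   # ... and at the console of a workstation
]

FLOW_TOTALS = [
    # (day, host, bytes_out) as a flow collector might summarise them per day
    (1, "WS01", 48_000_000), (2, "WS01", 52_000_000), (3, "WS01", 50_000_000),
    (4, "WS01", 49_000_000), (5, "WS01", 51_000_000), (6, "WS01", 53_000_000),
    (1, "WS02", 20_000_000), (2, "WS02", 22_000_000), (3, "WS02", 19_000_000),
    (4, "WS02", 21_000_000), (5, "WS02", 23_000_000), (6, "WS02", 4_800_000_000),
]

SERVICE_PREFIX = "svc_"           # assumed naming convention for service accounts
INTERACTIVE_TYPES = {2, 10, 11}   # console, RDP, cached interactive


def service_account_interactive_logons(events):
    """Rule 1: return every interactive logon performed by a service account."""
    return [
        {"day": day, "host": host, "account": account, "logon_type": logon_type}
        for day, host, account, logon_type in events
        if account.startswith(SERVICE_PREFIX) and logon_type in INTERACTIVE_TYPES
    ]


def outbound_volume_anomalies(flows, min_baseline_days=3, z_threshold=3.0, ratio_threshold=5.0):
    """Rule 2: compare each day's outbound bytes with the same host's prior days.

    Both a z-score and a ratio test must fire: the ratio keeps a host with a
    very flat history (near-zero standard deviation) from alerting on a small
    wobble that would otherwise produce a huge z-score.
    """
    by_host = defaultdict(list)
    for day, host, bytes_out in sorted(flows):
        by_host[host].append((day, bytes_out))

    alerts = []
    for host, series in by_host.items():
        for i, (day, bytes_out) in enumerate(series):
            history = [b for _, b in series[:i]]
            if len(history) < min_baseline_days:
                continue  # not enough history to call anything anomalous
            mu, sigma = mean(history), pstdev(history)
            if sigma:
                z = (bytes_out - mu) / sigma
            else:
                z = float("inf") if bytes_out > mu else 0.0
            ratio = bytes_out / mu if mu else float("inf")
            if z > z_threshold and ratio > ratio_threshold:
                alerts.append({
                    "day": day, "host": host, "bytes_out": bytes_out,
                    "baseline_mean": mu, "ratio": round(ratio, 1),
                })
    return alerts


def run_detections(auth_events=AUTH_EVENTS, flows=FLOW_TOTALS):
    """Run both rules and return their alerts keyed by rule name."""
    return {
        "service_account_interactive": service_account_interactive_logons(auth_events),
        "outbound_volume": outbound_volume_anomalies(flows),
    }


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        print(rule)
        for hit in hits:
            print("  ", hit)
```

On the constructed data the two rules corroborate each other: the same workstation that shows a backup service account logging on interactively on day six is the one whose outbound volume jumps from roughly 21 MB a day to 4.8 GB. In a real SIEM each rule would be one query against logon and flow tables; the value of the custom rule is the per-host baseline, which a generic "large transfer" threshold lacks.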
Exfiltration vs containment
In terms of moving the data out of the network, the Red Raccoons decide to move the data laterally rather than vertically, through soft targets such as the university and research groups as well as acquired companies with less well-managed networks.
For good measure, they’ve also orchestrated a disinformation campaign online that has resulted in a physical protest outside one of the main hospital buildings, maximising chaos, to distract senior management.
Ransomware has also been scheduled to go off at certain points, encrypting documents that can only be released with a key.
Momdjian notes that one trick attackers have gone for recently is not going for full encryption but going for just part of a file: “just enough to damage it so you can’t use the whole file.”
On the other hand, he adds that if you detect a change in file size or any change to the file itself, your security systems should alert you.
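The partial-encryption trick above is exactly why a size check alone is not enough: overwriting a few hundred bytes in the middle of a document leaves its length unchanged. The following file-integrity check is an added example written for this article, not a tool from Semperis or the exercise participants. It baselines each file's size, SHA-256 and per-chunk entropy, then reports which chunks changed from text-like to random-looking content. The sample document, the "ransomware" that overwrites one region of it, the chunk size and the entropy thresholds are all constructed for the illustration.

```python
"""File-integrity check that distinguishes a benign edit from partial encryption.

A baseline records size, SHA-256 and the Shannon entropy of each fixed-size
chunk. On re-check, a hash mismatch with unchanged size plus a chunk whose
entropy jumped to near-random levels is flagged as suspected partial encryption.
"""
import hashlib
import math

CHUNK = 512            # bytes per entropy window (assumption for this example)
ENTROPY_JUMP = 2.0     # minimum rise in bits/byte between baseline and now
HIGH_ENTROPY = 6.5     # bits/byte above which a chunk looks encrypted/compressed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0 for empty input, at most 8)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def fingerprint(data: bytes) -> dict:
    """Size, SHA-256 and per-chunk entropy for one file's contents."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "chunk_entropy": [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)],
    }


def build_baseline(files: dict) -> dict:
    """files maps path -> bytes; returns path -> fingerprint."""
    return {path: fingerprint(data) for path, data in files.items()}


def check(baseline: dict, current: dict) -> list:
    """Compare current file contents against the baseline and return alerts."""
    alerts = []
    for path, base in baseline.items():
        data = current.get(path)
        if data is None:
            alerts.append({"path": path, "reason": "missing", "chunks": []})
            continue
        now = fingerprint(data)
        if now["size"] != base["size"]:
            alerts.append({"path": path, "reason": "size_changed", "chunks": []})
        if now["sha256"] != base["sha256"]:
            alerts.append({"path": path, "reason": "content_changed", "chunks": []})
            # Which chunks went from text-like to random-looking?
            spiked = [
                i for i, (before, after) in enumerate(zip(base["chunk_entropy"], now["chunk_entropy"]))
                if after - before >= ENTROPY_JUMP and after >= HIGH_ENTROPY
            ]
            if spiked:
                alerts.append({"path": path, "reason": "entropy_spike", "chunks": spiked})
    return alerts


# --- constructed sample data -------------------------------------------------
SENTENCE = b"Patient visit summary: vitals stable, medication reviewed, follow-up in two weeks.\n"
ORIGINAL = (SENTENCE * 50)[:2048]          # a 2048-byte text document, four chunks


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-example") -> bytes:
    """Deterministic random-looking bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Partial encryption: only bytes 512..1023 (chunk 1) are overwritten, size unchanged.
PARTIALLY_ENCRYPTED = ORIGINAL[:512] + pseudo_random_bytes(512) + ORIGINAL[1024:]
# Benign edit: a clinician appends a line, so size and hash change but entropy does not.
EDITED = ORIGINAL + b"Addendum: follow-up moved to next Tuesday.\n"

BASELINE = build_baseline({"report.txt": ORIGINAL})


def demo() -> dict:
    """Run the check against both scenarios and return the alerts per scenario."""
    return {
        "partial_encryption": check(BASELINE, {"report.txt": PARTIALLY_ENCRYPTED}),
        "benign_edit": check(BASELINE, {"report.txt": EDITED}),
    }


if __name__ == "__main__":
    for scenario, alerts in demo().items():
        print(scenario)
        for alert in alerts:
            print("  ", alert)
```

The two scenarios make the point in the text concrete: the benign edit trips the size and hash checks and nothing else, while the partially encrypted file keeps its size and would pass a size-only check, but fails the hash comparison and shows one chunk whose entropy has jumped to ciphertext levels. Real file-integrity monitoring works the same way at scale; the entropy window is what turns "this file changed" into "this file was damaged the way ransomware damages files."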
The Purple Knights, meanwhile, have been refining their detection capabilities and noticing some of Red Raccoons’ tactics. Their IR is now focussed on containment: lockouts, isolation, and segmentation of the network and critical hosts.
The question is, will they pull the plug on all the connected devices — including connected beds and life-saving machines — that exist within the hospital’s IoT ecosystem?
“We’ve been isolating a lot of our IoT devices and bio-med devices just to make sure they are on a safe network – so if we get hit by a ransomware load, it would be contained within a certain segment,” explains Jeff Wichman, purple team lead and Semperis director of incident response.
“In the meantime, we will try and transition physically all beds that can be moved. And, of course, decisions must be made for critical patients,” he adds.
Ransom demands
The red team has an idea of the amount they want Sunshine Health to pay out. “They probably already know what their target is going to pay and what the cyber security insurance payout will likely be if policy documents have been kept anywhere on the network,” Momdjian adds.
Back to the hack, and the Raccoons are ramping up the pressure with threats of leaking information to the media if the Purple Knights don’t pay up.
“Little by little, we will leak data until it’s too much for them to take,” says one team member, a little too gleefully.
The purple team, meanwhile, have brought in several third parties to aid with containment and negotiations. “We’ve brought in the FBI as well as a Computer Security Incident Response Team (CSIRT),” Wichman reports. “Communications about the attack are also going on at a stakeholder level, and we’ve activated our disaster recovery plan.”
The team is hopeful that they will receive customised indicators of compromise (IOCs) from some of these partners that will help them to detect and prevent attacks, or limit the damage done by stopping attacks early.
From a recovery perspective, Wichman — a former ransomware negotiator at Palo Alto’s Unit 42 division — explains that the purple team is negotiating to stall: “That gives the third party time to investigate and time to understand the full scope and put additional monitoring in place.”
He adds: “We’re also starting with a full reset of every account — which is very painful but better than building the Active Directory (AD) from scratch.”
Semperis’s 2024 Ransomware Risk Report reveals that only one-quarter of respondents maintain a dedicated AD backup system. Yet, Gartner notes that adding dedicated tools for backup and recovery of AD can accelerate and simplify recovery from cyberattacks.
The Knights added that they also aimed to compromise the attack infrastructure and encrypt all their files before the hackers could access them.
The IR team has decided that there will be no comment to the press while they are still investigating the attack. “That would be more of a stakeholder decision – it’s executives that should make those calls, which should be controlled by legal and PR,” says Wichman.
Cyber healthcare expert Marty Momdjian, who has been leading the exercise, adds that every healthcare system currently has its legal teams and third-party counsel on speed dial.
To pay or not to pay?
Momdjian says that the big question that always comes up is whether to pay the ransom.
“The straightforward answer is ‘No, never.’ But there are situations where firms have had to pay the ransom because it’s really the only way out. It’s lucrative for threat actors at the end of the day,” he admits.
According to Semperis’ latest ransomware risk report, around 66% of all healthcare companies end up paying the ransom, with 16% admitting that the payout was a matter of life and death.
While these figures seem high, healthcare is one of the sectors least likely to pay, with education paying up in 70% of cases, travel in 85% of cases, and finance in 80% of cases.
According to Wichman, each organisation has its own risk tolerance on whether it is willing or not willing to pay. “It comes down to a couple of factors of what data the attackers have; in a healthcare situation, someone’s life is on the line. The attackers know that and will use it to their advantage.”
Third-party support
Wichman advises using third-party services when entering negotiations with attackers. “I do not recommend any organisation communicate with an attacker directly,” he stresses.
He adds that the person shouldn’t be someone from the internal IR team, especially not someone who is solely focussed on IT. They tend to only look at things from the point of view of their own department and might not grasp the repercussions or the bigger picture.
“They also tend to be more emotionally involved in what should be conducted as a business transaction,” he says.
According to Wichman, it’s also becoming increasingly common for cyber insurers to become involved during the negotiation stage, although this can also complicate things.
The negotiator has had incidents in the past where he hasn’t been able to seek the required approval of a cyber insurer because the person responsible had clocked off for the weekend and wasn’t available until the Monday. “Hackers don’t work to that 9 to 5 timetable,” he warns.
Pizza advice
We wrap with takeout pizza — the incident response room’s meal of choice “because it allows you to keep one hand free to do something else,” Momdjian adds.
During a controlled environment like a tabletop, the whole team is together — but Momdjian warns that in the real world, this experience would be “far harder and more chaotic.”
“For healthcare, when there is an adversary in the network, decisions have to be made instantly, but they can’t be executed instantly because of the level of approval needed from clinicians,” he says.
According to Momdjian, during a real-life incident, there would be a different roster of people working rotating shifts, as it’s not possible for people to manage incidents like this effectively if they’ve been working around the clock for days on end.
One of TechInformed’s key takeaways was just how pervasive, successful, and lucrative the ‘business’ of ransomware is. According to Semperis’ 2024 risk report, 74% of respondents who were victimised by ransomware within the past 12 months were attacked multiple times, many in the span of a week.
In total, 78% of the targeted organisations surveyed paid the ransom, with 72% paying out multiple times.
This last stat suggests that paying attackers does not solve the larger problem. According to Semperis, more than a third of organisations that paid the ransom failed to receive decryption keys or were unable to recover their files.
So, while planning, contingency, and backup — as well as tabletops like this one — might not prevent hospitals from paying up in life-or-death situations, having the right tech and knowledge at their disposal certainly increases their bargaining power and limits their chances of subsequent attacks.
And kudos to the Purple Knights — the Red Raccoons really did have the easier job in this exercise. As Wichman says: “Detecting everything is the tough job — because all attackers need to do is find one hole.”