The Anatomy of an Attack

The anatomy of an attack

Many times in this space we have discussed the results of an organization suffering a breach. These have included the fines an organization receives due to lackluster security practices, or the long-term damage a breach could potentially inflict on an organization’s reputation.

Today, we’re going to move our gaze from the aftermath of an attack to it’s beginnings. What does a breach in real time look like, and what are the immediate steps an organization can take to remedy this attack?

Meet the Attacker

Since the summer of 2016, a hacking group known as “TheDarkOverlord” has been attacking businesses in the healthcare and financial sectors, grabbing private information and using it as a means of extortion.

For example, in September of last year, the group attacked an investment bank in California, stealing valuable customer data. They then released 20 files online that included customer background checks and social security numbers, before demanding a ransom be paid or else more files would be released.

Recently, this group has struck again, attacking a healthcare provider, Little Red Door Cancer Services of East Central Indiana.

The Attack

Healthcare Info Security reported the attack occurring as follows:

  • Board members received playful text messages from an unidentified source, encouraging them to check their emails.
  • The organization soon realized their servers and physical backups were completely wiped, with a few exceptions. The information the attackers made out with included donor names and contact information, employee data including social security numbers and grant documents for Little Red Door itself.
  • TheDarkOverlord demanded a ransom to return the data.
  • The ransom was originally set at 50 bitcoins, or $43,000, but soon dropped to $12,000
  • Little Red Door was cautioned by the FBI not to pay the funds and will comply.

The Solution

After looking over their data, Little Red Door recognized they had only lost around a day’s worth of data that was not backed up prior to the attack. Since the attack, they’ve been working with a cloud services provider to retrieve their information and get them back up and running, while also deciding to move on from their compromised servers. Rather than replacing the servers, they’ve decided to keep their data, “more remote, more secure,” according to Aimee Fant, Little Red Door’s Executive Director.

Though the information that was stolen was put on the black market for bid by the hacker, fortunately most of their patients’ information was protected. Little Red Door had previously made the wise decision to keep all of their client information on paper, including patients’ charts and private information. This negates one of the main draws for attackers like TheDarkOverlord, which primarily focuses its attacks on the healthcare sector due to the abundance of digital record keeping.

Little Red Door took some important steps that all business would do well to follow. Specifically of note:

  • The speed at which the organization determined what had been stolen
  • The immediate remediation steps taken to replace the lost data
  • The decision to not pay the attacker’s demands
  • The foresight to keep their most precious information on paper, which is an excellent backup for any organization
Posted in BAI Security Blog and tagged , , , , , , .