Texas Hospital Disrupted by Ransomware Attack
Shortly after Labor Day, OakBend Medical Center, a not-for-profit hospital in the Houston, Texas, area, made an official announcement informing the public about a ransomware attack that occurred on September 1st, 2022. The Daixin ransomware group has taken credit for the attack, which is at least the fourth attributed to the group since June of 2022. In addition to taking the target systems offline, Daixin says it exfiltrated more than 3.5 GB of data, including over one million records containing both patient and employee information. According to the group, the stolen data includes Personally Identifiable Information (PII) such as Social Security numbers (SSNs) as well as Protected Health Information (PHI). The group also claims to have shared a sample of the exfiltrated data with hospital management to prove its assertions. On September 16th, hospital representatives confirmed that an unauthorized party had stolen sensitive patient and employee data. The Daixin gang has threatened to release all of the captured data if its ransom demands are not met.
IDENTIFY INDICATORS OF COMPROMISE (IOC)
OakBend states that the attack was uncovered on September 1st when it discovered encrypted files throughout its network. IT personnel immediately took all systems offline to contain the attack. Hospital management stated that patient safety was never at risk and that the hospital managed to maintain basic operations despite the disruption.
CONTAINMENT (If IoCs are identified)
After taking all of its systems offline, OakBend operated under lockdown procedures and engaged law enforcement and outside technical assistance. The FBI, the Cyber-Defense Campus (CYD), and the local county government cyber team have been involved in the investigation. Cybersecurity experts from Microsoft and Dell, along with a team of malware specialists, were brought in to conduct their own investigations and clean the affected systems. Once the hospital obtained clearance from the experts, internal IT teams began bringing systems back online. An OakBend spokesperson announced on September 13th that its voicemail services were still down but that its email systems were back online.
Ransomware operators move laterally across a network after the initial foothold, seeking out additional systems to encrypt, so network segmentation is critical. This means not only placing workstations, servers, clinical devices and administrative hosts in separate VLANs, but also routing traffic between those segments through a next-generation firewall that enforces an explicit allowlist and inspects what crosses the boundary, so that one compromised workstation cannot reach every file server and domain controller over SMB or RDP. One option for organizations not burdened with on-premises legacy systems is to move their local Active Directory infrastructure to a cloud identity service. Cloud environments are still subject to attack, but they remove the on-premises domain controllers that ransomware operators typically target to push encryption across an entire estate, and in practice have held up better against these campaigns.
Patching remains one of the most effective protective steps: keeping operating systems and software current with the latest security updates removes the known, exploitable vulnerabilities that attackers rely on for initial access and for moving between systems.
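As an added illustration of the segmentation point above (this is example code written for this page, not anything from OakBend or its vendors), the following script audits constructed flow records against an inter-segment allowlist of the kind a segmenting firewall should enforce. The segment ranges, the allowed port matrix and the sample flow lines are all assumptions made up for the example; the lateral-movement port list (SMB 445, RDP 3389, WinRM 5985/5986, SSH 22) reflects the services ransomware operators commonly abuse to spread. Anything not explicitly allowed is denied, and cross-segment or workstation-to-workstation traffic on those ports is called out separately so it can be investigated rather than silently dropped.

```python
"""Audit east-west flow records against an inter-segment allowlist.

Constructed example: segments, policy and flow records are assumptions
for illustration only, not data from the OakBend incident.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Hypothetical VLAN/segment layout (assumed for the example).
SEGMENTS = {
    "users":    ipaddress.ip_network("10.10.0.0/16"),   # staff workstations
    "servers":  ipaddress.ip_network("10.20.0.0/16"),   # file, app and directory servers
    "clinical": ipaddress.ip_network("10.30.0.0/16"),   # imaging / bedside devices
    "mgmt":     ipaddress.ip_network("10.90.0.0/24"),   # admin jump hosts
}

# Ports ransomware operators commonly use for lateral movement.
LATERAL_PORTS = {445, 3389, 5985, 5986, 22}

# Segments whose hosts have no business talking to each other directly
# on lateral-movement ports (workstation-to-workstation SMB/RDP is a
# classic sign of spread, and a VLAN alone does not block it).
NO_PEER_LATERAL = {"users", "clinical"}

# Inter-segment allowlist: (src_segment, dst_segment) -> permitted dst ports.
# Pairs not listed are implicitly denied; that is the firewall's default.
ALLOW = {
    ("users", "servers"):    {443, 88, 389, 636, 53},  # web apps, Kerberos, LDAP, DNS
    ("mgmt", "servers"):     {3389, 5985, 22},         # admin access only from jump hosts
    ("mgmt", "clinical"):    {22},
    ("clinical", "servers"): {443},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment name, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> Flow:
    """Parse the constructed record format '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, int(dport), proto)


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'lateral'."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s is None or d is None:
        return "deny", "address outside any known segment"
    if s == d:
        if s in NO_PEER_LATERAL and flow.dport in LATERAL_PORTS:
            return "lateral", f"peer-to-peer {flow.dport}/{flow.proto} inside {s}"
        return "allow", f"intra-segment traffic in {s}"
    permitted = ALLOW.get((s, d), set())
    if flow.dport in permitted:
        return "allow", f"{s}->{d}:{flow.dport} is allowlisted"
    if flow.dport in LATERAL_PORTS:
        return "lateral", f"{s}->{d}:{flow.dport} lateral-movement port crossing segments"
    return "deny", f"{s}->{d}:{flow.dport} not in allowlist"


def audit(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Evaluate each record; returns (line, verdict, reason) triples."""
    return [(line, *evaluate(parse_flow(line))) for line in lines]


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "10.10.4.12 10.20.1.5 tcp 443",    # workstation to web app: allowed
    "10.10.4.12 10.20.1.7 tcp 445",    # workstation to file server SMB: lateral
    "10.10.4.12 10.10.4.40 tcp 445",   # workstation to workstation SMB: lateral
    "10.90.0.3 10.20.1.7 tcp 3389",    # jump host RDP to server: allowed
    "10.10.4.12 10.30.2.9 tcp 3389",   # workstation RDP into clinical segment: lateral
    "10.20.1.7 10.30.2.9 tcp 8080",    # server to clinical device, unlisted port: deny
    "192.168.1.1 10.20.1.7 tcp 443",   # source outside the segment plan: deny
]

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:8} {line:32} {reason}")
```

In a real deployment the same matrix is what the inter-VLAN firewall policy should encode, and the audit is run over exported flow or firewall logs so that any "lateral" hit is a segmentation failure or an intrusion in progress, not a policy tuning question.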
You can proactively strengthen your Incident Response Readiness (IRR) ahead of a cybersecurity event by conducting a security risk assessment. Risk assessments identify areas of exposure and point out opportunities for improvement that can prevent, or limit the impact of, a ransomware attack.