A potential threat in the cyber landscape requires a rapid incident response, and Pondurance was ready. One of the first challenges for the Pondurance team was making sure that the hospital could continue functioning with minimal disruption as the team worked to contain the incident.
“We found ourselves walking a tightrope,” said the Pondurance consultant. “We were balancing patient needs, electronic patient health records and system needs while still making sure we didn’t let this ransomware actor — or what we believed to be a ransomware actor — get any further into the network and potentially encrypt or disrupt the environment.” The hospital experienced a brief outage: one workstation was taken offline and had to be reimaged, and network connections between certain groups were cut, but overall the disruption was kept to a minimum.
The Pondurance team collected copies of the various malicious payloads and sent them to the EDR vendor, which also worked the incident alongside the team.
“From our perspective, we now had a really valuable piece of intelligence here, much the same way that an intelligence service conducts intelligence collection through all of the different channels that it uses,” said the Pondurance consultant. With that intelligence, the team examined the backdoor, reverse engineered the malware, and built the resulting detection logic into the Pondurance EDR console so that similar activity would be detected and alerted on automatically going forward.
The team added the signature to the blocklist and rescanned the hospital’s systems. Because the hospital belongs to a larger professional group whose members share information and threat intelligence, and many of those members are Pondurance clients, Pondurance sent a communication informing the entire group about the incident. The clients were pleased to hear that Pondurance had taken measures to contain the threat and had improved its detection for the future.