In brief
Healthcare provider
Healthcare
United States
Unit 42™ Incident Response services
CHALLENGE
A healthcare provider’s security team found a suspicious file on one of its servers. When further investigation revealed that the same file was present on several other servers, the team realized that it had a serious problem.
As the incident progressed, the threat actor deployed a ransomware payload and locked the organization out of its systems. The security team recognized that they needed the help of knowledgeable and experienced experts who could investigate the problem, assist in negotiations with the threat actor, and get the client’s environment back online.
SOLUTION
The client decided to bring in the Palo Alto Networks Unit 42 Incident Response team. Unit 42 brings together world-renowned threat researchers with an elite team of incident responders and security consultants to create an intelligence-driven, response-ready organization.
Unit 42 put almost 40 people on the investigation team. Investigators quickly realized that the threat actors were using BlackCat ransomware, which, at the time, was a newly emerging threat.
The Unit 42 Threat Intel team, embedded in the client’s security organization, was very effective at obtaining the information available about BlackCat and putting it in the hands of Unit 42 investigators. This allowed investigators to learn as much as possible about what the threat actor was doing, how they operated, what they had accessed, and what they had taken.
The Unit 42 team provided continuous updates to the client, keeping everyone up to date on the status of the investigation.
Part of Unit 42’s process included reaching out to the threat actor. Early in the exchange, the threat actor recited parts of the client’s insurance policy, indicating that they had been in the environment long enough to understand the client’s business and what it might be capable of paying in ransom.
With Unit 42’s help, the client negotiated with the threat actor and made a payment.
Unit 42 advised the client to deploy Cortex XDR® throughout its entire environment to provide the visibility necessary to understand whether the threat actor was still in the environment and, if so, what they were doing.
After the client regained access to its systems, Unit 42 investigators found a suspicious binary in a Windows directory. Malware analysis quickly determined that it was a keylogger: evidence that the threat actor had stolen credentials in a more systematic way than the initial analysis suggested.
When Unit 42 presented these findings to the client’s leadership, one executive asked, “How are we ever going to trust our environment again?” Unit 42’s answer was that, indeed, the organization could not regain full trust in the existing environment; the entire environment needed to be rebuilt from the ground up.
Although a difficult decision for the client to make, this action ultimately resulted in a much stronger, more secure system.
RESULTS
In addition to responding quickly to the ransomware attack and restoring the organization’s access to its systems, Unit 42’s Cyber Risk Management team helped the client identify vulnerabilities and gaps in its policies and processes. The team helped the client redesign its security program and posture entirely, making it much more resilient to future attacks.
For the client, working with Unit 42 brought industry-leading strengths in three areas:
Palo Alto Networks Unit 42 brings together world-renowned threat researchers, elite incident responders, and expert security consultants to create an intelligence-driven, response-ready organization that’s passionate about helping you proactively manage cyber risk. Our team serves as your trusted advisor to help assess and test your security controls against the right threats, transform your security strategy with a threat-informed approach, and respond to incidents in record time so that you get back to business faster.
If you’d like to learn more about how Unit 42 can help your organization defend against and respond to severe cyberthreats, visit start.paloaltonetworks.com/contact-unit42.html to connect with a team member.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team at start.paloaltonetworks.com/contact-unit42.html or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, UK: +44.20.3743.3660, APAC: +65.6983.8730, or Japan: +81.50.1790.0200.