


Commentary from Semperis on the Change Healthcare cyberattack

February 2024 by Mickey Bresman, CEO, Semperis

The commentary from Mickey Bresman, CEO, Semperis on the Change Healthcare cyberattack.

Yesterday’s global seizure of the assets and infrastructure of the notorious LockBit ransomware gang gave many global law enforcement agencies a reason to celebrate a job well done. But make no mistake that while law enforcement agencies are hunting for ransomware actors daily, there are still multiple ransomware and other cybercriminal gangs out there. That requires organisations to have an operational resiliency mindset to prepare for inevitable attacks.

Now with reports surfacing that Change Healthcare has experienced an outage due to a likely ransomware attack, and pharmacies are experiencing delays in processing prescriptions, we’re reminded of the challenges healthcare providers face daily to ensure business continuity and patient care. While it is too early to tell if the suspected ransomware attack on Change will affect the lives of patients in need of medications, they do reportedly process 15 billion transactions annually. This attack comes after numerous recent ransomware attacks on hospitals such as Lurie Children’s Hospital in Chicago and medical supply operator Henry Schein.
Overall, healthcare organisations should operate in the assume breach mindset. From Semperis’ incident response experiences with hospitals across the globe, state-sponsored actors are steely-eyed and determined to compromise any organisation, be it hospital or other, including pediatric hospitals if they see fit. In some notorious cases recently, cybercriminals announced that they will not attack hospitals while executing an attack on a hospital shortly after.
Organisations should fight back and first assess what their critical systems are, including infrastructure such as Active Directory (AD), because nine out of 10 cyberattacks target it. And by operating in the assume breach mindset, if you find one compromised environment or one malicious malware (such as password interception) assume that there are others that you have not discovered.
Companies should also monitor for unauthorised changes occurring in their AD infrastructure and have real-time visibility to changes to elevated network accounts and groups, as well as fast means of performing a clean recovery so they can get back on their feet as soon as possible.
Also, it is critical for organisations to back up their systems and then perform a clean recovery of their environment, where forensics and deep inspections take place to clean the environment. Then organisations can transition their systems and users to work in that environment. And make sure to save the compromised environment to perform a full forensics investigation.
