Setting the Scene

It was a normal week in late October for a New York-based BlackHawk Data client. With more than 4,000 remote employees, the healthcare organization was functioning out-of-office.

Everything appeared to be business as usual until several alerts were triggered in their Cisco Umbrella dashboard early Thursday morning. There had been numerous attempts to access a malicious domain known to be used in an ongoing ransomware attack against healthcare providers.

The organization was new to Cisco Umbrella, and it had only been deployed to guard the known networks by resolving the traffic forwarded from the internal DNS servers. Because every query reached Umbrella from those resolvers rather than from the originating endpoint, the infected hosts couldn’t be determined; the response team could only see that a few requests were coming through per hour. No other internal tools showed indicators of the infection within the network.

Identification and Response

On Friday, BlackHawk requested that all remote users connect to the VPN so that all domain requests would be pushed through Cisco Umbrella. This would let us determine the scope of the problem and identify the machines attempting connections to the domains listed in the CISA advisory (AA20-302A).

The requests soared to more than 20,000 per hour, prompting the immediate deployment of Umbrella roaming clients to all machines. Because the roaming client reports queries per endpoint rather than per resolver, it quickly identified which hosts were infected, allowing those machines to be quarantined for remediation.
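The attribution problem described above, as an added example that is not BlackHawk's or Cisco's code: the same watch-list hit count aggregated over constructed DNS query logs, first as seen from the internal resolvers (every hit appears to come from the forwarder) and then from per-endpoint roaming-client logs. The log format, the hostnames, the resolver address and the `blocked-c2.example` domain are all constructed placeholders, not Umbrella's export schema or the advisory's indicators.

```python
from collections import Counter
from datetime import datetime

# Constructed log format (not Cisco Umbrella's real export schema):
# "<ISO timestamp> <source> <queried domain> <action>"
RESOLVER_LOGS = """\
2020-10-29T02:05:11 10.0.0.53 blocked-c2.example blocked
2020-10-29T02:41:37 10.0.0.53 blocked-c2.example blocked
2020-10-29T03:12:09 10.0.0.53 www.example.org allowed
2020-10-29T03:55:48 10.0.0.53 blocked-c2.example blocked
""".splitlines()

ROAMING_LOGS = """\
2020-10-30T09:00:02 LAPTOP-0417 blocked-c2.example blocked
2020-10-30T09:00:07 LAPTOP-0417 blocked-c2.example blocked
2020-10-30T09:00:15 LAPTOP-2231 blocked-c2.example blocked
2020-10-30T09:01:40 LAPTOP-0980 www.example.org allowed
2020-10-30T10:02:33 LAPTOP-0417 blocked-c2.example blocked
""".splitlines()

WATCHLIST = {"blocked-c2.example"}  # placeholder; real domains come from the advisory
RESOLVERS = {"10.0.0.53"}           # internal DNS servers that forward to Umbrella

def summarize(lines, watchlist, resolvers):
    """Return (watch-list hits per hour, hits per attributable host, unattributed hits)."""
    per_hour, per_host, unattributed = Counter(), Counter(), 0
    for line in lines:
        ts, source, qname, _action = line.split()
        if qname not in watchlist:
            continue
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
        per_hour[hour] += 1
        if source in resolvers:
            unattributed += 1   # forwarded by a resolver: originating host is hidden
        else:
            per_host[source] += 1
    return dict(per_hour), dict(per_host), unattributed

def hosts_to_quarantine(lines, watchlist, resolvers, threshold=1):
    """Endpoints with at least `threshold` watch-list hits; empty when only resolvers are visible."""
    _, per_host, _ = summarize(lines, watchlist, resolvers)
    return sorted(host for host, hits in per_host.items() if hits >= threshold)
```

With resolver-sourced logs the hourly counts show the problem but `hosts_to_quarantine` returns nothing; with per-endpoint logs the same function names the machines to isolate.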

Continued Security and Prevention

Although the Cisco Umbrella deployment was in its early stages, it alerted on and blocked this threat, stopping the payload from being downloaded and deployed within the network. Without Umbrella, the threat would have gone unnoticed and the infection would have been widespread, most likely ending in a ransomware negotiation.

A week out from the incident, BlackHawk continued to work with the client to identify infected machines and remediate them. We determined that without Umbrella’s protection, the organization would have been compromised, leaving thousands of employees without a way to serve their patients.

Our Takeaway

Witnessing and working as a response team against this attack has left BlackHawk with more confidence than ever in this product. As a direct result of this incident, we have deployed free proofs of concept (POCs) for all of our healthcare customers.

How to Protect Your Organization

You can try this security solution completely free for 21 days when you sign up with BlackHawk Data. We will work with you to set up this non-intrusive basic protection in less than an hour. We understand how important our healthcare system is; we consider it a duty to help protect those organizations and their patients from cyber attacks.
