Rapidly isolated the source of the malicious code
Quickly and efficiently quarantined impacted resources and stopped the spread of the ransomware
Created alerts on the malicious file extension to rapidly detect and prevent future attacks
Early in 2016, an employee with a large health services provider was experiencing performance problems with his client machine. He opened a ticket with the organization's IT department. What they found came as a surprise – and a wake-up call – to everyone involved.
The slowness and performance problems that seemed innocuous turned out to be much more insidious. The client machine had been infected with ransomware, and it was already working to capture files and systems to which the employee had access.
In order to prevent a large-scale data hostage situation like the one Hollywood Presbyterian experienced the same week, the IT and security teams at the health services provider needed a way to determine how and when the employee's machine had become infected with ransomware, determine which files and systems had been impacted, and quickly alert on any activity associated with the malicious file. In this case, the file used an extension that had no business on the organization's NAS at all, so they created an alert for all files of that type to serve as an early warning against this type of ransomware.
Today's threat actors are taking advantage of vast attack surfaces that extend across every endpoint from the branch office to the datacenter or the cloud, and too often they operate unnoticed. At ExtraHop we've spent years developing technology that can analyze the entire network in real time – every critical asset and every transaction – so that there are no blind spots.
CTO and co-founder, ExtraHop
In order to gain real-time insight into what the ransomware was doing in their network-attached storage (NAS), the health services provider turned to ExtraHop.
Visibility from the Network to the Client Machine
Because ransomware relies on the permissions of the infected user or machine to access and encrypt files on any shared volumes on the NAS, the IT team first needed to understand what was happening on the employee's machine.
Using ExtraHop to monitor and analyze East-West traffic, they were able to monitor the client machine and watch, in real time, each file that the ransomware was reading. In turn, they were able to quickly isolate impacted assets and stop the attack from progressing.
While the most critical step in thwarting a ransomware attack is blocking its access to NAS resources, it's also crucial to understand when and how the client machine or user was infected in the first place.
Using the look-back functionality in the ExtraHop Discover appliance, the security team for the health services provider was able to investigate the employee's activity on his machine, looking specifically at the 10 minutes leading up to when the attack started.
In this particular case, the IT and security teams were able to use ExtraHop to determine that the ransomware came not from a PDF or executable file the user had intentionally downloaded, but from a URI on which the employee had clicked.
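The two detection steps described above, alerting on a file extension that does not belong on the NAS and then looking back at what the infected client touched in the minutes before its first alert, as an added example that is not ExtraHop's code. The file-access records are constructed, the log format is assumed, and the blocked extension is a placeholder because the page does not name the real one.

```python
import re
from datetime import datetime, timedelta

# Placeholder extension; the case study does not name the real one.
BLOCKED_EXTENSIONS = {".xyzlocked"}

# Assumed record format for NAS file-access events (not an ExtraHop format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>\S+)$"
)

def parse_record(line):
    """Parse one file-access line into a dict; return None on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def extension(path):
    """Return the lower-cased final extension of a path, or '' if none."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""

def find_alerts(records):
    """Flag every WRITE/RENAME that produces a file with a blocked extension."""
    return [r for r in records
            if r["op"] in {"WRITE", "RENAME"}
            and extension(r["path"]) in BLOCKED_EXTENSIONS]

def lookback(records, client, first_alert_ts, minutes=10):
    """Return the client's activity in the window just before its first alert."""
    start = first_alert_ts - timedelta(minutes=minutes)
    return [r for r in records
            if r["client"] == client and start <= r["ts"] < first_alert_ts]

def triage(lines, minutes=10):
    """Per client: first alert time, offending paths, and prior activity."""
    records = [r for r in map(parse_record, lines) if r]
    records.sort(key=lambda r: r["ts"])
    result = {}
    for a in find_alerts(records):
        c = a["client"]
        if c not in result:  # first alert for this client sets the window
            prior = lookback(records, c, a["ts"], minutes)
            result[c] = {"first_alert": a["ts"], "alert_paths": [],
                         "prior_activity": [r["path"] for r in prior]}
        result[c]["alert_paths"].append(a["path"])
    return result

# Constructed sample log: one infected client and one benign client.
SAMPLE_LOG = [
    "2016-02-15T09:49:00 client=10.0.5.23 user=jdoe op=READ path=/share/old/notes.txt",
    "2016-02-15T09:55:40 client=10.0.5.23 user=jdoe op=READ path=/share/hr/policy.pdf",
    "2016-02-15T09:58:02 client=10.0.5.23 user=jdoe op=READ path=/share/finance/q1.xlsx",
    "2016-02-15T10:00:11 client=10.0.5.23 user=jdoe op=WRITE path=/share/finance/q1.xlsx.xyzlocked",
    "2016-02-15T10:00:12 client=10.0.5.23 user=jdoe op=RENAME path=/share/hr/policy.pdf.xyzlocked",
    "2016-02-15T10:00:30 client=10.0.7.8 user=asmith op=WRITE path=/share/hr/report.docx",
]
```

The 09:49 read falls outside the 10-minute window and is excluded, which is the point of bounding the look-back to the moments before the first alert.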