Early in 2016, an employee with a large health services provider was experiencing performance problems with his client machine. He opened a ticket with the organization's IT department. What they found came as a surprise – and a wake-up call – to everyone involved.
The slowness and performance problems that seemed innocuous turned out to be much more insidious. The client machine had been infected with ransomware, and it was already working to capture files and systems to which the employee had access.
In order to prevent a large-scale data hostage situation like the one Hollywood Presbyterian experienced the same week, the IT and security teams at the health services provider needed a way to determine how and when the employee's machine had become infected with ransomware, determine which files and systems had been impacted, and quickly alert on any activity associated with the malicious file. In this case, the file used an extension that had no business on the organization's NAS at all, so they created an alert for all files of that type to serve as an early warning against this type of ransomware.
In order to gain real-time insight into what the ransomware was doing in their network-attached storage (NAS), the health services provider turned to ExtraHop.
Visibility from the Network to the Client Machine
Because ransomware relies on the permissions of the infected user or machine to access and encrypt files on any shared volumes on the NAS, the IT team first needed to understand what was happening on the employee's machine.
Using ExtraHop to monitor and analyze East-West traffic, they were able to observe the client machine and watch, in real time, each file that the ransomware was reading. As a result, they were able to quickly isolate impacted assets and stop the attack from progressing.
While the most critical step in thwarting a ransomware attack is blocking its access to NAS resources, it's also crucial to understand when and how the client machine or user was infected in the first place.
Using the look-back functionality in the ExtraHop Discover appliance, the security team for the health services provider was able to investigate the employee's activity on his machine, looking specifically at the 10 minutes leading up to when the attack started.
In this particular case, the IT and security teams were able to use ExtraHop to determine that the ransomware came not from a PDF or executable file the user had intentionally downloaded, but from a URI on which the employee had clicked.
Security Beyond the Perimeter
Ransomware attacks are yet another example of why traditional perimeter-based security solutions are no longer sufficient to address today's increasingly sophisticated threats.
ExtraHop provides real-time visibility into all East-West traffic, empowering IT and security teams to detect anomalous behavior – such as irregular NAS activity – and track that behavior from the client machine or user through the entire application delivery chain. With that insight, IT and security teams can spot potential breaches early, and proactively block off sensitive assets before they are attacked.
Fast Quarantine + Proactive Alerting
For the health services provider, one of the most critical steps in curtailing the ransomware attack was quarantining systems to prevent further spread. Using the ExtraHop ransomware bundle, the organization's information security team was able to identify that the malicious file had an unexpected extension and search for it across the entire infrastructure. This allowed them to quickly identify and isolate compromised systems, as well as create alerts for instances of that file extension moving forward.
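The two detection ideas described above, alerting on a file extension that has no business on the share and watching the rate at which one client touches files on the NAS, are simple enough to express as rules over a file-access log. The following is an added example written for this page, not ExtraHop's code or the ransomware bundle: it assumes a constructed log format (timestamp, client, user, operation, path), a constructed list of suspicious extensions (`.locked`, `.crypt`, `.enc`) standing in for the extension the team actually saw, and constructed sample lines in which client `ws-017` behaves like the infected machine and `ws-042` is a normal user.

```python
"""Flag ransomware-like activity in NAS file-access logs.

Added example, not ExtraHop's code. The log format, host names, users,
timestamps and the '.locked' extension are all constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os
import re

# Constructed log format: "<ISO timestamp> <client> <user> <op> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) "
    r"(?P<op>READ|WRITE|RENAME|DELETE) (?P<path>.+)$"
)

# Extensions that should never appear on the share (constructed list; in
# practice seed it from the extension observed on the malicious file).
SUSPICIOUS_EXTENSIONS = {".locked", ".crypt", ".enc"}

# Burst rule: more than this many WRITE/RENAME ops from one client inside the window.
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(seconds=30)

# Constructed sample log: ws-017 encrypts files in place, ws-042 saves one document.
SAMPLE_LOG = """\
2016-01-01T09:12:01 ws-017 jdoe READ /finance/q1.xlsx
2016-01-01T09:12:02 ws-017 jdoe WRITE /finance/q1.xlsx.locked
2016-01-01T09:12:02 ws-017 jdoe DELETE /finance/q1.xlsx
2016-01-01T09:12:03 ws-017 jdoe READ /finance/q2.xlsx
2016-01-01T09:12:04 ws-017 jdoe WRITE /finance/q2.xlsx.locked
2016-01-01T09:12:05 ws-017 jdoe READ /hr/handbook.docx
2016-01-01T09:12:06 ws-017 jdoe WRITE /hr/handbook.docx.locked
2016-01-01T09:12:07 ws-017 jdoe WRITE /hr/policy.docx.locked
2016-01-01T09:12:08 ws-017 jdoe WRITE /hr/offers.docx.locked
2016-01-01T09:12:09 ws-017 jdoe WRITE /hr/notes.txt.locked
2016-01-01T09:15:00 ws-042 asmith WRITE /shared/minutes.docx
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines):
    """Return a list of (rule, client, detail) alerts for the given log lines."""
    alerts = []
    recent = defaultdict(deque)   # client -> timestamps of recent write-like ops
    burst_fired = set()           # clients already reported for a burst
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ext = os.path.splitext(rec["path"])[1].lower()
        write_like = rec["op"] in ("WRITE", "RENAME")
        # Rule 1: a file of a type that has no business on the share.
        if write_like and ext in SUSPICIOUS_EXTENSIONS:
            alerts.append(("unexpected_extension", rec["client"], rec["path"]))
        # Rule 2: one client rewriting many files in a short window.
        if write_like:
            q = recent[rec["client"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) > BURST_THRESHOLD and rec["client"] not in burst_fired:
                burst_fired.add(rec["client"])
                alerts.append(("write_burst", rec["client"],
                               f"{len(q)} write/rename ops in {BURST_WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    for rule, client, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:20} {client:8} {detail}")
```

On the sample log the extension rule fires once per encrypted file and the burst rule fires once for `ws-017`, while `ws-042` produces nothing. The extension rule is the cheap early warning the page describes, but it is brittle on its own because the next family will use a different suffix; the rate rule catches the same behaviour regardless of extension, and either alert is the point at which a responder would pull the client off the network and pivot to the look-back window the article mentions.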