How To Respond To A Cyber Attack

Ryan Klund
| Business Development Associate

TWO MAJOR ATTACKS IN 10 DAYS – HOW EACH TARGET RESPONDED

Thousands of ransomware attacks happened in August 2019 across the United States but two attacks, only 10 days apart from one another, stand out above the rest.

22 Texas towns were upended on August 20th when a coordinated attack crippled their infrastructure and soon after, on August 29thhundreds of Dental offices were unable to access patient data when a ransomware attack disabled integral software used across the United States.

These two ransom attacks carried out by different threat actors differ in many ways, but both share a core similarity. Each end-user organization was compromised by an attack– not pointed at them but pointed at a central point that accesses all the end-users. The 22 Texas towns were compromised by the Managed Service Provider (MSP) that had access to data for all the towns. The dental offices were attacked through a medical records company that houses the data for each of the offices.

This is a growing trend we’ve seen across the United States in recent years. Higher target organizations are being sought out and attacked by cybercriminals. In most cases these ‘central hub’ organizations have better security and are more difficult to penetrate, but when they are hacked the payouts are higher.

In this article, we’ll explore both attacks, what was done correctly in both responses and how each attack could have been prevented. In the interest of complete transparency, SWICKtech is a Managed Service Provider ensuring security to hundreds of businesses in Milwaukee and Chicagoland. We write this article to share our knowledge as a member of the community battling and preventing cyber-attacks every day.

RESPONSE #1 – THE TEXAS ATTACK

Texas Emergency Responders

Cities being compromised is not unusual, in fact, ransomware attacks have become quite common since municipalities have fewer resources to protect from an attack. This incident was highly publicized for the sheer number of towns attacked at one time. The Governor of Texas ordered a state-wide emergency. This was the largest coordinated attack on municipalities in the United States.

How it happened:

As we mentioned earlier in the article, a Managed Service Provider was compromised, and each town was accessed through that initial penetration. A system the MSP used to access the clients called ConnectWise was hacked.

How it could have been prevented:

Patches weren’t up to date for ConnectWise and multi-factor authentication was not in use at the municipalities to access their data. Had these systems been in place this attack could have been prevented.

What the response to the cyber attack was:

Under the direction of the state government, none of the municipalities paid the ransom and they all restored from backup. Reports were that 3 days went by with all computer systems down and after one month only half the towns resumed normal operations.

What they did right:

Not pay the ransom. The federal government recommends that ransom is not paid to the threat actors. The towns all had backups and, albeit painful, they were able to restore computer systems after some time. The software, ConnectWise, had a multi-factor authentication option available but did not require it. They’ve since required it for users which is the right move.

RESPONSE #2 – THE DENTAL SOFTWARE ATTACK

Ransomware Hits Dental Data Backup Service

This attack might have affected one or several of the dentist’s offices in your community. 400 dental offices had computers infected with ransomware through this attack. A Wisconsin-based medical records company, Digital Dental Record, was compromised. Ironically, the company claimed to offer its service to safeguard files from ransomware.

How it happened:

According to reports, a phishing email was sent to an employee at Digital Dental Record that looked like it was from the President of the American Dental Association. The email included his name, signature, and logo.

How it could have been prevented:

Although the phishing email was disguised quite well, advanced email technologies such as SPF, DKIM, and DMARC might have prevented this email from getting into an inbox at the software company. Proper cybersecurity training for employees might also have helped the employee identify the spoof.

What the response to the cyber attack was:

The ransom demand was paid in this case. Three days went by without doctors seeing patient information. According to some doctors, the decryptor from the hackers either didn’t work or didn’t recover all the patient data.

What they did right:

Less is known about the exact response to this attack. It was good that Digital Dental Record had some plan in place to deal with it when an attack happened. They either had enough Bitcoin built up to pay the ransom or had an insurance company able to pay off the criminals.

BOTH RANSOMWARE ATTACKS COULD HAVE BEEN PREVENTED

Both of these attacks could have been prevented with the proper use of the aforementioned security tools. We’re continuing to learn more each day at SWICKtech about strategies used to hack into organizations by cybercriminals. As a community, we continue to improve our security and methods to penetrate our defenses improve also.

If you’re looking to improve your security position or understand your vulnerability – we, at SWICKtech, can provide a free assessment for your organization today.

CONTACT US TODAY!

Stop potential hackers in their tracks.

Related Blogs

Payroll Diversion Fraud Is Targeting Employees

Payroll Diversion Fraud Is Targeting Employees

Costly direct deposit theft scams are on the rise How does it work? Cyber criminals are after employee paychecks that ... Read More >
SWICKtech’s New Cybersecurity Agreement Makes Implementing New Cyber Insurance Requirements Easy

SWICKtech’s New Cybersecurity Agreement Makes Implementing New Cyber Insurance Requirements Easy

You may not know your business is at risk until it's too late The landscape of Information Technology (I.T.) has ... Read More >
What Is the Log4J Vulnerability?

What Is the Log4J Vulnerability?

Log4J is a free and open-source logging library widely used by companies large and small. Officially designated CVE-2021-44228, the 0-day ... Read More >