Ransomware attack timeline: Daniel Smith, CISO at Hearing Australia

According to Daniel Smith, CISO at Hearing Australia, it took a ransomware attacker just three hours to shut down 100% of a senior care company’s core systems.

Smith spoke at Gartner’s Security and Risk Management Summit in Sydney today, describing the experience of lending his expertise to an anonymous elderly care organization that was the target of a cyberattack.

According to Smith, it took only three hours from the first alert of ransomware detection in the company’s systems to the “worst case scenario” where 100% of its systems were down.

Timeline of the attack:

6:00 a.m.: Threat detected
6:30 a.m.: File encryption found
7:00 a.m.: Ransom note found
7:10 a.m.: Emergency response team meeting
7:33 a.m.: Initial communication to staff of system outage – remote desktop environments unavailable
8:30 a.m.: Second communication to personnel of the unavailability of systems – communication platforms cut
9:30 a.m.: Catastrophic failure – complete system shutdown, nothing usable except Microsoft 365
12:00 p.m.: Malware identified as REvil ransomware

“This is the phone call that no CIO wants to receive. It’s definitely the phone call no CIO wants to make to a CEO,” Smith said, of the conversation between the IT team and the CIO when the cyber threat was first detected.

The threat identification phase lasted the first two days, during which only the most basic network services were available to the enterprise. Smith said the primary actions taken included notifying state and federal authorities, isolating the network, notifying stakeholders, contacting security partners, engaging consulting and onboarding services, and resetting passwords and keys.

Days three and four saw the company enter the triage phase and launch the Endpoint Detection and Response (EDR) investigation. It was around this time that the organization realized that the attacker still had a foothold in its environment.

It took six days before the threat was contained and on the ninth day the company could begin the recovery phase. Recovery, in this case, lasted weeks, months and even up to a year, Smith said.

“Building and restoring the systems took a week, deep cleaning the directory took weeks, insurance and legal work took months, [engaging] stakeholders and partners took weeks,” he said.

Completing the data catalog and preparing the records took more than a year.

Key points to remember

To ensure businesses are prepared for an attack, Smith recommended a few key actions to build cyber resilience:

  • Deploy Multi-Factor Authentication
  • Determine board and management stance on ransom payment
  • Undertake fire drills
  • Create a data catalog