
Case study: Prevent, detect, respond and recover
Being called up on the weekend is always an alarming thing in the cyber world. A large medical practice had just lost all of its workstations to ransomware. The malware spread through the workstations within minutes, locking every computer and rendering them unusable. The RSM cyber team was called in to respond.
Notification – The decision was made not to pay the ransom. The first items of discussion were whether the client had cyber insurance (it did not, in this case) and notifying the Australian Cyber Security Centre (ACSC).
Quarantine – While this was happening, the RSM team got onsite to quarantine the infection. Fortunately, the workstations were on an isolated network, which protected the critical servers in the cloud and the operational network running key medical equipment. This meant that critical functions could still be performed, albeit at a slower pace.
Recovery – All workstation data was backed up to the cloud and was unaffected. The RSM team worked with the medical practice’s IT staff to rebuild and restore the workstations. Any workstation that was still functional was wiped clean and restored as a proactive measure against further infection.
Remediate – Once all the workstations were rebuilt and restored, attention turned to remediation to stop a repeat of the incident. All workstations had an advanced anti-malware Endpoint Detection and Response (EDR) solution installed to pick up any further infections and stop them in their tracks. Backups were further protected with passwords, and additional network segmentation was put in place to reduce the ‘blast radius’ of any future infection. A user education program was also put in place. Once the immediate remediation was taken care of, the RSM team turned its attention to a cyber uplift program. This started with a gap analysis against the Essential 8 and NIST-CSF frameworks. The client is currently working with RSM and our partners to implement controls that further strengthen its ability to prevent, detect, respond to and recover from similar incidents in the future.