Sirius Healthcare and Semperis help medical practice thwart devastating impacts, strengthen security stance

When a private orthopedic specialty medical practice was threatened with a healthcare ransomware attack, it took swift action to minimize the impact.

The medical practice’s complex and distributed Microsoft Active Directory (AD) environment included more than 130 servers and 25 domain controllers (DCs), giving a healthcare ransomware attack a large and hard-to-audit surface to work with.

The large orthopedic, physical therapy, and sports medicine practice had 30 locations and more than 2,000 employees. Understandably, the organization’s distributed AD environment was complex, with more than 100 servers and dozens of DCs. This type of complex system is a dream come true for threat actors, who love to target AD vulnerabilities and configuration creep in healthcare ransomware attempts.

Phishing email leads to healthcare ransomware attack

In this case, attackers started with the exploitation of weaknesses, misconfigurations, and blind spots in the practice’s AD environment.

  • Through a successful phishing email, attackers gained initial access into the healthcare practice’s environment.
  • From there, the attackers made lateral movements, successfully compromising privileged accounts.
  • The threat actors established persistence for administrative access to many of the organization’s critical systems.

By the time the healthcare ransomware attack was discovered, the attackers had used lateral movement and privilege escalation to compromise multiple AD DCs and the enterprise forest and domain. Fortunately, the client had not yet suffered any data exfiltration or significant operational impacts.

We had what we thought to be a thoughtful network implementation. We applied a reasonable effort to bolster security, but there are always things you could do better—and that came back to bite us. We fell victim to a ransomware attack. It was pretty brutal, impacting most of our systems.

CTO, Orthopedic Healthcare Practice

Rapid response, detection, and remediation

The organization turned to Sirius Healthcare, a US integrator of technology-based business solutions, for help with incident response and remediation. Sirius reached out to Semperis for our expertise in defending hybrid and multicloud environments and providing purpose-built AD security solutions.

The team found a DC that was unimpacted by the attack, providing an aid to the recovery effort. Other key recovery aspects included the immediate shutdown of risky access and a thorough analysis and cleansing of the AD. For example, Semperis directed the practice to:

  • Reset the password of its KRBTGT account (the account whose key signs every Kerberos ticket-granting ticket, the three-way trust between user, domain controller, and service that guards the gates to the network)
  • Reset account passwords twice
  • Disable the Print Spooler service on all DCs
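The KRBTGT and Print Spooler steps above, as an added defender-side script rather than code from Semperis or Sirius. It assumes it is run as a Domain Admin from a host with the ActiveDirectory RSAT module and that PowerShell Remoting (WinRM) is reachable on every DC.

```powershell
# Added example, not Semperis' or Sirius' own tooling: apply two of the
# remediation steps from the case study to every DC in the current domain.
# Assumptions: Domain Admin rights, ActiveDirectory RSAT module, WinRM on all DCs.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$dcs    = (Get-ADDomainController -Filter * -Server $pdc).HostName

# A long random password; nobody ever needs to know the KRBTGT password.
function New-RandomPassword {
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# Block until every DC reports the same pwdLastSet for krbtgt as the PDC emulator,
# i.e. the new key has replicated everywhere.
function Wait-KrbtgtReplicated {
    param([string[]]$DCs, [string]$Pdc)
    $ref = (Get-ADUser -Identity krbtgt -Server $Pdc -Properties pwdLastSet).pwdLastSet
    do {
        $lagging = $DCs | Where-Object {
            (Get-ADUser -Identity krbtgt -Server $_ -Properties pwdLastSet).pwdLastSet -ne $ref
        }
        if ($lagging) { Write-Host "Waiting for: $($lagging -join ', ')"; Start-Sleep -Seconds 30 }
    } while ($lagging)
}

# Step 1: reset KRBTGT once on the PDC emulator and wait for convergence.
# The account keeps the current and previous key, so run this script a second
# time only after the maximum TGT lifetime (10 hours by default) has elapsed;
# two back-to-back resets invalidate every outstanding TGT and log users off.
Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword (New-RandomPassword)
Wait-KrbtgtReplicated -DCs $dcs -Pdc $pdc
Write-Host "KRBTGT reset has replicated to $($dcs.Count) DCs."

# Step 2: stop and disable the Print Spooler on every DC (a DC has no need for
# it), then report the resulting state per DC.
Invoke-Command -ComputerName $dcs -ScriptBlock {
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
    $s = Get-Service -Name Spooler
    "{0}: Spooler {1}, startup {2}" -f $env:COMPUTERNAME, $s.Status, $s.StartType
}
```

Resetting administrator account passwords (the second bullet) is left to a separate, supervised step so the operator running this script is not locked out mid-recovery.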

We took a lot of immediate measures to fight the attack, including quarantining affected DCs, shutting down risky access, and finding clean DCs to aid our recovery.

CTO, Orthopedic Healthcare Practice

Defending against future healthcare ransomware attacks

“Once we were back on our feet, we needed to know that the bad guys were out of our environment,” the practice’s Chief Technology Officer (CTO) explained. “At this point, we did not know if we were still compromised. We had to operate under the assumption that they were everywhere, and we had to find them and root them out.”

Sirius and Semperis helped the practice monitor its environment to discern whether any lingering attacker reconnaissance was still taking place. Semperis’ AD-focused security tools, including the Directory Services Protector (DSP) threat detection and response solution, helped the organization gain an accurate and complete picture of the incident and its AD security stance.

The DSP tool delivered as promised, but I think the real value of bringing in Semperis was their people and their deep understanding of and insight into AD and AD-based attacks.

CTO, Orthopedic Healthcare Practice

Now, DSP constantly scans and monitors the orthopedic practice’s IT environment, looking for AD misconfigurations that attackers might exploit to gain access. In addition, DSP tracks changes made to AD and provides the ability to automatically roll back malicious activities, whether attacks by threat actors or innocent mistakes by internal IT team members.

Perhaps the greatest value of DSP is its ability to look at AD in a deeper way than traditional security tools. DSP tracks the AD replication stream, which lets it detect sophisticated and previously invisible attacks such as DCShadow—a late-stage kill chain attack in which attackers with privileged credentials register rogue domain controllers and push changes through replication. With healthcare ransomware attacks on the rise, such preventive steps are vital.

DSP controls are in place to constantly monitor the orthopedic practice’s hybrid AD environment. Indicators of exposure (IOEs) to healthcare ransomware or other attacks, as well as suspicious changes, are flagged for immediate attention.
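A lighter-weight check in the same spirit as the rogue-DC detection described above, written as an added example and not DSP’s own logic: it lists every replication partner registered in the Configuration partition, every computer account carrying the DRS replication SPN, and compares both against the DCs the forest itself reports and against a known-good baseline. It assumes the ActiveDirectory RSAT module, read access to the Configuration partition, and a baseline file path of your choosing.

```powershell
# Added example, not Semperis DSP's own detection: a periodic check for the kind
# of rogue DC registration DCShadow relies on. Assumptions: ActiveDirectory RSAT
# module, read access to CN=Configuration, $BaselinePath captured when clean.
Import-Module ActiveDirectory
$BaselinePath = 'C:\ADBaseline\dc-registrations.json'   # assumed path

$cfg = (Get-ADRootDSE).configurationNamingContext

# 1. Every replication partner has an nTDSDSA ("NTDS Settings") object under
#    CN=Sites; its parent server object references the computer account.
$registered = Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter '(objectClass=nTDSDSA)' |
    ForEach-Object {
        $serverDn = ($_.DistinguishedName -split ',', 2)[1]
        $srv = Get-ADObject -Identity $serverDn -Properties serverReference, dNSHostName
        [pscustomobject]@{ Server = $srv.Name; Host = $srv.dNSHostName; Computer = $srv.serverReference }
    }

# 2. Computer accounts holding the DRS replication SPN (the GUID is the well-known
#    DRS interface class); only genuine DCs should carry it.
$spnHolders = Get-ADComputer -LDAPFilter '(servicePrincipalName=E3514235-4B06-11D1-AB04-00C04FC2DCD2/*)' |
    Select-Object -ExpandProperty DistinguishedName

# 3. What the forest itself says its DCs are, across every domain.
$knownDcs = (Get-ADForest).Domains |
    ForEach-Object { (Get-ADDomainController -Filter * -Server $_).ComputerObjectDN }

$findings = @()
$findings += $registered | Where-Object { $_.Computer -notin $knownDcs } |
    ForEach-Object { "nTDSDSA registered for a non-DC: $($_.Server) ($($_.Computer))" }
$findings += $spnHolders | Where-Object { $_ -notin $knownDcs } |
    ForEach-Object { "DRS replication SPN on a non-DC computer account: $_" }

# 4. Diff against the known-good snapshot; a registration that appears and then
#    vanishes between runs is exactly the trace a DCShadow run leaves behind.
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath | ConvertFrom-Json
    $new = $registered | Where-Object { $_.Server -notin $baseline.Server }
    $findings += $new | ForEach-Object { "New DC registration since baseline: $($_.Server)" }
} else {
    $registered | ConvertTo-Json | Set-Content $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No rogue DC registrations found.' }
```

Schedule it frequently; because DCShadow cleans up after itself, a snapshot taken once a day can miss a registration that lived for minutes, which is why a replication-stream monitor like DSP sees what a point-in-time query cannot.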

“We’ve really started to take things to the next level,” said the CTO. “Now we use DSP to alert us on Group Policy changes. [Group policies, in part, control what users can and cannot do on a computer system.] It has allowed us to implement stronger [internal] change control and improvement processes to prevent rogue IT activities that might be convenient to us but are not secure.”

About Sirius Healthcare (a CDW Company)

At every step of the healthcare continuum, and throughout the entire technology life cycle, Sirius Healthcare provides best-of-breed multivendor technology solutions that help healthcare organizations improve quality of care, control costs, enhance security, comply with regulations and extend reach to communities. Learn more about Sirius Healthcare and call Sirius today at 800-460-1237 to schedule a discussion of your needs.