Early this year, when an executive at a hospital called our Incident Response (IR) team, he had yet to realize that his organization was confronting an active ransomware attack. Symantec Endpoint Protection (SEP) and his internal team had flagged as suspicious some data bearing a four-letter file name, he explained, and multiple attempts to scrub it had failed.
He told me the file name and my heart sank. Less than a week earlier, I’d seen a half-dozen companies in different industries fall victim to ransomware files consisting of the same four letters. In this instance, however—and in large part because the executive reached out to our incident response team right away—we succeeded in thwarting the attack while it was underway.
I advised a temporary Internet shutdown and deployed Symantec Endpoint Protection 15 to locate the threat actors’ command and control servers. They were unknown ransomware actors, operating out of South America, and we had them roped off before they could access or encrypt any of the hospital’s files or backups. Had the executive hesitated in alerting us, the consequences for his company might have been devastating, especially since ransomware is considered a HIPAA violation and companies are fined heavily for such violations.