
Sky Lakes Medical: A First-Hand Look at Fall Ransomware Attack, Recovery

Sky Lakes Medical Center was among the dozen healthcare providers caught up in the wave of ransomware attacks last fall. Its analyst shares a first-hand account of the incident and recovery.


By Jessica Davis

The FBI began investigating a wave of targeted ransomware attacks against at least a dozen US hospitals, health systems, and healthcare providers in October 2020. Sky Lakes Medical Center in Oregon was among the victims driven into EHR downtime procedures.

The attack against Sky Lakes Medical was claimed by Ryuk ransomware threat actors: a group notorious for effectively and continuously evolving their attack methods to ensure the greatest impact.

The same group was behind the massive attack on Universal Health Services, which struck around the same time as the Sky Lakes Medical incident.

From worming capabilities to exploiting exposed remote desktop protocol (RDP) services, Ryuk is among the most destructive ransomware variants and has relentlessly targeted healthcare providers throughout the pandemic.

The Sky Lakes Medical incident lasted for more than three weeks, as the attack led the provider to upgrade its enterprise systems, including 2,000 computers, to ensure the hardware was clean and the software up to date.


As the healthcare sector and other critical infrastructure entities are again in the middle of a surge of cyberattacks, understanding the severity and long-lasting impact of ransomware on healthcare networks is crucial to finally thwarting attackers.

In a rare move, Sky Lakes Medical Network Systems Analyst Sam Stewart recently shared a first-hand account of the Fall 2020 cyberattack and the subsequent recovery efforts, which allowed the provider to get back online more efficiently than other entities impacted during the same timeframe.

“Being at the forefront of a ransomware attack is never a good thing, but we learned a great deal and are happy to be on the other side of it, sharing what we've learned with others and hopefully helping them understand just how real these risks are,” said Stewart.

What Happened?

On October 26, 2020, an employee opened an email and clicked a link to Google Drive and downloaded a file the individual thought was related to a company bonus, as they were coming to the end of their employment with Sky Lakes, explained Stewart.


In doing so, the PC “blipped,” leading the employee to restart the computer. However, the incident was not reported to the security department, and Sky Lakes did not learn about it until follow-up conversations with the employee at a later date.


Instead, the incident was discovered by the after-hours support team, after they received a phone call that the IT systems and computers were running slowly. Other systems were completely offline.

“It was at that point that we first discovered the first instances of the Ryuk ransomware on various servers and PCs,” said Stewart. “Unfortunately, we were in the middle of rolling out a new endpoint protection service that wasn't quite configured properly to isolate PCs when compromised incidents such as this are detected.” 

Within a day, the leadership team advised the workforce to shut down all PCs and servers, about 2,500 devices and more than 600 servers, to limit the spread, if possible. Stewart explained that by that time, the entire organization was operating in full EHR downtime mode.


All business and clinical applications were also offline. Stewart explained that once ransomware was confirmed as the culprit, the team contacted Sky Lakes Medical’s insurance company to engage a third-party team.

Stewart’s team also contacted Cisco Talos through a relationship with Cisco. 

“Both Talos and Kivu Consulting were brought in to assist with analysis and recovery efforts,” he explained. “At no point during our recovery were the threat actors contacted to negotiate the ransom.”

“Our leadership made it clear from the beginning that we had no intention of paying the ransom and funding their efforts further,” Stewart added.

Recovery Efforts

As recommended by security leaders, the Department of Health and Human Services, and other industry stakeholders, a crucial part of responding to ransomware is an established, well-practiced disaster recovery plan.

Sky Lakes Medical heeded those recommendations and had previously established downtime procedures. Stewart explained it was those policies that made a huge difference in how the care team was able to maintain patient care during the attack, network outage, and recovery.

“During the entire process we found a few lapses in our communication lines and have since made necessary adjustments, but otherwise everyone knew where to get information when needed,” said Stewart.

“We had granular backups of our file servers as well as our Active Directory, which allowed us to recover those quicker,” he added. “We perform regular pen tests via third-party vendors and security audits. These help identify gaps and take action when needed.” 

Sky Lakes Medical had also previously enrolled in cyber-protection coverage under its insurance policy, which brought in the outside security team to help with the response. In addition, its previously implemented security tooling provided visibility into specific events and devices.

“While we ultimately didn't have everything deployed that we wanted, this at least helped us with the initial analysis and discovery,” he added.

Overall, the success of its recovery efforts and ability to maintain effective, safe patient care was largely attributed to the workforce in the IT department and throughout the hospital, Stewart explained.

Some staff members stepped up to perform roles outside of their job description, including supporting the installation of new PCs and hand-delivering downtime information throughout the departments, all with patience and understanding, Stewart mused.

In terms of technology, the success and speed of systems recovery was attributed to immutable backups that were not impacted by the ransomware. These allowed the IT team to identify a point in time to which the systems could be recovered from “clean backups.”

As a result, system recovery efforts began almost immediately after the attack was discovered. The immutable backups in use at Sky Lakes Medical are provided by Cohesity and run on Cisco hardware.

Backup solutions are also offered by a number of other security companies, such as Barracuda, Commvault, Druva, and Arcserve, just to name a few.

Lessons Learned

The ransomware incident and recovery process highlighted several lessons and elements for Stewart’s team to build upon. One was the realization that the backups weren’t configured to the precise setup the team would have liked, which caused a slight delay in how quickly those systems were recovered.

But in the end, the backup solution performed as it should and allowed Sky Lakes Medical to “stand everything back up in a timely manner and restore access to our clinical applications.”

To Stewart, a good backup solution is crucial within the healthcare environment. Those backups and the recovery process should be routinely tested to ensure the copies are valid.
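The two backup practices the article credits, choosing a restore point from before the compromise and testing that a restore actually reproduces what was backed up, can be exercised against a snapshot catalogue. The following is an added illustration, not Sky Lakes' or Cohesity's code: the snapshot manifests and file contents are constructed sample data, and the 26 Oct 2020 cutoff time is an assumed value for the known compromise date.

```python
import hashlib
from datetime import datetime
from typing import Dict, Optional

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_ts(ts: str) -> datetime:
    # Snapshot timestamps are UTC strings such as 2020-10-25T02:00:00Z.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

# Constructed sample data, not the hospital's files: the bytes each file held
# when a snapshot was taken. A real catalogue stores only the per-file hashes.
CLEAN_FILES = {"etc/app.conf": b"db=prod\n", "data/records.db": b"row1\nrow2\n"}
ENCRYPTED_FILES = {"etc/app.conf": b"\x8a\x1f\x02\x77\x10", "data/records.db": b"\x00\x99\x42\x10\x33"}

# One hash manifest per immutable snapshot. The last snapshot was written after
# the (assumed) 26 Oct compromise and already captured encrypted files.
SNAPSHOTS: Dict[str, Dict[str, str]] = {
    "2020-10-24T02:00:00Z": {p: sha256(b) for p, b in CLEAN_FILES.items()},
    "2020-10-25T02:00:00Z": {p: sha256(b) for p, b in CLEAN_FILES.items()},
    "2020-10-27T02:00:00Z": {p: sha256(b) for p, b in ENCRYPTED_FILES.items()},
}

def latest_snapshot_before(snapshots: Dict[str, Dict[str, str]], compromise_ts: str) -> Optional[str]:
    """Newest snapshot taken strictly before the known compromise time, or None."""
    cutoff = parse_ts(compromise_ts)
    candidates = [ts for ts in snapshots if parse_ts(ts) < cutoff]
    return max(candidates, key=parse_ts) if candidates else None

def verify_restore(manifest: Dict[str, str], restored: Dict[str, bytes]) -> Dict[str, str]:
    """Test a restore against the snapshot manifest.

    Returns {path: problem}, where problem is 'missing' or 'hash mismatch';
    an empty dict means every file came back byte-for-byte as recorded.
    """
    problems = {}
    for path, expected in manifest.items():
        if path not in restored:
            problems[path] = "missing"
        elif sha256(restored[path]) != expected:
            problems[path] = "hash mismatch"
    return problems

if __name__ == "__main__":
    point = latest_snapshot_before(SNAPSHOTS, "2020-10-26T00:00:00Z")
    print("restore point:", point)
    print("clean restore problems:", verify_restore(SNAPSHOTS[point], CLEAN_FILES))
    print("encrypted restore problems:", verify_restore(SNAPSHOTS[point], ENCRYPTED_FILES))
```

Running the verification on a schedule, against a real restore rather than the catalogue alone, is what turns "we have backups" into "we know the copies are valid."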

“I think the biggest thing we took away from all of this is security and data protection, specifically cybersecurity, has to be at the forefront of everything we do,” said Stewart. “Any new project or application that gets started has to have security as a top priority.”

“If you're thinking about implementing better firewall policies, stricter email processes, or anything in that same vein, don't hesitate and start that work now,” he added. “The longer you wait to implement some of that, the greater your risk is of being compromised.”

Though Stewart would not wish the event on anyone, except perhaps the threat actors, the team is grateful for the lessons imparted by the cyberattack and outages. The incident has provided the means to strengthen the overall cybersecurity posture and prevent further attacks, including by completing a few long-pending projects.