CSEC 340
Project – Chicago Hospital
Project Description
The 500-bed Chicago Hospital has been hit by a ransomware attack that has encrypted entire hard-drives on computer systems across the network, including patient records and systems running medical equipment such as MRI, CAT and X-ray scanners. The IT staff are not sure what type of ransomware it is. After several unsuccessful attempts to restore the network, and with just two days before the deadline, the hospital has contacted the FBI and Delta Force Security Consultants to help in dealing with the crisis. As the cybersecurity emergency response team from Delta Force, it is your job to come up with a plan of action. Over a period of three days, you will be expected to:
1. Contain and investigate the nature of the attack:
• What is the name of this ransomware?
• Are there any means of circumventing the ransomware?
• Would you advise the hospital to pay the ransom?
• What does USB Rubber Ducky do, and how does it affect your cybersecurity strategy?
• Do you believe Dave? What action would you take against Dave?
• Do you intend to press charges against Adam?
2. Return the hospital to full working order;
3. Propose and outline a cybersecurity framework to protect the hospital from future attacks:
• You may choose a standard cybersecurity framework (e.g., NIST) and adapt it to the context of this case.
4. Propose and outline a series of penetration tests.
Your report will provide a time-line narrative of what you did to contain and investigate the attack, the steps taken to return the hospital to full working order, as well as the steps required to implement a cybersecurity framework within the hospital (i.e., what needs to be done first, second, and so on). The penetration tests you propose should demonstrate how the framework would have prevented the original ransomware attack.
• Due: Sunday Nov 3rd, 11:30 p.m.
• Maximum of five pages
• Font: Calibri, Font Size: 11, Line Space: 1.0
• APA Citation Format
Background
The hospital itself is a six-story building, including a basement level. Most diagnostic departments (X-ray, etc.) are in the basement. Emergency and in-patient consult offices are on the first floor, while in-patient wards are on the second to fourth floors. The fifth (top) floor houses administration and the data center. Access to different parts of the hospital is by card swipe, with a log made of each swipe.
The network has been developed haphazardly over the years. A new fiber-optic backbone network connects each floor. Each department, however, has a range of devices. Some departments have their own file-servers. Some are completely wireless (e.g., the first floor), others completely wired (e.g., the basement), while others are a mix of wired and wireless. There is no backup strategy, and no cybersecurity framework in place, although patient records are encrypted.
The hospital has an IT staff of 10. There is an IT manager (Jennifer), who is effectively the CIO. Two people (Carl and Jim) run the IT Help Desk full time, while six others (Debbie, Jose, Kate, Pete, Sammy, and Vincent) deal with all aspects of the network and data center. Finally, Dave is assigned to cybersecurity and compliance. Because of limited resources, however, most of Dave’s time is split assisting the IT Help Desk or operations.
Morale in the IT department is low. Budget constraints have resulted in no cost of living adjustments for six years in a row. At the end of April, Adam, a CISSP-certified cybersecurity expert, quit after being passed over for promotion. Dave was moved from the IT Help Desk team to take his place, but is not certified.
Day 1
A meeting of all the IT staff is called. They explain what happened. At about 10am on Monday May 8th, a complaint was received by the IT Help Desk from an analyst in the HR department, who said a webpage had appeared on their computer stating all their files had been encrypted. Within a few hours a flood of similar complaints was received from all departments in the hospital. Systems within the datacenter were also being affected, and the IT manager, Jennifer, ordered a shut-down of the entire network. Only a handful of computers remain unaffected. With no back-up procedure in place, all systems are currently unrecoverable. After several unsuccessful attempts to decrypt the machines, the hospital reverts to a back-up, paper-based system in order to keep operating.
After interviewing some of the first people to report the problem, the only consistent report of anything odd happening was that earlier in the day a pop-up kept appearing stating there was some sort of drive problem. Some had reported the problem to the IT Help Desk. Nothing else appeared to happen, until the webpage appeared.
Delta Force begins to scan hard-drives of infected computers to determine the nature of the ransomware. Unplugging one machine from the network, the machine is booted-up and the following pop-up appears:
Every few minutes the pop-up appears again, regardless of which button is clicked. After about an hour, however, an HTML page called “How to decrypt files” is displayed, with the banner ALL YOUR PERSONAL FILES ARE ENCRYPTED, as shown below.
The rest of the page states payment in bitcoins is required, if payment isn’t made within four days the payment will increase by 5 bitcoins, and, after seven days the decryption key will be destroyed permanently, preventing recovery of any files. The ransom is 1.2 bitcoins (approximately $1400). A final warning is then shown stating that any attempt to decrypt files will result in the decryption key being destroyed. With over 100 infected computers, paying the ransom for each machine would cost the hospital $140,000.
Day 2 Notices
The hospital continues to be in disarray. Patients are being redirected to other area hospitals, while all electronic patient records (EPRs) are unavailable because of the attack. The FBI have begun their forensic analysis of computer hard-drives and network logs in an attempt to determine the origins of the attack. A preliminary report is expected at the end of the day. Meanwhile, as you are cleaning one of the computers you find a USB drive with the logo of a duck, as shown below:
One of the FBI agents tells you it’s called a USB Rubber Ducky.
Day 2 FBI Report
As each computer is cleaned, the FBI begins a historical trace of infections, which traces the spread of the attack back to a computer called ITHelpDesk-01. A forensic analysis suggests the ransomware installed itself on the computer at 7:57 pm, on Friday, May 5th. Keycard swipes put Dave as the only person in the vicinity at that time.
On questioning Dave, he initially denies being there, but when video surveillance shows him leaving the building at 8:09 pm, he admits he was there but says he was only browsing job websites. He then remembers he may have clicked on a job announcement sent to him by email, and that might have been how the ransomware was downloaded. He apologized for his stupidity, but reminded the FBI agents he hadn’t had a pay raise for six years, and none of this would have happened if the hospital had given his friend Adam the promotion he deserved, because he was the senior cybersecurity person at the hospital beforehand.
Day 3 Notices
Even with the help of Delta Force and the FBI, the IT staff are struggling to clean the computers in a timely manner. In particular, one of the servers that supported the HR system had its username and password changed recently, and you cannot access the hard-drive for cleaning. The hospital staff are getting nervous and suggest paying the ransom to save the data on the drive.
Furthermore, at about 9:30 am this morning a computer in the accounting department is reinfected with the ransomware. The machine had been cleaned but not re-connected to the network. The accounting clerk using the machine said all they did was back up some files to a USB drive.
Day 3 FBI Report
Adam (a disgruntled ex-employee) has been arrested and charged with orchestrating the attack on the hospital.
Further analysis by the FBI and Delta Force team has discovered that the account used to log in to an IT Help Desk computer and download the malware was not Dave’s account, but an internal hospital account called NaNa, which appears to no longer exist. A forensic examination of Adam’s old workstation showed the NaNa account had been created at 9:04 pm on Sunday, April 2nd. Further analysis showed that at 7:56 pm on Sunday April 30th, two days after Adam quit, someone remotely logged in to the ITHelpDesk-01 machine in the IT department using the NaNa account. The user logged into Gmail, where an email was accessed and an attachment activated that contained the malware. Adam was arrested, and a search of his computer under warrant turned up a copy of the same malware file.
Records show that Adam had spent eight consecutive days (Friday, March 31st to Friday, April 7th) in the hospital battling a malware attack, logging more than 100 hours during that period. Adam received the letter informing him of his denial of promotion on his return to work on Monday, April 10th.
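The Day 2 and Day 3 reports turn on two separate evidence sources: keycard swipes, which show who was physically near a machine, and logon records, which show which account was used and whether the session was local or remote. The following script is an added example (not part of the assignment text or the FBI reports) of how an incident responder would correlate the two into one timeline. The log formats, the door names, the year 2017 and the extra Jennifer/Jim entries are constructed for illustration; the account name NaNa, the host ITHelpDesk-01 and the 7:56 pm remote logon follow the Day 3 report, with Dave's swipe placed shortly before it as in the Day 2 keycard finding.

```python
"""Correlate keycard swipes with logon records around an infection time.

Added example for the Chicago Hospital case study; the log formats and
sample entries below are constructed, not taken from the scenario's logs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed keycard log: timestamp, cardholder, door.
KEYCARD_LOG = """\
2017-04-30 19:50:12,Dave,IT-Dept-Door
2017-04-30 20:09:41,Dave,Main-Exit
2017-05-01 07:58:03,Jennifer,IT-Dept-Door
"""

# Constructed authentication log: timestamp, host, account, logon type.
AUTH_LOG = """\
2017-04-30 19:56:07,ITHelpDesk-01,NaNa,remote
2017-05-01 08:01:15,ITHelpDesk-01,Jim,local
"""


@dataclass(order=True)
class Event:
    when: datetime
    source: str   # "keycard" or "logon"
    who: str      # cardholder or account name
    where: str    # door or host
    detail: str   # "swipe", or the logon type ("local" / "remote")


def parse_keycard(text):
    """Parse constructed keycard lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, person, door = [f.strip() for f in line.split(",")]
        events.append(Event(datetime.strptime(ts, TIME_FMT), "keycard", person, door, "swipe"))
    return events


def parse_auth(text):
    """Parse constructed authentication lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, logon_type = [f.strip() for f in line.split(",")]
        events.append(Event(datetime.strptime(ts, TIME_FMT), "logon", account, host, logon_type))
    return events


def build_timeline(*event_lists):
    """Merge event lists into one chronological timeline."""
    return sorted(e for lst in event_lists for e in lst)


def present_before(timeline, when, window):
    """Cardholders with a swipe in the window ending at `when`."""
    return sorted({e.who for e in timeline
                   if e.source == "keycard" and when - window <= e.when <= when})


def assess(timeline, host, infection_time, window=timedelta(minutes=15)):
    """For each logon to `host` shortly before `infection_time`, report the account,
    the logon type, who was physically nearby, and whether the account name
    matches anyone who was present. A remote logon needs no physical presence,
    so a nearby cardholder is not evidence of who used the account."""
    findings = []
    for e in timeline:
        if e.source != "logon" or e.where != host:
            continue
        if not (infection_time - window <= e.when <= infection_time):
            continue
        present = present_before(timeline, e.when, window)
        findings.append({
            "account": e.who,
            "logon_type": e.detail,
            "minutes_before_infection": (infection_time - e.when).total_seconds() / 60,
            "present": present,
            "account_in_present": e.who in present,
            "presence_required": e.detail == "local",
        })
    return findings


if __name__ == "__main__":
    tl = build_timeline(parse_keycard(KEYCARD_LOG), parse_auth(AUTH_LOG))
    for f in assess(tl, "ITHelpDesk-01", datetime(2017, 4, 30, 19, 57, 0)):
        print(f)
```

Run against the constructed entries, the only logon in the window is the remote NaNa session, with Dave the only cardholder nearby. Because the logon is remote, the finding marks physical presence as not required, which is exactly why the keycard evidence from Day 2 cannot on its own attribute the logon to Dave.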