A Textbook Example As To Why You Need To Defend Yourself Against Cyber Threats – Part II

Earlier today I wrote about a company whose less than optimal response to a cyber attack left three hundred people out of work. Now I am going to bring you a story from Brian Krebs about another cyber attack and how it was badly handled:

In mid-November 2019, Wisconsin-based Virtual Care Provider Inc. (VCPI) was hit by the Ryuk ransomware strain. VCPI manages the IT systems for some 110 clients that serve approximately 2,400 nursing homes in 45 U.S. states. VCPI declined to pay the multi-million dollar ransom demanded by their extortionists, and the attack cut off many of those elder care facilities from their patient records, email and telephone service for days or weeks while VCPI rebuilt its network.

Just hours after that story was published, VCPI chief executive and owner Karen Christianson reached out to say she hoped I would write a follow-up piece about how they recovered from the incident. My reply was that I’d consider doing so if there was something in their experience that I thought others could learn from their handling of the incident.

I had no inkling at the time of how much I would learn in the days ahead.

Now I will stop here. Clearly this CEO thought that they were going to recover their IT systems, get up and running in glorious fashion, and show the world how brilliant they were, attracting all sorts of positive press in the process. Except that didn’t happen. It quickly became evident that the company had been compromised far more deeply than it realized. Here’s an example:

On December 3, I contacted Christianson to schedule a follow-up interview for the next day. On the morning of Dec. 4 (less than two hours before my scheduled call with VCPI and more than two weeks after the start of their ransomware attack) I heard via email from someone claiming to be part of the criminal group that launched the Ryuk ransomware inside VCPI.

That email was unsettling because its timing suggested that whoever sent it somehow knew I was going to speak with VCPI later that day. This person said they wanted me to reiterate a message they’d just sent to the owner of VCPI stating that their offer of a greatly reduced price for a digital key needed to unlock servers and workstations seized by the malware would expire soon if the company continued to ignore them.

“Maybe you chat to them lets see if that works,” the email suggested.

The anonymous individual behind that communication declined to provide proof that they were part of the group that held VCPI’s network for ransom, and after an increasingly combative and personally threatening exchange of messages soon stopped responding to requests for more information.

You can read the rest of the story for all the details. But what was clear was that the company had actually been pwned some 14 months earlier, and that it had been the victim of password theft. That is how the hackers were able to intercept these emails: they were still on the network.


The take home messages are as follows:

  1. When it comes to cybersecurity, start from the premise that the hackers are already in. That was the case here, and it is the case in many cyberattacks. From there you can figure out how they got in, what they have touched, and how to get them out and keep them out. And you should do that long before something really bad happens.
  2. Assume all passwords are compromised, not just endpoint/domain credentials. This may mean resetting credentials and adding two factor authentication across hundreds or thousands of endpoints and servers. But doing that is better than getting pwned again.
  3. If you get pwned, get professional help. FireEye / Mandiant is who I would recommend. They aren’t cheap, but they have a proven track record of responding to incidents like this.
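As an added example of how to act on points 1 and 2 together (this is my own illustration, not code from the post, from Krebs’s reporting or from VCPI): given an export of accounts with the date each password was last set and whether MFA is enrolled, flag every credential the intruder could have captured. The key decision is the cutoff date. It is not when the intrusion began but when you are confident the attacker was evicted; anything set before that moment was exposed to someone who was still inside. The CSV columns, account names and eviction date below are constructed placeholders, not VCPI data.

```python
"""Credential-compromise triage after an intrusion (added example, not from the post).

Assumes a constructed CSV export of accounts; the column names and the
eviction date are hypothetical placeholders, not anything VCPI used.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample export. In practice this would come from a directory dump
# (e.g. pwdLastSet) joined with the MFA enrolment list from the identity provider.
SAMPLE_EXPORT = """\
account,password_last_set,mfa_enrolled,privileged
j.doe,2019-12-05,true,false
svc_backup,2018-03-12,false,true
k.lee,2019-06-01,false,false
domain_admin,2018-09-30,false,true
"""

# Hypothetical date on which the rebuilt network was declared attacker-free.
# Every credential set before this moment was exposed to the intruder and is
# presumed stolen, regardless of when the intrusion itself began.
EVICTION_DATE = datetime(2019, 12, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:
    account: str
    privileged: bool
    reasons: tuple


def _flag(value: str) -> bool:
    return value.strip().lower() in ("true", "1", "yes")


def parse_export(text: str) -> list:
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": row["account"].strip(),
            "password_last_set": datetime.strptime(
                row["password_last_set"].strip(), "%Y-%m-%d"
            ).replace(tzinfo=timezone.utc),
            "mfa_enrolled": _flag(row["mfa_enrolled"]),
            "privileged": _flag(row["privileged"]),
        })
    return rows


def triage(rows: list, eviction: datetime) -> list:
    """Return accounts that still need action, privileged ones first.

    A password is treated as compromised if it was set at or before the
    eviction date: the attacker could have captured it at any point while
    still inside. Accounts without MFA are flagged because a stolen password
    alone should not be enough to get back in.
    """
    findings = []
    for r in rows:
        reasons = []
        if r["password_last_set"] <= eviction:
            reasons.append("password not rotated since eviction")
        if not r["mfa_enrolled"]:
            reasons.append("no MFA")
        if reasons:
            findings.append(Finding(r["account"], r["privileged"], tuple(reasons)))
    # Privileged accounts first, then alphabetical, so the reset queue is ordered by risk.
    findings.sort(key=lambda f: (not f.privileged, f.account))
    return findings


def run_example() -> list:
    """Run the triage over the constructed export with the hypothetical eviction date."""
    return triage(parse_export(SAMPLE_EXPORT), EVICTION_DATE)


if __name__ == "__main__":
    for f in run_example():
        tag = "PRIV" if f.privileged else "user"
        print(f"[{tag}] {f.account}: {', '.join(f.reasons)}")
```

Note that `domain_admin` is flagged even though its password was changed after the intrusion is believed to have started: a rotation performed while the attacker still had a foothold buys nothing, which is exactly why the cutoff is the eviction date and not the first sign of compromise. Service accounts (`svc_backup` here) are the ones most often skipped in a mass reset because nobody remembers where the password is hard-coded, and they are also the ones an intruder quietly keeps using.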

The bottom line is that cybersecurity isn’t to be taken lightly. You need to do everything possible to defend yourself. Otherwise, bad things will happen to you.
