Maybe this story is familiar to you (or, more likely, to someone on your team)…
I was working with a hospital IT department to clean up a ransomware event a couple of years ago that left 237 computers and 23 servers completely infected by the WannaCry virus.
The cleanup was difficult—it took nearly a month to prove to the EHR (electronic health record) vendor that everything on the hospital end was clean before they would reopen the connection to their cloud platform. The hospital was working with paper charts for nearly a month! They were not able to view or evaluate a full medical record for 30 days, meaning doctors and nurses were working—in some cases—with missing information.
I don’t want to dwell on all of the implications of this specific ransomware attack. What I want to talk about today is that this specific ransomware attack is like many others I’ve seen recently. This particular attack was rooted in one technician misidentifying the problem and opening up the entire network to a full-blown ransomware attack.
The 237-computer infection started with just one. One user called the IT department complaining about a virus on their machine.
IT sent one of their technicians down to remove the virus (what seemed like a simple open and shut case).
When the tech got to the infected workstation, he logged in with his admin credentials and removed the virus. I’ve seen techs at my MSP do this countless times (back when I ran an MSP). They had documentation on how to remove the virus and ended up getting rid of what probably everyone in that IT department regarded as a harmless infection.
The tech at the hospital proceeded to log off the machine and went about his routine.
Within the hour, others were calling to complain about viruses on their machines. Dozens of reports of virus infections popped up. At the time, one of my clients contracted services with this hospital, and we started seeing indications of an infection from the hospital network at our client’s firewall.
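The step that turned one infected workstation into a network-wide incident was a privileged account signing in interactively on a machine a user had just reported as infected. That is something a SOC can alert on. The following is an added example (not code from the original post) of the detection logic run over constructed Windows Security log records: it flags event 4624 logons at the console (logon type 2) or over RDP (logon type 10) by an account in an assumed privileged-account set, when the target host is a workstation or has an open malware ticket. The account names, the host naming convention (WS- for workstations, SRV- for servers), the suspected-infected list and the key=value log format are all assumptions made for the example.

```python
"""Flag privileged-account interactive logons on suspect endpoints.

Added example, not code from the original post. Scans constructed Windows
Security log records (event 4624, successful logon) and raises a finding
when an assumed privileged account logs on interactively to a workstation
or to a host that already has an open malware ticket.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed admin accounts; in practice fed from AD group membership.
PRIVILEGED_ACCOUNTS = {"ITADMIN", "HELPDESK-ADM"}
# Assumed hosts with an open "virus on my machine" ticket, fed from the ticketing system.
SUSPECTED_INFECTED = {"WS-RADIOLOGY-07"}
# Logon types that place the account's credential material on the host:
# 2 = console (Interactive), 10 = RDP (RemoteInteractive). Type 3 (Network) does not.
INTERACTIVE_LOGON_TYPES = {"2", "10"}

# Constructed sample export: one event per line as key=value pairs.
SAMPLE_LOG = """\
time=2024-03-04T09:12:01 event=4624 user=jsmith domain=HOSP host=WS-RADIOLOGY-07 logon_type=2
time=2024-03-04T09:40:22 event=4624 user=ITADMIN domain=HOSP host=WS-RADIOLOGY-07 logon_type=2
time=2024-03-04T09:41:05 event=4624 user=ITADMIN domain=HOSP host=SRV-EHR-01 logon_type=3
time=2024-03-04T10:05:44 event=4624 user=HELPDESK-ADM domain=HOSP host=WS-PHARMACY-02 logon_type=10
time=2024-03-04T10:06:10 event=4634 user=ITADMIN domain=HOSP host=WS-RADIOLOGY-07 logon_type=2
time=2024-03-04T10:20:00 event=4624 user=ITADMIN domain=HOSP host=SRV-FILE-02 logon_type=2
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    time: str
    user: str
    host: str
    logon_type: str
    reason: str


def parse_record(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict; an empty or malformed line gives {}."""
    return dict(KV_RE.findall(line))


def is_workstation(host: str) -> bool:
    """Assumed naming convention: workstations are prefixed WS-, servers SRV-."""
    return host.upper().startswith("WS-")


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return the finding reason for one record, or None if it is not risky."""
    if rec.get("event") != "4624":
        return None  # only successful logons matter here
    if rec.get("logon_type") not in INTERACTIVE_LOGON_TYPES:
        return None  # network logons (type 3) do not cache credentials on the host
    if rec.get("user", "").upper() not in PRIVILEGED_ACCOUNTS:
        return None
    host = rec.get("host", "").upper()
    if host in SUSPECTED_INFECTED:
        return "privileged interactive logon to a host with an open malware ticket"
    if is_workstation(host):
        return "privileged interactive logon to a workstation"
    return None  # admin console logon to a server is routine and not flagged


def find_risky_admin_logons(log_text: str) -> List[Finding]:
    """Run the classifier over every line of a key=value log export."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        reason = classify(rec)
        if reason:
            findings.append(
                Finding(rec["time"], rec["user"], rec["host"], rec["logon_type"], reason)
            )
    return findings


if __name__ == "__main__":
    for f in find_risky_admin_logons(SAMPLE_LOG):
        print(f"{f.time} {f.user}@{f.host} logon_type={f.logon_type}: {f.reason}")
```

On the sample data the second line is the hospital scenario: ITADMIN at the console of WS-RADIOLOGY-07 while that host has an open virus ticket. The type 3 logon to the EHR server and the console logon to a file server are not flagged, because neither is the pattern the story warns about. Wiring the suspected-infected set to the ticketing system is what makes the rule actionable: the alert fires at the moment the tech sits down, not after the rest of the network is calling.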
When my team first alerted the hospital, they assured us that everything was being handled.
After nearly 3 days of a complete computer system shutdown, I got a call on the phone in my office that only rings in emergencies. It was the IT director—he had given up. Every computer and server connected to the network had been infected with WannaCry at that point.
And when we dug into the forensics, we were able to trace it—as you are probably thinking—back to that very first virus call.
When I work with MSPs and IT departments on remediation of infected networks, there are a lot of steps that go undocumented.
When viruses pop up on a network—likely because of user error—it’s often hard to distinguish what will proliferate into a major ransomware attack from what might just be a harmless worm. At face value, a lot of ransomware attacks appear to be relatively benign.
That is what I want you to get your techs to think about.
My big challenge for all of you technicians (and MSP owners) is to figure out a strategy to remove viruses WITHOUT putting your network at risk.
(Hint: I will be covering this topic in detail this week in our Security Operations call.)
But I want you to really think about how to communicate, document and practice virus removal steps that will eliminate—or at least reduce—the risk you or someone on your team may bring when removing viruses from computers on your network or one of your client-supported networks.
My story about that hospital is getting far too common now. I refer to this story often in my presentations and what’s surprised me is how many others have experienced the very same thing within their MSPs.
Come up with a strategy now and get your team on board with it. That way, when a harmless-looking virus rears its head for one of your techs to handle, they’ll recognize the risks in dealing with it and understand why it’s important to take the necessary precautions.
Let’s all be safe out there!