Bitcoin Ransomware – How to Respond After a Breach

Just picture you are a physician and own a practice you built from the ground up. One day when attempting to log into your computer system, which houses various documents ranging from financials to client information regulated by HIPPA, you are unable to access your files and it appears as though there is an extension added. You reach out to the third party individual who runs your IT to help fix the issue. After about an hour of nervous anticipation and mounting appointment cancellations, you get a call back from the IT individual. The call goes something like this, “I tried to investigate and troubleshoot, but was not able to resolve the issue. Your system seems to be completely encrypted. I think you may have been breached.” Your mind starts to race with a thousand different thoughts and questions, but the one which makes it out of your mouth is, ‘What do we do next?’

Capsicum deals with ransomware cases just like this. This specific case began with a bad actor (hacker) encrypting a physician’s database and requesting $10,000+ in Bitcoin to provide the decryption keys. The attorney for the victim (a victim’s insurance company can contact as well) contacted Capsicum and we began to set the strategy on how to approach this breach. Considerations included, identifying backups, communicating with the bad actor, requesting approval from the insurance company, purchasing of cryptocurrency, incident response to include assessment of the potential damages, and securing the system. Fortunately, many victims have insurance covering such breaches, as was the case for the physician, but it would not be as simple as just paying the bad actor and having the ransomware disappear.

After the approval of the insurance company to pay the ransom, Capsicum acquired the Bitcoin. While there are several methods of acquisition (some being faster than others), this is generally a several day process which includes creating accounts, transferring funds, and receiving approvals (from the exchange you are using) to transfer such funds. During this time, there is an opportunity to “test” that the bad actor will be able to decrypt one of the victim’s encrypted files. This sign of “good faith” by the bad actor brought some assurance that decryption could be attained. At this point in the process communication is key, making sure that all parties (attorneys, clients, insurance providers, bad actors, and others) are in the loop and appropriate expectations set. One of the biggest expectations to set is the fact that there are no guarantees! After all we are dealing with criminals.

Once the Bitcoin cleared the approval process, the transfer was made to the bad actor. Next the bad actor sent instructions about scanning the encrypted files and reporting the results. Ultimately (and hopefully) the bad actor will produce the decryption keys. Next was confirming the decryption keys worked. Fortunately, we were dealing with an honest criminal and the bad actor kept their word. The keys worked and the decryption process went smoothly.

Further risk analysis was undertaken upon decryption and it was determined that some elements of the data had been compromised. This evidence of exfiltration required a report documenting what took place within the database due to the fact it had elements of HIPPA data. Capsicum provided additional security recommendations/practices to prevent future loss, which were adopted by the physician. As well we made a copy of the environment, performed security enhancements and are now monitoring the security of the environment. While ideally no data would have been compromised, an overwhelming majority of the data was preserved.

While this process may seem as though it should be quick and easy, it is important to keep in mind that this process can take several days if not weeks. There are numerous intricate details to each step and we at Capsicum are more than happy to explain in further detail, just give us a call.

At the end of the day we understand that not all cyber-attacks can be avoided, but it is imperative that the correct actions are taken in advance to mitigate risk.