Estes Park Health (EPH), located in Colorado, was hit by a ransomware attack that encrypted files extensively across its network.
EPH discovered the ransomware attack on June 2, 2019, when employees noticed and reported unusual behavior on their computers. An IT professional signed into the system and observed the same issues, caused by the ransomware's system-wide file encryption. An Estes Park Trail Gazette report stated that EPH's Chief Information Officer, Gary Hall, identified the ransomware as it was encrypting files and taking control of the applications installed on his computer.
The IT team responded to the breach quickly and locked down systems, but the system-wide file encryption could not be stopped. Various software applications were taken offline, including the program used in the clinic and the digital imaging application used to store all X-rays and other medical images. The ransomware attack also knocked out the network and the telephone system.
EPH directed its incident response center to operate under emergency procedures while its computer system was down. EPH runs software that continuously monitors the network and flags any attempt to exfiltrate data. From the start of the attack until access was cut off, the event logs recorded no attempt at data exfiltration. EPH is therefore confident that the attackers' aim was to block access to crucial files in order to extort money from the organization.
EPH has a cybersecurity insurance policy that covers this sort of attack. EPH hired a cybersecurity firm referred by the insurance provider, and that firm assisted with file recovery and response management.
The cybersecurity firm got in touch with the attackers and paid the ransom. EPH obtained the file decryption keys but soon discovered that they did not decrypt all of the locked files. EPH therefore paid a second ransom and received the keys needed to decrypt the remaining files.
The amount of ransom paid has not been disclosed. EPH must pay a $10,000 deductible. Investigators are continuing their efforts to determine how the attackers gained access to the network.