It took just three hours for a ransomware attacker to shut down 100 percent of an aged care company’s core systems, according to Daniel Smith, CISO at Hearing Australia.
Smith spoke at Gartner’s Security and Risk Management Summit in Sydney today, describing the experience of lending his expertise to an unnamed organisation in aged care that was the target of a cyber attack.
According to Smith, it took just three hours from the first alert that ransomware had been detected in the company's systems to the "worst-case scenario" in which 100 percent of its systems were non-functional.
Timeline of the attack:
6:00 am: Threat detected
6:30 am: File encryption found
7:00 am: Ransom note found
7:10 am: Emergency response team meeting
7:33 am: First communication to staff about the system outage: remote desktop environments unavailable
8:30 am: Second communication to staff about the system outage: communication platforms shut off
9:30 am: Catastrophic failure: complete system shutdown, nothing usable except Microsoft 365
12:00 pm: Malware identified as REvil ransomware
“It's the phone call that no CIO wants to receive. It's certainly the phone call that no CIO wants to make to a CEO,” Smith said, of the conversation between the IT team and the CIO when the cyber threat was first detected.
The threat identification phase lasted for the first two days, during which only the most basic network services were available to the business. Smith said the key actions taken were to notify both state and federal authorities, isolate the network, notify stakeholders, contact security partners, consulting services and integration services, and reset passwords and keys.
Days three and four saw the business enter the triage stage and start the endpoint detection and response (EDR) investigation. It was during this time that the organisation realised the attacker still retained a foothold within its environment, so the earlier isolation and credential resets had not ended the intrusion.
It took six days before the threat was contained, and by day nine the business could commence the recovery phase. Recovery, in this case, spanned weeks, months and even up to a year, Smith said.
“Building and restoring systems took a week, the directory deep clean took weeks, the insurance and the legal works took months, [engaging] stakeholders and partners took weeks,” he said.
To complete the catalogue of the data and prepare notices took over a year.
For businesses to be prepared in the face of an attack, Smith recommended a few key actions to build cyber resilience:
- Deploy multi-factor authentication
- Determine the board and executive position on paying a ransom
- Undertake fire drills
- Create a data catalogue