Project Description
The 500-bed Chicago Hospital has been hit by a ransomware attack that has encrypted entire
hard-drives on computer systems across the network, including patient records and systems
running medical equipment such as MRI, CAT and X-ray scanners. The IT staff are not sure
what type of ransomware it is. After several unsuccessful attempts to restore the network,
and with just two days before the deadline, the hospital has contacted the FBI and Delta Force
Security Consultants, to help in dealing with the crisis. As the cybersecurity emergency
response team from Delta Force, it is your job to come up with a plan of action. Over a period
of three days, you will be expected to:
1. Contain and investigate the nature of the attack:
• What is the name of this ransomware?
• Are there any means of circumventing the ransomware?
• Would you advise the hospital to pay the ransom?
• What does USB Rubber Ducky do, and how does it affect your
cybersecurity strategy?
• Do you believe Dave? What action would you take against Dave?
• Do you intend to press charges against Adam?
2. Return the hospital to full working order;
3. Propose and outline a cybersecurity framework to protect the hospital from
future attacks:
• You may choose a standard cybersecurity framework (i.e. NIST) and
adapt it to the context of this case.
4. Propose and outline a series of penetration tests.
Your report will provide a time-line narrative of what you did to contain and investigate the
attack, the steps taken to return the hospital to full working order, as well as the steps
required to implement a cybersecurity framework within the hospital (i.e., what needs to be
done first, second, etc., etc.). The penetration tests you propose should demonstrate how
the framework would have prevented the original ransomware attack.
• Due: Sunday March 6th, 11:30 p.m.
• Maximum of five pages
• Font: Calibri, Font Size: 11, Line Space: 1.0
• APA Citation Format
CSEC 340
Project – Chicago Hospital
Background
The hospital itself is a six-story building, including a basement level. Most diagnostic
departments (X-ray, etc.) are in the basement. Emergency, and in-patient consult offices are
on the first floor, while in-patient wards are on the second to fourth floors. The fifth (top)
floor houses administration and the data center. Access to different parts of the hospital is
by card swipe, with logs made of each swipe.
The network has been developed haphazardly over the years. A new fiber-optic backbone
network connects each floor. Each department, however, has a range of devices. Some
departments have their own file-servers. Some are completely wireless (e.g., the first floor),
others completely wired (e.g., the basement), while others are a mix of wired and wireless.
There is no backup strategy, and no cybersecurity framework in place, although patient
records are encrypted.
The hospital has an IT staff of 10. There is an IT manager (Jennifer), who is effectively the CIO.
Two people (Carl and Jim) run the IT Help Desk full time, while six others (Debbie, Jose, Kate,
Pete, Sammy, and Vincent) deal with all aspects of the network and data center. Finally, Dave
is assigned to cybersecurity and compliance. Because of limited resources, however, most of
Dave’s time is split assisting the IT Help Desk or operations.
Morale in the IT department is low. Budget constraints have resulted in no cost of living
adjustments for six years in a row. At the end of April, Adam, a CISSP-certified cybersecurity
expert, quit after being passed over for promotion. Dave was moved from the IT Help Desk
team to take his place, but is not certified.
Day 1
A meeting of all the IT staff is called. They explain what happened. At about 10am on Monday
May 8th, a complaint was received by the IT Help Desk by an analyst in the HR department
that said a webpage had appeared on their computer stating all their files had been
encrypted. Within a few hours a flood of similar complaints was received from all
departments in the hospital. Systems within the datacenter were also being affected, and the
IT manager, Jennifer, ordered a shut-down of the entire network. Only a handful of
computers remain unaffected. With no back-up procedure in place, all systems are currently
unrecoverable. After several unsuccessful attempts to decrypt the machines, the hospital
reverts to a back-up, paper-based system in order to keep operating.
After interviewing some of the first people to report the problem, the only consistent report
of anything odd happening was that earlier in the day a pop-up kept appearing stating there
was some sort of drive problem. Some had reported the problem to the IT Help Desk. Nothing
else appeared to happen, until the webpage appeared.
Delta Force begins to scan hard-drives of infected computers to determine the nature of the
ransomware. Unplugging one machine from the network, the machine is booted-up and the
following pop-up appears:
Every few minutes the pop-up appears again, regardless of which button is clicked. After
about an hour, however, a HTML page called “How to decrypt files” is displayed, with the
banner ALL YOUR PERSONAL FILES ARE ENCRYPTED, as shown below:
The rest of the page states payment in bitcoins is required, if payment isn’t made within four
days the payment will increase by 5 bitcoins, and, after seven days the decryption key will be
destroyed permanently, preventing recovery of any files. The ransom is 1.2 bitcoins
(approximately $1400). A final warning is then shown stating that any attempt to decrypt files
will result in the decryption key being destroyed. With over 100 infected computers, paying
the ransom for each machine would cost the hospital $140,000.
Day 2 Notices
The hospital continues to be in disarray. Patients are being redirected to other area hospitals,
while all electronic patient records (EPRs) are unavailable because of the attack. The FBI have
begun their forensic analysis of computer hard-drives and network logs in an attempt to
determine the origins of the attack. A preliminary report is expected at the end of the day.
Meanwhile, as you are cleaning one of the computers you find a USB drive with the logo of a
duck, as shown below:
One of the FBI agents tells you it’s called a USB Rubber Ducky.
Day 2 FBI Report
As each computer is cleaned, the FBI begins an historical trace of infections, which traces the
spread of the attack back to a computer called ITHelpDesk-01. A forensic analysis suggests
the ransomware installed itself on the computer at 7:57 pm, on Friday, May 5th. Keycard
swipes put Dave as the only person in the vicinity at that time.
On questioning Dave, he initially denies being there, but when video surveillance shows him
leaving the building at 8:09 pm, he admits he was there but says he was only browsing job
websites. He then remembers he may have clicked on a job announcement sent to him by
email, and that might have been how the ransomware was downloaded. He apologized for
his stupidity, but reminded the FBI agents he hadn’t had a pay raise for six years, and none of
this would have happened if the hospital had given his friend Adam the promotion he
deserved, because he was the senior cybersecurity person at the hospital beforehand.
Day 3 Notices
Even with the help of Delta Force and the FBI, the IT staff are struggling to clean the
computers in a timely manner. In particular, one of the servers that supported the HR system
had its username and password changed recently, and you cannot access the hard-drive for
cleaning. The hospital staff are getting nervous and suggest paying the ransom to save the
data on the drive.
Furthermore, at about 9:30 am this morning a computer in the accounting department is re-
infected with the ransomware. The machine had been cleaned but not re-connected to the
network. The accounting clerk using the machine said all they did was back up some files to
a USB drive.
Day 3 FBI Report
Adam (a disgruntled ex-employee) has been arrested and charged with orchestrating the
attack on the hospital.
Further analysis by the FBI and Delta Force team had discovered the account used to log in to
an IT Help Desk computer and download the malware was not Dave’s account, but an internal
hospital account called NaNa, which appears to no longer exist. A forensic examination of
Adam’s old work station showed the NaNa account had been created at 9:04pm on Sunday,
April 2nd. Further analysis showed that at 7:56 pm on Sunday April 30th, two days after Adam
quit, someone remotely logged in to the ITHelpDesk-01 machine in the IT department using
the NaNa account. The user logged into Gmail where an email was accessed and an
attachment activated that contained the malware. Adam was arrested, and a search warrant
of his computer discovered a copy of the same malware file.
Records show that Adam had spent eight consecutive days (Friday, March 31st to Friday, April
7th) in the hospital battling a malware attack, logging more than 100 hours during that period.
Adam received the letter informing him of his denial of promotion on his return to work on
Monday, April 10th.
Answered 12 days After Feb 21, 2022

Solution

Garima answered on Mar 06 2022
124 Votes
Title: Project Chicago Hospital
Name of student:
Course Name:
Professor’s Name:
1. Introduction:
Ransomware is a type of malware used to encrypt the files and folders of an organization and then demand a ransom amount to decrypt the files and recover them. This is one of the easiest ways to deny an organization access to its computer files (Ransomware Attack - What Is It and How Does It Work?, 2022). This type of cybersecurity attack is dangerous as it puts the organization at risk of losing all its important data (e.g., in this case all the patient data/files, which are meant to be private and meant for restricted access only) and crippling all the services. In the case presented, the ransomware appears to be Ryuk. Ryuk is a malware that is put into the system via Remote Desktop Protocol (RDP) or via phishing emails or through a user login that has compromised credentials. In the case discussed, the ransomware was put into the systems through remote access to the organization’s IT helpdesk computer. The accused, Adam (ex-employee, CISSP certified cybersecurity expert), remotely accessed the organization’s IT helpdesk computer and logged in using his login details to download the malware from his email.
Adam was previously working in the cybersecurity and compliance department of the organization. He was promised a promotion as a return favor for debugging more than 100 computers of the organization. He spent more than 100 hours debugging the computers and later his promotion offer was rejected. As a result, he got offended and planned this cyber-attack on the organization. Also, other members of the IT department are not happy with the organization due to untimely salary issues and a low budget for six years in a row. Therefore, instead of paying the ransom amount of $140,000, the hospital organization should pay...