CASE STUDY

When a Disgruntled Employee Detonates a Logic Bomb, Incident Response Contains the Damage

When an insider threat strikes, every second counts


Of all the potential cyberattacks businesses will face, ransomware attacks create some of the highest levels of anxiety. There’s just something extra alarming about discovering all your data has been encrypted and finding yourself dead in the water holding a ransom note.

In the cybersecurity world, some of the most damaging threats we see often start from within. Unlike external attacks, they are launched by people you know, often a disgruntled employee who already has access to your systems and data.

Recently, this story became a reality for a major healthcare organization that found itself racing against the clock to neutralize an act of sabotage. The incident—which was handled by our current Director of Incident Response, Tyler Hudak—demonstrated how urgent, intelligent response can stop a crisis from turning into a full-blown catastrophe.


The Situation

In this case, the malicious insider was an IT employee who planted a “logic bomb” into several critical systems. This malicious code was designed to wipe database tables from key servers, effectively sabotaging business-critical operations. 

The employee set the logic bomb to go off about a week after they had been terminated, and the malware worked exactly as intended. Database tables disappeared from vital servers, disrupting operations and triggering a full-blown cybersecurity emergency.  

Still reeling from the damage, the organization feared there were additional bombs elsewhere and suspected backdoors may have been left in place to allow the attacker to return. 


Rapid Response

When logic bomb malware is involved, every second counts. Tyler and his team jumped on the case, using their tools, knowledge and speed to get the job done. 

Once engaged, Tyler’s response strategy followed three focused steps: 

  • Forensic Analysis of the Attacker’s System: The first step was to examine the former employee’s workstation. At this point, the employee was only a suspect, so this step helped confirm the origin of the logic bomb. It also helped to reveal its scope and assess whether data had been stolen or if backdoors existed. Forensic triage software was also used to pull key artifacts, including files, logs and timelines, allowing for quick and clear analysis.
  • Malware Reverse Engineering: Next, the team broke down the malware to understand what it did and whether it had other functions. As they analyzed the code, they found it was very destructive and designed specifically to remove targeted databases. Fortunately, it had no additional capabilities.
  • Network-Wide Threat Hunting: Using centralized logs and endpoint detection tools, the team looked for signs of lateral movement from the malicious insider. Their investigation focused on activity taking place around the time of the disgruntled employee’s departure. This deep analysis paid off, uncovering evidence of other infected systems. Thankfully the team got there in time. The malware had not yet detonated on these systems, and they were able to remove it before it went off. 
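
One way to run the time-scoped hunt described in the third step, as an added example rather than the response team's own tooling. It assumes centralized logs exported as JSON lines and a hypothetical `job_created` event with a `runs_at` field (the case study does not say how the logic bomb was triggered); the account, hosts and dates are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records standing in for a centralized log export.
# Field names, hosts, accounts and the "job_created" event are assumptions.
SAMPLE_LOGS = """
{"ts":"2024-03-01T09:12:00","host":"ws-114","user":"jdoe","event":"logon"}
{"ts":"2024-03-11T22:40:00","host":"db-01","user":"jdoe","event":"logon"}
{"ts":"2024-03-11T22:47:00","host":"db-01","user":"jdoe","event":"job_created","runs_at":"2024-03-22T02:00:00"}
{"ts":"2024-03-12T23:05:00","host":"db-02","user":"jdoe","event":"logon"}
{"ts":"2024-03-12T23:09:00","host":"db-02","user":"jdoe","event":"job_created","runs_at":"2024-03-29T02:00:00"}
{"ts":"2024-03-13T08:30:00","host":"app-07","user":"asmith","event":"job_created","runs_at":"2024-03-14T01:00:00"}
{"ts":"2024-03-14T10:00:00","host":"app-03","user":"jdoe","event":"logon"}
"""

def hunt(raw, account, departed, known_hit, days_before=14, days_after=1):
    """Return {host: status} for hosts the account touched around departure."""
    start = departed - timedelta(days=days_before)
    end = departed + timedelta(days=days_after)
    hosts = {}
    for line in raw.strip().splitlines():
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"])
            host, user = rec["host"], rec["user"]
        except (ValueError, KeyError):
            continue  # skip malformed records rather than abort the hunt
        if user != account or not (start <= ts <= end):
            continue
        hosts.setdefault(host, "touched")
        runs_at = rec.get("runs_at")
        if rec.get("event") == "job_created" and runs_at:
            # Deferred execution set to fire after the account holder left:
            # these hosts are triaged first, before the trigger time passes.
            if datetime.fromisoformat(runs_at) > departed:
                hosts[host] = "deferred-job"
    # Hosts already known to be damaged are handled by recovery, not the hunt.
    return {h: s for h, s in hosts.items() if h not in known_hit}

if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS, "jdoe", datetime(2024, 3, 15), {"db-01"})
    for host, status in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"{host}: {status}")
```
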

The Results

The response to this incident was a success on several levels:

  • The damage was limited in scope: While the original logic bomb was able to target and damage several specific databases, the team was able to confirm the malware had no additional functionality. 
  • The identity of the attacker was confirmed: Even in the case of a severe attack, quick and decisive action can help get a client back in business very quickly, minimizing downtime and mitigating the long-term negative impact.
  • All remaining threats were neutralized: Additional logic bombs were detected and defused by the response team before they triggered, preventing costly damage to more of the organization’s databases. 
  • All potential backdoors were closed: Before closing down their response, the team conducted a thorough investigation to ensure there were no signs of ongoing risk or unauthorized access paths.

The Big Takeaway

Insider threats rarely come with warning signs. When sabotage hits, speed and clarity matter. And with the right team, tools and approach, even the most dangerous situations can be resolved. 

Learn More

Don’t let insider threats take you down. Visit our Incident Response page to learn how Inversion6 can help you stay protected.