A report on cybersecurity firm Halock's website (https://www.halock.com/medical-records-of-750000-patients-compromised-in-oregon/) describes a ransomware attack on a healthcare provider and its aftermath. The report is worth reading for its description of how to handle such incidents.
In a two-pronged attack, the attackers targeted the records of about 750,000 patients and 552 past and present employees. After the records were exfiltrated, the ransomware attack occurred. The attack locked the organization out of its servers, forcing them to rebuild their infrastructure with the help of off-site backups. An outside cybersecurity consulting group was brought in to aid the remediation and investigation.
The attack took place last July. In October the FBI informed the provider of the data breach. The FBI also seized an account belonging to the Hello Kitty ransomware group, and has posted an alert about this group.
The provider decided to replace its breached firewall. They have expanded their use of multi-factor authentication. (According to Halock, they could also have patched known vulnerabilities.) Victims have been provided with 12 months of identity protection services, credit monitoring and a $1,000,000 identity theft insurance policy. They have been advised to practice good cybersecurity hygiene and to watch out for scams. Employees were urged to contact the Social Security Administration if their numbers were compromised.
The provider was able to recover because they could restore infrastructure and data from backups. The FBI recommends storing backups in the cloud or on an external drive, preferably offsite. Multi-factor authentication is recommended. If you detect a ransomware attack, immediately isolate the affected systems or area. Shut down and power off all connectable devices, and physically separate infected machines from the network. Obtain the services of an outside firm specializing in ransomware remediation and forensic investigation.
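Recovery in this case depended on backups that were still intact and restorable. As an added illustration (not code from the Halock report or from the affected provider), the script below shows one way to make that property checkable: record a SHA-256 manifest of a backup tree, keep the manifest with the offsite copy, and compare a restored tree against it so that files rewritten by ransomware, or missing after a restore, are flagged before the data is put back into service. The directory layout and file contents are constructed sample data.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(root, manifest):
    """Compare a restored tree against a trusted manifest.

    Returns (ok, problems) where problems is a list of (kind, relative_path)
    with kind in {"missing", "modified", "unexpected"}.
    """
    problems = []
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(("missing", rel))
        elif current[rel] != digest:
            problems.append(("modified", rel))
    for rel in current:
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return (not problems, problems)


def demo():
    """Constructed scenario: snapshot a tree, then detect one file rewritten in place."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "records"))
        with open(os.path.join(d, "records", "patient_001.txt"), "w") as f:
            f.write("constructed sample record\n")
        with open(os.path.join(d, "records", "patient_002.txt"), "w") as f:
            f.write("another constructed record\n")

        manifest = build_manifest(d)
        # In practice the manifest is stored alongside the offsite backup;
        # serialising it to JSON stands in for that here.
        stored = json.dumps(manifest)

        ok_before, _ = verify_restore(d, json.loads(stored))

        # Simulate the effect of ransomware: one file's contents are replaced.
        with open(os.path.join(d, "records", "patient_002.txt"), "wb") as f:
            f.write(b"ENCRYPTED")

        ok_after, problems = verify_restore(d, json.loads(stored))
        return ok_before, ok_after, problems


if __name__ == "__main__":
    before, after, found = demo()
    print("clean tree verifies:", before)
    print("tampered tree verifies:", after)
    print("problems:", found)
```

The manifest must live with the offsite or offline copy, not on the production servers, or an attacker who encrypts the data can simply rewrite it. The same comparison run periodically against the backup store itself catches a backup set that was silently altered before anyone needs to restore from it.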