Customer Story


Health Services Provider

Leading Health Services Provider Thwarts Ransomware Attack with ExtraHop

Rapidly isolated the source of the malicious code

Quickly and efficiently quarantined impacted resources and stopped the spread of the ransomware

Created alerts on the malicious file extension to rapidly detect and prevent future attacks

The Beginning


A ransomware attack threatened to hold the company's sensitive, business critical files hostage

Early in 2016, an employee with a large health services provider was experiencing performance problems with his client machine. He opened a ticket with the organization's IT department. What they found came as a surprise – and a wake-up call – to everyone involved.

The slowness and performance problems that seemed innocuous turned out to be much more insidious. The client machine had been infected with ransomware, and it was already working to capture files and systems to which the employee had access.

In order to prevent a large-scale data hostage situation like that experienced at Hollywood Presbyterian the same week, the IT and security teams at the health services provider needed a way to determine how and when the employee's machine had become infected with ransomware, determine which files and systems had been impacted, and quickly alert on any activity associated with the malicious file. In this case, the file used an extension that had no business on the organizations NAS at all, so they created an alert for all files of that type to serve as an early warning against this type of ransomware.

Quote Icon

Today's threat actors are taking advantage of vast attack surfaces that extend across every endpoint from the branch office to the datacenter or the cloud and too often they operate unnoticed. At ExtraHop we've spent years developing technology that can analyze the entire network in real time – every critical asset and every transaction - so that there are no blind spots.

Jesse Rothstein
CTO and co-founder, ExtraHop

The Transformation


With ExtraHop, the health services provider can quickly pin down how ransomware has infiltrated the client machine and track its movements in real time

In order to gain real-time insight into what the ransomware was doing in their network-attached storage (NAS), the health services provider turned to ExtraHop.

Visibility from the Network to the Client Machine

Because ransomware relies on the permissions of the infected user or machine to access and encrypt files on any shared volumes on the NAS, the IT team first needed to understand what was happening on the employee's machine.

Using ExtraHop to monitor and analyze East-West traffic, they were able to monitor the client machine and watch, in real-time, each file that the ransomware was reading. In turn, they were able to quickly isolate impacted assets and stop the attack from progressing.

CSI: Network

While the most critical step in thwarting a ransomware attack is blocking its access to NAS resources, it's also crucial to understand when and how the client machine or user was infected in the first place.

Using the look-back functionality in the ExtraHop Discover appliance, the security team for the health services provider was able to investigate the employee's activity on his machine, looking specifically at the 10 minutes leading up to when the attack started.

In this particular case, the IT and security teams were able to use ExtraHop to determine that the ransomware came not from a PDF or executable file the user had intentionally downloaded, but from a URI on which the employee had clicked.

The Outcome


The provider quarantined the malicious file before it could do significant harm

Security Beyond the Perimeter

Ransomware attacks are yet another example of why traditional perimeter-based security solutions are no longer sufficient to address today's increasingly sophisticated threats.

ExtraHop provides real-time visibility into all East-West traffic, empowering IT and security teams to detect anomalous behavior – such as irregular NAS activity – and track that behavior from the client machine or user through the entire application delivery chain. With that insight, IT and security teams can spot potential breaches early, and proactively block off sensitive assets before they are attacked.

Fast Quarantine + Proactive Alerting

For the health services provider, one of the most critical steps in curtailing the ransomware attack was quarantining systems to prevent further spread. Using the ExtraHop ransomware bundle, the organization's information security team was able to identify that the malicious file had an unexpected extension and search for it across the entire infrastructure. This allowed them to quickly identify and isolate compromised systems, as well as create alerts for instances of that file extension moving forward.