Ransomware Under Siege: master the art of defence and apply threat hunting skills with microsoft sentinel & 365 defender

The latest targets of opportunity in a string of ransomware attacks are hospitals and medical centres. In these attacks, records have been encrypted, affecting thousands of patients, including some that are in the middle of ongoing treatment. Additionally, these attacks are responsible for threatening patients' lives by postponing critical life-saving surgeries. And, if that weren't bad enough, malicious actors are threatening to release patients' personally identifiable information (PII) on dark web sites if ransoms are not paid promptly. To make matters worse, ransom payments must be in cryptocurrency, which is harder for law enforcement to track and recover.

You have recently joined the hospital security team and were asked to assist with the Incident Response investigation of an attack on a United Veterans Medical Health System hospital. Several hospital employees have reported ransomware on their computers. Additionally, the IT team identified some anomalous network connections in their logs and found files on systems they could not identify. They have also learned that their MSSP was compromised. Your hospital was in the process of converting their enterprise to Microsoft 365 E5 licenses and had enrolled most of their devices into Microsoft 365 Defender. You also have access to Microsoft Sentinel to help you correlate activity to understand and recover from this attack.

Your job as a security analyst is to identify indicators of compromise, determine the impact of the attack, and mitigate any additional activity by this threat.