Sector
Healthcare provider with multiple sites and mixed on-premises and cloud infrastructure.
Healthcare Provider – Ransomware Containment
Containing a ransomware outbreak impacting clinical systems and restoring critical services safely.
Overview
A regional healthcare provider experienced a ransomware incident that impacted clinical systems, file shares, and back-office services. The organisation needed to contain the outbreak quickly, restore critical systems, and demonstrate appropriate handling of the event to regulators and partners.
Cyber Defence’s Disrupt team was engaged to support triage, containment, forensics, and recovery, with SOC365 and Threat Intelligence supporting detection and scoping.
Context
Client context & objectives
Key systems
Clinical applications, shared drives, Microsoft 365, remote access, and some OT/IoT for building and clinical equipment.
Objectives
Stop lateral spread, preserve evidence, restore critical services, and demonstrate appropriate response.
Our approach
1. Immediate triage and containment support, including isolating affected hosts and restricting high-risk access paths.
2. Forensic imaging of key systems to preserve evidence before remediation steps were taken.
3. SOC365 integration to ingest and monitor logs from endpoints, identity, and key applications.
4. Identification of initial access vector and lateral movement pathways used by the attackers.
5. Prioritised recovery plan for clinical and care-critical systems.
6. Post-incident engineering recommendations to reduce the likelihood and impact of future events.
Outcomes
Results
Containment
Further lateral movement was stopped, and infected systems were isolated within hours.
Service restoration
Critical clinical systems were restored in a prioritised manner, minimising disruption to patient care.
Root cause clarity
The initial access method and propagation techniques were understood and documented.
Regulatory confidence
Clear documentation and timelines supported discussions with regulators and partners.
Improved resilience
Security Engineering work followed, including hardening identity, remote access, and endpoint controls.
SOC integration
Ongoing SOC365 coverage now provides earlier detection of similar threats.