On July 17th, Lorien Health Services announced through their website that a ransomware incident had occurred on June 6th. A team of cybersecurity experts was brought in to assist with incident response and to determine whether any personal information had been accessed. By June 10th, the team determined that personal data had indeed been accessed and could have included Social Security numbers, dates of birth, addresses, and health and treatment information. Lorien reported the incident to the FBI and notified all potentially impacted clients on June 16th. Although Lorien’s public announcement did not name the specific ransomware family, the operators behind the Netwalker ransomware began publishing screenshots in mid-June and have since posted a dump containing a small amount of the stolen data. Binary Defense analysts observed Lorien Health information appearing on the Netwalker leak site on June 19th. Credit monitoring and identity protection services are being offered through ID services to those affected by the incident.
Although no information has been made public on how Lorien was infected, phishing and poorly secured Remote Desktop Protocol (RDP) are two of the most common initial-access vectors used by ransomware operators. Educating employees on phishing and security awareness can go a long way toward preventing all types of malware infections. Network administrators should avoid exposing RDP to the Internet wherever possible. If remote access is needed, it should at least be placed behind a corporate VPN or protected by multi-factor authentication. Security works best in layers. Managed security services such as the Binary Defense Security Operations Center (SOC) can provide 24/7 monitoring to quickly detect and contain threats, and alert security teams, before those threats have the chance to spread throughout the network.