5 Stages Of Grief During A Cyber AttackThe 5 stages of grief during a cyber attack really do follow the process of dealing with grief in those familiar 5 stages. Many don’t realize that ransomware attacks aren’t always just the result of someone clicking in an email and running a program.  As Erie County Medical Center found out recently, ransomware attacks can come from a hacker being active in your network too.  Those 5 stages of grief during a cyber attack for them and others we have seen is what we will be discussing today.

We have a special guest with us for today’s discussion, too.  David Benton with Altep is joining us today.  David is a super IT forensics dude.  The CSI of the nerds, so to speak.  He is helping us review this topic by adding some of his tips and stories about data breaches.


HIPAA For MSPs by David Sims 5 Stages Of Grief During A Cyber Attack - 4 Listens
00:00:00 00:00:00

In this episode:

5 Stages Of Grief During A Cyber Attack

Speaking Engagements

Special Guest – David Benton of Altep

Topic for today – 5 Stages Of Grief During A Cyber Attack

Terminal servers on risk analysis

Tips from David Benton

Today we are doing a special interview.

David Benton, Director of Data Forensics – Southern US, Altep

About David and Altep

Timetable for a breach

Erie County Medical Center Ransomware Attack

It was 2 a.m. Palm Sunday. Computer screens across Erie County Medical Center flashed white with bright red words: “What happened to your files?”

“For the first few minutes when I learned what happened, I was in a state of disbelief,” said Dr. Jennifer Pugh, associate chief of service for emergency medicine. “Then my reaction changed to anger. This is our Level 1 trauma center. It felt like a direct attack.”

5 stages of grief during a cyber attack really do follow the process of dealing with a serious loss. While ransomware attacks are a major issue these days many don’t realize that actual infiltration, like one by TDO, is also happening out there.  The hackers can actually be in your network moving around for a period of time before launching their ransomware attack.  No matter how the attack happens, when you notice something is wrong that is when the 5 stages of grief during a cyber attack begin.

Notice something wrong

  • ways that most people notice something is up
  • other ways we should notice something is up

1 – Denial

  • it isn’t us, we can’t be hit by one of those things.
  • it can’t be that bad, right?
  • it won’t take long to get us back up and running, right?
  • There’s nothing to worry about we just restore and keep going, right?

2 – Anger

  • This is so wrong!  We have too much to do!
  • Why did they come after us, we don’t have anything they want!
  • Why do you have to take me down?  Can’t you just do what you need to get done and we keep working?
  • Investigation? What do you mean?
  • How much will this cost, not much right?

3 – Bargaining

ECMC’s network would go dark for weeks. But in the hours after the attack, hospital managers had a decision to make: Should they pay the ransom?

  • Can we just assume it is ok if you don’t see anything right away?
  • Can we just restore everything while you do your stuff?
  • Can you tell me tomorrow so we can get back up and running tomorrow night?
  • But I do have all the HIPAA stuff: binders, annual training, antivirus, NPP, what else are you saying I need to have?
  • Log files, don’t you have what you need from the computers?

4 – Depression

In its response, ECMC turned back to paper charts and face-to-face messaging – easier said than done in any modern hospital that has come to rely on a complex array of integrated computer systems to run every major aspect of the organization

Officials believe the hackers randomly accessed the ECMC server about a week before the ransom notes arrived using a variant of ransomware known as SamSam.

Once they had breached the perimeter, it’s believed a person then logged in and manually searched files. The intruders then encrypted files in a way that made it more difficult to recover data before they issued the ransom note.

  • When are you going to give me some answers I am scared now!?!
  • If we have to tell all of our patients this is going to be so bad
  • What I have doesn’t tell you enough? How can I get more, I don’t understand any of this?
  • Are you telling me they were really in our systems?

The decisions you make in the first few minutes of when you discover an event has occurred is often key to determining the final outcomes.

5 – Acceptance

Now, after six weeks of around-the-clock efforts to reconstruct its systems, ECMC is closer to normal operations. Officials say no patient data was compromised. But the cyberattack left a lasting impression, magnified by a growing epidemic of computer attacks, including the global ransomware extortion that disabled hundreds of thousands of computers this month.

The medical center follows a protocol for computer issues and uses regular down times for parts of its system to practice. But no one expected a disruption as long or extensive as this.

When you go back to paper and face-to-face communications there used to be a lot more people involved in making that happen.  Technology allowed us to be much more efficient.  We can do the same with 5 people that we used to need 10.  The challenge is that people think they can actualize all the savings.  They still need to secure and manage the tools.

These computers weren’t designed for just a specific setting so you need to secure it and customize it to work in your setting not just the same everywhere.  There is a switch off between reducing overhead by bringing in computers to replace people and what you have to do for maintaining that computer.  You got rid of a person when you get a computer but you

Russian government bought typewriters to reduce their concerns about cyber security.

  • Let’s deal with the consequences and get it done
  • How can we make sure this never happens again?

“Security is not just for the IT department. We all have a responsibility, and should be held accountable,” said Pelgrin, also a co-founder of the Global Cyber Alliance and former president of the Center for Internet Security.

Recommendations for how to never need David Benton

  1. Strong passwords
  2. Shut down public RDP access!
  3. Use a good VPN
  4. Risk Assessment should be done to see what is going on in your organization.
  5. Don’t just assume someone who sets up a computer understands security.

David Benton was great to talk with in this episode.  We could have continued for hours on our discussion.  The 5 stages of grief during a cyber attack was a perfect way to keep us on track and with a set destination. Each of those stages can involve many other things than what we touched on here.

Altep incident response hotline 877-937-3988.

OCR Cyber Attack Checklist – HHS.gov