lockbit attacks Heidell, Pittoni, Murphy & Bach

“On or about November 22, 2021, an attacker exploited vulnerabilities in HPMB’s Hybrid Exchange Management Server to gain access to HPMB’s systems. The vulnerabilities the attacker exploited had been identified by Microsoft several months earlier—in April and May 2021—and Microsoft had released patches for the software vulnerabilities around the same time. HPMB did not timely apply the patch for these vulnerabilities, rendering the server vulnerable to the attack. On or around December 25, 2021, the attacker deployed the Lockbit ransomware variant on HPMB’s systems using PSExec. HPMB personnel were alerted to this intrusion on December 25, when HPMB received an internal alert relating to syncing errors. HPMB subsequently identified encryption on its network consistent with a ransomware attack. In response to the attack, HPMB disconnected its servers from the internet and hired a forensic cybersecurity firm to conduct a forensic investigation. The forensic firm engaged in discussions with the attackers, who provided the forensic firm a list of tens of thousands of files the attackers claimed to have exfiltrated from HPMB’s systems. This list included legal pleadings, patient lists, and medical records that HPMB had in its possession in connection with litigation matters. The forensic firm identified evidence that the listed files had been staged and exfiltrated from HPMB’s systems. HPMB subsequently paid $100,000 in ransom in exchange for the return and promised deletion of the exfiltrated data but was not provided evidence the data was deleted.”