<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Pilbeam Engineering</title><link>https://www.pilbeams.net/</link><description>Recent content on Pilbeam Engineering</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Wed, 13 May 2026 18:00:00 -0500</lastBuildDate><atom:link href="https://www.pilbeams.net/index.xml" rel="self" type="application/rss+xml"/><item><title>Surviving Ransomware, Part 1</title><link>https://www.pilbeams.net/posts/surviving-ransomware---part-1/index/</link><pubDate>Wed, 13 May 2026 18:00:00 -0500</pubDate><guid>https://www.pilbeams.net/posts/surviving-ransomware---part-1/index/</guid><description>&lt;img src="https://www.pilbeams.net/posts/surviving-ransomware---part-1/index/dataspace.jpeg" alt="Featured image of post Surviving Ransomware, Part 1" /&gt;&lt;h2 id="the-story-as-of-2018"&gt;The Story as of 2018
&lt;/h2&gt;&lt;p&gt;The healthcare industry was, and largely still is, a magnet for cyber attack. Patients trust their doctor&amp;rsquo;s office, their psychiatrist, their parent&amp;rsquo;s nursing home, with some of the most sensitive data that exists about them. That trust is not always honored &amp;ndash; not always through malice, but sometimes through neglect, underfunding, or simple ignorance of the risk.&lt;/p&gt;
&lt;p&gt;Healthcare companies do not always do the utmost to protect that data&amp;hellip;or if they do, it isn&amp;rsquo;t good enough. The following posts are my recollection of the events that occurred, my involvement with them, and the lessons learned.&lt;/p&gt;
&lt;h2 id="my-role"&gt;My Role
&lt;/h2&gt;&lt;p&gt;I worked as a Systems Engineer for a small 2-hospital system in Upstate New York at the time. It was largely a traditional Cisco network / Windows server shop, with the challenges of small teams, small budgets, and no acceptable downtime.&lt;/p&gt;
&lt;p&gt;Annual risk assessments covered most risks we were aware of, but the spectre of non-compliant deployments would become a nightmare from which it took a long time to recover.&lt;/p&gt;
&lt;p&gt;In March, during one of our weekly technical meetings, the &amp;lsquo;Manager&amp;rsquo; provided a list of open ports on the hospital firewall, and what they went to. I glanced over it, looking mainly for any server related items. As I recall, a couple had already been flagged to be disabled.&lt;/p&gt;
&lt;p&gt;One of them, which I took no note of at the time, was TCP port 3389, the default Windows Remote Desktop (RDP) port. It went to an IP I was unfamiliar with. Most of this was the purview of the Network Engineer, and I saw my participation as a way to see if we had disabled or shut down any servers that might still have ports open.&lt;/p&gt;
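&lt;p&gt;The review described above is the kind of check that is easy to do by eye and easy to get wrong by eye: a rule to an address nobody recognises sits in the middle of a list and is skipped. The following script is an added example, not the author&amp;rsquo;s or the hospital&amp;rsquo;s tooling, showing how to cross-check an inbound port-forward export against an asset inventory so that a high-risk service pointed at an unknown internal host is surfaced rather than glanced over. The rule format (one rule per line: public port, protocol, internal IP, internal port, quoted comment), the sample rules, the inventory and the list of high-risk ports are all constructed for the example; the post does not say that the 3389 rule was the entry point, and the script does not claim to find one.&lt;/p&gt;

```python
"""Audit inbound firewall port-forward rules against an asset inventory.

Added example; the rule export format, sample rules, inventory and the set of
high-risk services below are constructed assumptions, not data from the post.
"""
import shlex
from dataclasses import dataclass

# Constructed sample export, one inbound NAT/port-forward rule per line:
#   public_port proto internal_ip internal_port "comment"
SAMPLE_RULES = """\
# public proto internal_ip  internal_port comment
443   tcp 10.10.5.20 443  "patient portal"
25    tcp 10.10.5.30 25   "mail edge"
3389  tcp 10.10.9.77 3389 ""
22    tcp 10.10.5.40 22   "vendor sftp gateway"
8080  tcp 10.10.5.50 8080 "legacy web app, flagged to disable"
"""

# Constructed inventory: every internal IP that is supposed to be reachable
# from the Internet, with an owner. 10.10.9.77 is deliberately absent.
SAMPLE_INVENTORY = {
    "10.10.5.20": "web portal (DMZ)",
    "10.10.5.30": "mail edge (DMZ)",
    "10.10.5.40": "sftp gateway (DMZ)",
    "10.10.5.50": "legacy web app (DMZ)",
}

# Services that should not be exposed directly. The internal port is what
# matters: the public port can be anything the rule author chose.
HIGH_RISK_SERVICES = {
    3389: "RDP", 445: "SMB", 139: "NetBIOS", 22: "SSH", 23: "Telnet",
    5900: "VNC", 1433: "MSSQL", 3306: "MySQL", 5985: "WinRM", 5986: "WinRM-TLS",
}


@dataclass
class Finding:
    public_port: int
    internal_ip: str
    internal_port: int
    severity: str      # "high" or "medium"
    reasons: tuple     # why the rule was flagged


def parse_rules(text):
    """Yield (public_port, proto, internal_ip, internal_port, comment) per rule.

    Blank lines and '#' comments are skipped; a malformed line raises
    ValueError rather than being silently dropped, because a rule that cannot
    be parsed is exactly the rule that needs a human to look at it.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)      # handles the quoted comment column
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}: {raw!r}")
        pub, proto, ip, iport, comment = fields
        yield int(pub), proto.lower(), ip, int(iport), comment


def audit(rules_text, inventory):
    """Return flagged rules, highest severity first.

    'high'   = high-risk service forwarded to a host not in the inventory
    'medium' = only one of: unknown host, high-risk service, missing comment
    Rules with none of those properties are not reported.
    """
    findings = []
    for pub, proto, ip, iport, comment in parse_rules(rules_text):
        reasons = []
        if ip not in inventory:
            reasons.append("internal host not in asset inventory")
        if iport in HIGH_RISK_SERVICES:
            reasons.append(f"exposes {HIGH_RISK_SERVICES[iport]} (port {iport})")
        if not comment.strip():
            reasons.append("rule has no owner/comment")
        if not reasons:
            continue
        high = ip not in inventory and iport in HIGH_RISK_SERVICES
        findings.append(Finding(pub, ip, iport, "high" if high else "medium", tuple(reasons)))
    findings.sort(key=lambda f: (f.severity != "high", f.internal_ip))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES, SAMPLE_INVENTORY):
        print(f"[{f.severity.upper():6}] {f.public_port}/{f.internal_ip}:{f.internal_port}: "
              + "; ".join(f.reasons))
```

&lt;p&gt;Run against the constructed data the script reports the 3389 rule as high (unknown host, RDP, no comment) and the SSH rule as medium. The inventory is the part that needs to be true for the check to be worth anything: a host that is in the inventory only because someone added it to make the report go green is the same blind spot with a different name.&lt;/p&gt;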
&lt;h2 id="the-attack"&gt;The Attack
&lt;/h2&gt;&lt;p&gt;My phone rang and buzzed a couple of times before I woke up enough to notice it. ~1 AM, March 18th, 2018 - the morning after St. Patrick&amp;rsquo;s day.&lt;/p&gt;
&lt;p&gt;The message - we&amp;rsquo;ve been attacked.&lt;/p&gt;
&lt;p&gt;Adrenaline pumping, I jumped out of bed, told my wife what had happened, and quickly dressed. A 15-minute drive in, I moved toward the datacenter &amp;ndash; my office was in there too, which I&amp;rsquo;d never loved, but that night I was glad for the short walk. One of our PC Technicians and our IT Director were there already, and I was briefed on what we knew so far.&lt;/p&gt;
&lt;p&gt;PCs throughout the organization were displaying text files on their desktop, one for every ransomed file as I recall. We did not know in the moment whether the attack was finished, ongoing, or if data was being exfiltrated. The Director asked our PC Technician if he would please disconnect our Internet uplink to try to mitigate further damage to the system.&lt;/p&gt;
&lt;p&gt;I immediately began a check on all of the server level systems, crafting a list of all physical and virtual machines, as our Systems Administrator who worked with me arrived. We tackled the list together, quickly assessing based on a visual check whether a server had been touched or not. I was thrilled to see that my recently built set of Microsoft Exchange servers had survived intact, and promptly shut them down in case processes were running inside our network that could corrupt them.&lt;/p&gt;
&lt;p&gt;When all was done and checked, almost all of our 200+ server instances were ransomed. Databases not working, web services down, file shares completely useless. Almost every PC was similarly affected.&lt;/p&gt;
&lt;p&gt;Incredibly, our MEDITECH Magic environment (a very old EMR that ran in a unique emulation mode on modern Windows OSes) was untouched. We shut it down as a safety precaution.&lt;/p&gt;
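&lt;p&gt;The server-by-server sweep above was done by eye, one console at a time, on 200+ instances in the middle of the night. The script below is an added example, not the author&amp;rsquo;s or the hospital&amp;rsquo;s tooling, of how the same &amp;lsquo;has this box been touched?&amp;rsquo; question can be answered from a mounted file tree using the two indicators the post describes: a note dropped beside every ransomed file, and documents replaced by content that is no longer readable. It builds its own throwaway sample trees (one ransomed, one clean) so it runs offline; the &amp;lsquo;.locked&amp;rsquo; extension, the note text, the expected-extension list and the entropy threshold are all assumptions for the example, since the post names neither the ransomware family nor what the notes contained.&lt;/p&gt;

```python
"""Triage a file tree for ransomware indicators.

Added example. The sample trees, the '.locked' extension, the note text and the
thresholds are constructed assumptions, not details from the post.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Extensions you would expect on a file share; anything else plus near-random
# content is treated as a possibly encrypted document.
EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".log", ".bak"}


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, close to 8.0 for random or encrypted bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def triage_tree(root, note_min_dirs=3, entropy_threshold=7.0):
    """Walk root and summarise two indicators:
      note_copies: copies of an identical small .txt file seen in at least
                   note_min_dirs distinct directories (the dropped ransom note)
      suspect:     files with an unexpected extension and near-random content
    verdict is 'touched' if either indicator fires, else 'clean'.
    Caveat: a legitimate readme copied into many folders also trips the note
    check, so treat the result as a lead for a human, not a final answer.
    """
    text_hashes = {}   # sha256 of content -> list of directories it was seen in
    suspect = []
    total = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            total += 1
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read(65536)            # first 64 KiB is enough for a verdict
            if ext == ".txt" and len(data) in range(1, 4096):   # small, non-empty text
                h = hashlib.sha256(data).hexdigest()
                text_hashes.setdefault(h, []).append(dirpath)
                continue
            if ext not in EXPECTED_EXTENSIONS and shannon_entropy(data) > entropy_threshold:
                suspect.append(os.path.relpath(path, root))
    note_copies = sum(len(dirs) for dirs in text_hashes.values()
                      if len(set(dirs)) >= note_min_dirs)
    verdict = "touched" if note_copies or suspect else "clean"
    return {"total": total, "note_copies": note_copies,
            "suspect": sorted(suspect), "verdict": verdict}


def build_sample_tree(touched):
    """Construct a throwaway tree: 5 departments x 3 documents.
    touched=True mimics a ransomed share (random bytes with a bolted-on
    extension, one note per document); touched=False is plain text documents.
    Constructed data, not from any real incident."""
    root = tempfile.mkdtemp(prefix="triage-")
    note = b"Your files have been encrypted. Contact us to recover them.\n"
    for i in range(5):
        d = os.path.join(root, f"dept{i}")
        os.makedirs(d)
        for j in range(3):
            if touched:
                with open(os.path.join(d, f"report{j}.docx.locked"), "wb") as fh:
                    fh.write(os.urandom(2048))
                with open(os.path.join(d, f"report{j}.docx.txt"), "wb") as fh:
                    fh.write(note)
            else:
                with open(os.path.join(d, f"report{j}.docx"), "wb") as fh:
                    fh.write(b"Quarterly report text " * 100)
    return root


if __name__ == "__main__":
    for label in ("touched", "clean"):
        print(label, triage_tree(build_sample_tree(touched=(label == "touched"))))
```

&lt;p&gt;Pointed at a mounted share or a VM&amp;rsquo;s data volume instead of the sample tree, the same function gives a quick verdict per host; the point is to get a consistent, repeatable answer across a long list rather than to replace the forensic work that comes later.&lt;/p&gt;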
&lt;p&gt;Our Director reached out to our third-party cybersecurity vendor, who dispatched their response team. For the moment, having assessed the damage and saved what we could, we stopped. The servers we had built, patched, argued over budget for, and depended on every single day &amp;ndash; gone, or as good as. It had taken hours. It had taken us years.&lt;/p&gt;</description></item></channel></rss>