
In March 2020, the CTI League was established with the understanding that ransomware can be a life-threatening risk. For instance, when the 2017 WannaCry cyberattack shut down 40 percent of the United Kingdom’s National Health Service, care delivery was delayed, denied, and degraded.
On October 27, an adversary group locked the computers of as many as 30 healthcare providers, severely limiting their ability to deliver care to patients and causing some to turn away ambulances. The US Cybersecurity and Infrastructure Security Agency (CISA) quickly released an alert to the healthcare community the same day with technical indicators and attack patterns used in the campaign.
CTI League volunteers used the CISA data, as well as information gathered from our own sources, to identify command-and-control (C2) infrastructure, track victims, and forecast future targets so they can be alerted. We formed a task force of 28 experts from multiple organizations and disciplines, based around the world. This group assisted in lawful takedowns of adversary infrastructure, helped victims respond, and alerted potential victims, through our law enforcement and healthcare ecosystem partners. Lessons learned through this experience will help the CTI League and the healthcare sector prepare, train, and respond to similar future crises.
On behalf of the 28 members of the task force, we would like to thank the 1500+ vetted volunteer cybersecurity professionals in the CTI League and the hundreds of others in our law enforcement and healthcare partner organizations who responded professionally and promptly. We continue to be humbled by what we can accomplish by working together.
For those who would like more information, please contact [email protected]

Facts Only

Establishment: CTI League (March 2020)
Adversary Group: Locked computers of up to 30 US healthcare providers (October 27)
Response: US Cybersecurity and Infrastructure Security Agency (CISA) released an alert with technical information about the attack
Identification: CTI League identified command-and-control infrastructure
Tracking: CTI League tracked victims of the attack
Forecast: CTI League forecast future targets
Task Force: Formed a task force of 28 experts from multiple organizations and disciplines
Assistance: Helped law enforcement take down adversary infrastructure, assisted victims in responding, and alerted potential victims

Executive Summary

In March 2020, the CTI League, a group of volunteer cybersecurity professionals, was established to combat ransomware attacks, particularly those targeting healthcare providers. On October 27, an adversary group launched a campaign that locked the computers of up to 30 healthcare providers in the US, severely impacting their ability to deliver care to patients. The US Cybersecurity and Infrastructure Security Agency (CISA) quickly responded by releasing an alert with technical information about the attack. The CTI League used this data, along with their own sources, to identify command-and-control infrastructure, track victims, and forecast future targets. A task force of 28 experts from various organizations and disciplines was formed to help law enforcement take down adversary infrastructure, assist victims in responding, and alert potential victims. The incident underscored the life-threatening risks posed by ransomware attacks on healthcare providers.

Full Take

This incident highlights the critical role that cybersecurity plays in protecting essential services like healthcare. The attack on 30 US healthcare providers underscores the increasing threat of ransomware attacks and their potentially life-threatening consequences. The CTI League's response demonstrates the power of collaboration between various organizations and disciplines in addressing such threats. However, it is important to note that these types of attacks are likely to continue, as they can be highly profitable for cybercriminals. Questions remain about the long-term effectiveness of efforts like those of the CTI League, the potential for further regulation, and the need for increased investment in cybersecurity infrastructure.
Patterns detected: ARC-0043 Motte-and-Bailey, ARC-0024 Ambiguity (The article emphasizes the life-threatening risks of ransomware attacks but does not provide specific details about the number of lives actually lost or the extent of the damage caused.)

CTI League Responds to Coordinated Hospital Attack — Arc Codex