Case Study

Rebuilding a healthcare provider’s environment after a ransomware attack

After a healthcare provider’s environment—including all of its viable backups— was locked by a ransomware attack, it needed experts who could understand the problem and rapidly craft a response to get its network back up and running, recover its data, and secure the network against future threats.

In brief


Healthcare provider




United States

Products and Services

Unit 42® Incident Response services

  • Rapidly investigate a ransomware attack
  • Recover access to locked data
  • Rebuild the environment to eliminate threat actor access
  • Transform security posture to prevent future attacks
  • Unit 42® investigated and identified BlackCat ransomware
  • Helped client negotiate ransom, coordinated communications, and restored the environment
  • Client regained access to its environment
  • Threat actor backdoors were removed
  • A new approach to security made the client’s system more resilient to attack
Download PDF Share


Responding to a rapidly escalating attack

A healthcare provider’s security team found a suspicious file on one of its servers. After further investigation revealed that the same file was on several other servers, the team realized that they had a serious problem.

As the incident progressed, the threat actor deployed a ransomware payload and locked the organization out of its systems. The security team recognized that they needed the help of knowledgeable and experienced experts who could investigate the problem, assist in negotiations with the threat actor, and get the client’s environment back online.

Prisma Cloud


Incident Response experts investigate, respond, and rebuild

The client decided to bring in Palo Alto Networks Unit 42 Incident Response team. Unit 42 brings together world- renowned threat researchers with an elite team of incident responders and security consultants to create an intelligence-driven, response-ready organization.

Unit 42 put almost 40 people on the investigation team. Investigators quickly realized that the threat actors were using BlackCat ransomware, which, at the time, was a newly emerging threat.

The Unit 42 Threat Intel team, embedded in the client’s security organization, was very effective at obtaining information available about BlackCat and putting it in the hands of Unit 42 investigators. This allowed investigators to learn as much as possible about what the threat actor was doing, how they operated, what they had accessed, and what they had taken.

The Unit 42 team provided continuous updates to the client, keeping everyone up to date on the status of the investigation.

Part of Unit 42’s process included reaching out to the threat actor. Early in the exchange, the threat actor recited parts of the client’s insurance policy indicating that they had been in the environment long enough to understand the client’s business and what it might be capable of paying in ransom.

With Unit 42’s help, the client negotiated with the threat actor and made a payment.

Unit 42 advised the client to deploy Cortex XDR® throughout its entire environment to provide the visibility necessary to understand whether the threat actor was still in the environment and what they were doing.

After the client regained access to its systems, Unit 42 investigators found a suspicious binary in a Windows directory. A malware analysis quickly determined that it was a keylogger, evidence that the threat actor had stolen credentials in a more systematic way than the initial analysis suggested.

When Unit 42 presented these findings to the client’s leadership, one executive asked, “How are we ever going to trust our environment again?” Unit 42’s answer was that, indeed, the organization could not regain full trust in the existing environment; the entire environment needed to be rebuilt from the ground up.

Although a difficult decision for the client to make, this action ultimately resulted in a much stronger, more secure system.


Stronger security to meet future challenges

In addition to responding quickly to the ransomware attack and restoring the organization’s access to its systems, Unit 42’s Cyber Risk Management team helped the client identify vulnerabilities and gaps in its policies and processes. The team helped the client redesign their security program and posture entirely, making them much more resilient to future attacks.

For the client, working with Unit 42 brought industry-leading strengths in three areas:

  • Threat-Informed Incident Response: Unit 42 stepped in quickly, understood the nature of the attack, and assisted the client in successfully negotiating with the threat actor. This response was made more effective by superior knowledge of the overall threat environment and, in particular, of the emerging BlackCat ransomware threat.
  • Security Toolbox: Unit 42 uses best-in-class tools, such as Cortex XDR®, to contain threats and gather the evidence needed to fully analyze the incident with full visibility across endpoint, network, and cloud, making sure nothing gets past its search.
  • Cyber Risk Assessment: Because of Unit 42’s knowledge of the threat landscape, and experience responding to hundreds of client incidents each year, it could provide an expert assessment of the client’s policies and processes, enabling the organization’s IT team to rebuild a more secure environment.

BlackCat Ransomware Case Study

Watch the video for an expert insider’s look into the investigation

About Unit 42

Palo Alto Networks Unit 42 brings together world-renowned threat researchers, elite incident responders, and expert security consultants to create an intelligence-driven, response-ready organization that’s passionate about helping you proactively manage cyber risk. Our team serves as your trusted advisor to help assess and test your security controls against the right threats, transform your security strategy with a threat-informed approach, and respond to incidents in record time so that you get back to business faster.

If you’d like to learn more about how Unit 42 can help your organization defend against and respond to severe cyberthreats, visit to connect with a team member.

Under attack?

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team at or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +, UK: +44.20.3743.3660, APAC: +65.6983.8730, or Japan: +81.50.1790.0200.