Incident handler’s journal
Instructions
You may use this journal to record your findings after completing an activity or to take notes on what you’ve learned about a specific tool or concept.
Entry
Date:
2025-02-22
Entry:
001
Description
A targeted phishing email attack occurred in which malicious code was executed when an attachment was clicked. That code then ran ransomware, which encrypted critical patient data and locked the organization out of it.
Tool(s) used
Server logs were analyzed.
The 5 W’s – Capture the 5 W’s of an incident.
- Who caused the incident? An organized group of unethical hackers known to target healthcare organizations.
- What happened? A targeted phishing email campaign contained a malicious attachment that ran code that downloaded and ran ransomware, encrypting critical patient data. A ransom note appeared on computers.
- When did the incident occur? Tuesday, 9:00 a.m.
- Where did the incident happen? Targeted employees received a phishing email on company computers; the attachment was opened and infected the system.
- Why did the incident happen? A phishing email attachment was opened.
Additional notes
The company was forced to shut down their computer systems and contact several organizations to report the incident and receive technical assistance.