Full Report
Metro Pet Vet, with three offices in Lancaster County, is grappling with a ransomware attack that began earlier this week, affecting access to patient records and causing significant operational challenges. Despite the setback, the office continues to treat patients, using an app to assist with scheduling, although they lack access to patients' histories. "It's mostly just a real challenge for my team to basically do things without computers anymore. You know, we're basically just treating it like we did 40 years ago, where we don't have computers, we just write everything down," said Dr. Jeff Steed, owner and medical director of Metro Pet Vet.
Analysis Summary
# Incident Report: Metro Pet Vet Ransomware Attack
## Executive Summary
Metro Pet Vet, operating three offices in Lancaster County, experienced a ransomware attack that began early in the week, manifesting as technical difficulties before ransomware was detected on Wednesday morning. The incident severely impacted access to the central server, encrypting critical patient records and medication histories, leading to significant operational challenges requiring manual, paper-based workflows. The organization is actively treating patients but lacks historical data access while remediation efforts are underway, with an expected resolution by the following week.
## Incident Details
- **Discovery Date:** Wednesday morning (when ransomware was detected)
- **Incident Date:** Began Monday/Tuesday (technical difficulties/router failure)
- **Affected Organization:** Metro Pet Vet (Three offices)
- **Sector:** Veterinary Services/Healthcare
- **Geography:** Lancaster County, Pennsylvania
## Timeline of Events
### Initial Access
- **Date/Time:** Monday and Tuesday of "earlier this week"
- **Vector:** Unspecified technical difficulties, including a router failure.
- **Details:** The disruption began with technical difficulties and the failure of the practice's router, both of which preceded the detection of the ransomware.
### Lateral Movement
- **Details:** Not explicitly detailed, but the result was the loss of access to the main server containing patient records.
### Data Exfiltration/Impact
- **Details:** The server containing patient records, including vaccine and medication histories, was locked by ransomware. Patient phone numbers and addresses were stored on the compromised server.
### Detection & Response
- **Detection:** Ransomware was detected Wednesday morning.
- **Response actions taken:** The computer team is actively working on the issue. Operations continue with staff treating patients manually ("writing everything down") and using a separate app for scheduling.
## Attack Methodology
- **Initial Access:** Unknown, but correlated with router failure and subsequent technical difficulties starting Monday/Tuesday.
- **Persistence:** Not detailed; no persistence mechanism beyond the ransomware's own encryption of the central server was reported.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Not detailed (No evidence of data exfiltration mentioned, only encryption/locking).
- **Exfiltration:** Not explicitly confirmed; data theft has not been ruled out, as it commonly accompanies ransomware incidents.
- **Impact:** Encryption/locking of the central server, resulting in loss of access to patient records and operational hindrance.
## Impact Assessment
- **Financial:** Not estimated; impact quantified by operational challenges.
- **Data Breach:** Patient phone numbers and addresses were stored on the compromised server. **No** credit card or Social Security information was stored on the server.
- **Operational:** Significant operational challenges; staff forced to revert to paper-based record-keeping, similar to 40 years prior. Clinical operations (treating patients) continue, but access to history is lost.
- **Reputational:** Public disclosure of the incident was made to inform patients.
## Indicators of Compromise
- **Network indicators:** No specific network indicators were published; a router failure was reported early in the week.
- **File indicators:** No file hashes or sample names were published; ransomware locked files on the central server.
- **Behavioral indicators:** Sudden requirement to operate without computer systems starting Wednesday morning.
## Response Actions
- **Containment measures:** Not detailed. If the compromise was confined to one site, the early router failure may incidentally have limited its spread, but this is speculation from the reported facts rather than a confirmed finding.
- **Eradication steps:** Computer team is "working on the issue."
- **Recovery actions:** Relying on manual processes while working towards technical resolution, with an estimated fix by "next week."
## Lessons Learned
- The reliance on digital records exposed the organization to severe operational paralysis when the central server was compromised.
- The outage immediately reverted critical workflows to highly manual processes.
- While highly sensitive financial data was reportedly segregated, patient contact (phone/address) data was at risk.
## Recommendations
- Isolate the compromised network segment if feasible.
- Engage external forensic specialists immediately to determine the exact ransomware strain and TTPs.
- Accelerate data recovery efforts and restoration from offline, tested backups (if available).
- Review and harden network perimeter defenses, specifically focusing on router/firewall security, to prevent recurrence of initial access vectors.
- Implement multi-factor authentication (MFA) across all critical systems.
- Ensure critical patient data storage is segmented from less critical operational systems, if possible.