Handout B: Backup Failure and Data Transfer Correlation
Compiled by infrastructure and network teams during recovery planning at the hospital.
Pre-Encryption Data Exfiltration - DLP Alert Correlation
| Date (UTC) | Source | Volume | DLP Status | File Types | Source Directory |
|---|---|---|---|---|---|
| 2026-02-19 02:33 | CLIN-WS-114 | 847 MB | SUPPRESSED | .pdf (38%), .hl7 (29%), .docx (18%), .csv (15%) | \\CLIN-FS-001\PatientRecords |
| 2026-02-27 03:11 | CLIN-WS-114 | 1.2 GB | SUPPRESSED | .pdf (52%), .csv (31%), .xlsx (17%) | \\CLIN-FS-001\Billing |
| 2026-03-03 01:55 | CLIN-WS-114 | 634 MB | SUPPRESSED | .pdf (61%), .docx (25%), .csv (14%) | \\CLIN-FS-001\StaffRecords |
Total exfiltrated: ~2.7 GB across 3 sessions over 12 days · DLP alert threshold: 100 MB outbound · DLP alerts raised: 0 (service account exemption active for all sessions)
IM NOTES (Do Not Show to Players):
- The three exfiltration sessions (Feb 19, Feb 27, Mar 3) show deliberate, low-volume staging spread over 12 days before detonation on Mar 6; total ~2.7 GB.
- DLP was bypassed entirely: it.admin.b holds exemption DLP-EXCL-ADMIN-002, which suppressed all outbound volume and classification alerts. No alert fired across all three sessions despite each one exceeding the 100 MB threshold.
- HL7 clinical records, billing data, and staff records confirm the attacker targeted data with maximum regulatory and extortion value.
Backup System Compromise and Recovery Assessment
CVMC-BAK-01 - Backup Server Assessment
IP: 192.168.20.45 (admin subnet; same as ADMIN-WS-009, CVMC-DC-01)
OS: Windows Server 2019
Auth: Domain-joined; accepts domain admin credentials
Firewall: NONE between 192.168.20.0/24 and backup storage LUNs
Backup job: Nightly incremental at 02:30 UTC; weekly full on Sundays
Compromise Timeline
2026-02-17 01:44 UTC CVMC-BAK-01 accessed via it.admin.b (7 shares enumerated)
2026-02-22 02:15 UTC CVMC-BAK-01 accessed again; backup catalog read
2026-03-06 18:38 UTC Domain admin credential obtained (same session as DC)
2026-03-06 18:41 UTC CVMC-BAK-01 accessed with domain admin (3 minutes after credential obtained)
2026-03-06 18:45 UTC Backup catalog deleted; backup encryption begins
2026-03-06 18:47 UTC LockBit detonation (2 minutes after backup encrypted)
Recovery Status
2026-02-20 02:30 UTC replication_status=SUCCESS (last confirmed clean full backup)
2026-03-06 18:45 UTC backup_catalog_delete volume=ALL node=CVMC-BAK-01
2026-03-06 18:45 UTC replication_status=FAILED node=backup-02 (catalog purged)
Last immutable snapshot: 2026-02-20 02:30 UTC
Recovery option: Tape backup (Iron Mountain, week of 2026-02-20)
Gap: 14 days of clinical data unrecoverable from tape
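As an added example (not part of the handout or the hospital's tooling), the following Python audit re-scores the suppressed DLP sessions from the table above against the 100 MB threshold as if no exemption existed, totals suppressed volume per account so slow staging is visible, and parses backup log lines in the Recovery Status format for catalog deletion and failed replication. The DLP records and log lines are constructed to match the handout; the benign row for host CLIN-WS-210 and user nurse.k is an assumption.

```python
import re
from collections import defaultdict

MB = 2**20
THRESHOLD_BYTES = 100 * MB  # the handout's 100 MB outbound DLP alert threshold

# Constructed DLP records modelled on the handout's table: (ts, host, account, bytes, status, exemption).
DLP_EVENTS = [
    ("2026-02-19 02:33", "CLIN-WS-114", "it.admin.b", 847 * MB, "SUPPRESSED", "DLP-EXCL-ADMIN-002"),
    ("2026-02-27 03:11", "CLIN-WS-114", "it.admin.b", 1229 * MB, "SUPPRESSED", "DLP-EXCL-ADMIN-002"),
    ("2026-03-03 01:55", "CLIN-WS-114", "it.admin.b", 634 * MB, "SUPPRESSED", "DLP-EXCL-ADMIN-002"),
    ("2026-03-04 09:10", "CLIN-WS-210", "nurse.k", 12 * MB, "ALLOWED", None),  # assumed benign row
]

# Constructed backup log lines in the handout's key=value style.
BACKUP_LOG = """\
2026-02-20 02:30 UTC replication_status=SUCCESS node=backup-02
2026-03-06 18:45 UTC backup_catalog_delete volume=ALL node=CVMC-BAK-01
2026-03-06 18:45 UTC replication_status=FAILED node=backup-02 (catalog purged)
"""

def audit_exempt_transfers(events, threshold=THRESHOLD_BYTES):
    """Re-score every SUPPRESSED transfer as if its exemption did not exist; returns (ts, host, account, exemption, MB)."""
    return [(ts, host, acct, ex, nbytes // MB)
            for ts, host, acct, nbytes, status, ex in events
            if status == "SUPPRESSED" and nbytes >= threshold]

def suppressed_mb_by_account(events):
    """Cumulative suppressed outbound MB per account, so slow multi-session staging shows up."""
    totals = defaultdict(int)
    for _, _, acct, nbytes, status, _ in events:
        if status == "SUPPRESSED":
            totals[acct] += nbytes // MB
    return dict(totals)

LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d) UTC (?P<event>\S+)")

def backup_integrity_alerts(log_text):
    """Flag catalog deletion and failed replication; both precede detonation in the handout."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        fields = dict(re.findall(r"(\w+)=(\S+)", line))  # key=value pairs after the event name
        if m["event"] == "backup_catalog_delete":
            alerts.append((m["ts"], "CATALOG_DELETE", fields.get("node")))
        elif fields.get("replication_status") == "FAILED":
            alerts.append((m["ts"], "REPLICATION_FAILED", fields.get("node")))
    return alerts
```

Run against the constructed data, the audit surfaces all three sessions that the exemption hid and the two backup events that signal the 14-day recovery gap is about to open.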
IM NOTES (Do Not Show to Players):
- CVMC-BAK-01 at 192.168.20.45 is on the admin subnet with no firewall controls to the backup LUNs. Backup catalog deletion at 18:45 UTC was the final action before ransomware detonation, a deliberate sequencing to maximize pressure.
- The attacker reconnoitered the backup infrastructure 17 days before detonation (Feb 17 and Feb 22); the backup destruction was premeditated, not opportunistic.
- The last clean full backup is 2026-02-20 02:30 UTC. The only remaining recovery option outside the compromised backup infrastructure is the weekly tape sent to Iron Mountain during the week of 2026-02-20. Any data changed between Feb 20 and Mar 6 (approximately 14 days of clinical activity) is unrecoverable from tape.
- Backup placement in the admin subnet, a convenience decision, is what allowed a single credential chain to destroy both live systems and backups.
IM Facilitation Notes
- Release after participants ask about backup viability or data theft confirmation.
- Use this handout to drive discussion on recovery confidence versus speed, and DLP control gaps created by service account exemptions.
- The 14-day gap in recovery coverage is the key pressure point: paying the ransom is the only way to recover those 14 days of clinical data.