In March 2020, the CTI League was established with the understanding that ransomware can be a life-threatening risk. For instance, when the 2017 WannaCry cyberattack shut down 40 percent of the United Kingdom’s National Health Service, care delivery was delayed, denied, and degraded.

On October 27, an adversary group locked the computers of as many as 30 healthcare providers, severely limiting their ability to deliver care to patients and causing some to turn away ambulances. The US Cybersecurity and Infrastructure Security Agency (CISA) quickly released an alert to the healthcare community the same day with technical indicators and attack patterns used in the campaign.

CTI League volunteers used the CISA data, as well as information gathered from our own sources, to identify command-and-control (C2) infrastructure, track victims, and forecast future targets so they can be alerted. We formed a task force of 28 experts from multiple organizations and disciplines, based around the world. This group assisted in lawful takedowns of adversary infrastructure, helped victims respond, and alerted potential victims, through our law enforcement and healthcare ecosystem partners. Lessons learned through this experience will help the CTI League and the healthcare sector prepare, train, and respond to similar future crises.

On behalf of the 28 members of the task force, we would like to thank the 1500+ vetted volunteer cybersecurity professionals in the CTI League and the hundreds of others in our law enforcement and healthcare partner organizations who responded professionally and promptly. We continue to be humbled by what we can accomplish by working together.

For those who would like more information, please contact [email protected]