Axios Codebook

September 13, 2024
😎 TGIF, everyone. Welcome back to Codebook.
- 📬 Have thoughts, feedback or scoops to share? [email protected].
🚨 Situational awareness: Federal authorities are preparing criminal charges to file in a "matter of days" in connection with the recent Iranian hack-and-leak of the Trump campaign.
Today's newsletter is 1,329 words, a 5-minute read.
1 big thing: Practicing for a real-world hospital cyberattack
Hospitals are often at a disadvantage against ransomware gangs, and the wrong move can have deadly consequences.
Why it matters: Ransomware continues to pummel health care organizations — disrupting patient care, threatening lives and costing cash-strapped institutions millions of dollars.
Driving the news: Semperis, a cybersecurity unicorn that focuses on identity protection, hosted its first hospital hack tabletop exercise on the sidelines of the Black Hat conference in Las Vegas last month.
- Dubbed "Operation 911," the exercise gathered a group of cyber specialists, health care professionals and law enforcement officers to act out a fictitious ransomware attack.
Inside the room: Participants spent close to two hours in a hotel suite at the Mandalay Bay Hotel running through a scenario in which hackers have taken a Las Vegas hospital offline.
- A group of about 10 cybersecurity professionals investigated a third-party IT vendor account that was coming online at odd hours and exfiltrating heaps of data.
- Their response was typical for any health care organization: They isolated the affected systems, called in the FBI for help, and, once the intrusion was identified as ransomware, stalled the hackers by negotiating a payment price for as long as possible.
- But they faced a huge setback that other infrastructure sectors don't normally struggle with: They couldn't just turn off all of their systems. Doing so could disrupt patient care — or even lead to death.
The other side: The red team — which represented the ransomware gang targeting the hospital — sat in a separate room of the hotel suite. Their goal was to remain undetected for as long as possible so they could exfiltrate sensitive patient records and the hospital's financial documents.
- Each of these documents could help the hackers extort the hospital for as much money as possible.
- To remain undetected, the red team focused on moving data laterally and banked on the hospital monitoring only what was coming in and out of its systems — rather than what was moving between internal networks.
- The red team also focused on stealing administrators' passwords so they could log in as legitimate users.
- And the red team duplicated all of the files it stole first so it would be harder for the blue team to notice what had been exfiltrated.
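The two blind spots the exercise leaned on, a third-party vendor account coming online at odd hours and a hospital that watches only traffic crossing its perimeter, are both visible in ordinary logs if someone looks. The following is an added illustration, not code from Semperis or the exercise: it runs a few constructed authentication and flow records through two checks, one for off-hours use of a designated vendor account and one for hosts that accumulate large internal-to-internal transfers before sending data outside. The account name, the 10.20.0.0/16 internal range, the 07:00-19:00 maintenance window and the volume threshold are all assumptions chosen for the example.

```python
import ipaddress
from datetime import datetime

# Constructed sample records for this example (not from the exercise). Times are local.
AUTH_LOG = [
    "2024-08-06T02:14:09 LOGIN user=svc-vendor-it src=10.20.5.17 result=success",
    "2024-08-06T09:31:44 LOGIN user=nurse.jlee src=10.20.7.40 result=success",
    "2024-08-06T14:02:10 LOGIN user=svc-vendor-it src=10.20.5.17 result=success",
    "2024-08-07T03:45:01 LOGIN user=svc-vendor-it src=10.20.5.17 result=success",
]
FLOW_LOG = [
    "2024-08-06T02:20:00 FLOW src=10.20.5.17 dst=10.20.9.3 bytes=524288000",
    "2024-08-06T02:35:00 FLOW src=10.20.5.17 dst=10.20.9.4 bytes=734003200",
    "2024-08-06T02:50:00 FLOW src=10.20.5.17 dst=203.0.113.8 bytes=1258291200",
    "2024-08-06T10:00:00 FLOW src=10.20.7.40 dst=10.20.9.3 bytes=4096",
]

# Assumptions for the example: which account belongs to the outside IT vendor,
# which address space is "inside", when vendor work is expected, and how much
# east-west volume from one host is worth a look.
VENDOR_ACCOUNTS = {"svc-vendor-it"}
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
MAINTENANCE_WINDOW = (7, 19)             # 07:00 to 19:00 local
EAST_WEST_THRESHOLD = 100 * 1024 * 1024  # 100 MiB


def parse(line):
    """Turn 'timestamp KIND k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def off_hours_vendor_logins(lines, accounts=VENDOR_ACCOUNTS, window=MAINTENANCE_WINDOW):
    """Successful logins by a vendor account outside the agreed maintenance window."""
    start, end = window
    hits = []
    for rec in map(parse, lines):
        if rec["kind"] != "LOGIN" or rec.get("result") != "success":
            continue
        if rec["user"] in accounts and not (start <= rec["ts"].hour < end):
            hits.append((rec["ts"].isoformat(), rec["user"], rec["src"]))
    return hits


def east_west_bytes(lines):
    """Bytes moved between two internal hosts, attributed to the source host.

    Perimeter-only monitoring never sees these flows at all."""
    totals = {}
    for rec in map(parse, lines):
        if rec["kind"] == "FLOW" and is_internal(rec["src"]) and is_internal(rec["dst"]):
            totals[rec["src"]] = totals.get(rec["src"], 0) + int(rec["bytes"])
    return totals


def staging_then_exfil(lines, threshold=EAST_WEST_THRESHOLD):
    """Internal hosts that exceeded the east-west threshold and also sent data
    to an address outside the internal ranges: the collect-then-send pattern."""
    heavy = {host for host, total in east_west_bytes(lines).items() if total > threshold}
    flagged = []
    for rec in map(parse, lines):
        if rec["kind"] == "FLOW" and rec["src"] in heavy and not is_internal(rec["dst"]):
            if rec["src"] not in flagged:
                flagged.append(rec["src"])
    return flagged


if __name__ == "__main__":
    for hit in off_hours_vendor_logins(AUTH_LOG):
        print("off-hours vendor login:", hit)
    for host in staging_then_exfil(FLOW_LOG):
        print("internal staging followed by external transfer from:", host)
```

With the constructed records, the two night-time vendor logins are reported while the 14:02 login inside the window is not, and 10.20.5.17 is flagged because it moved well over the threshold to internal peers and then sent a comparable volume to an external address. The point is the second check: the internal flows that make the pattern visible are exactly the traffic a perimeter-only view discards.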
Admittedly, the red team of former hackers, police officers and cybersecurity executives had an easier job: keep squeezing the hospital for more money.
- For instance, the red team chose to reach out to local journalists and give interviews about its antics — creating more public pressure for the hospital.
- "It's totally asymmetric, it's really painful [for hospitals]," one of the red team members said.
Between the lines: Once a malicious hacker is inside a health care system's networks, it's really difficult, if not impossible, for a victim organization to walk away with any sort of win.
The big picture: Ransomware targeted 85% of health care organizations in the last year, according to Semperis' 2024 ransomware risk report.
- "People still have gaps in their understanding of what an actual incident would look like," Semperis CEO Mickey Bresman told Axios during the event. "It typically becomes very quickly very chaotic."
The bottom line: Not having a plan for responding to ransomware can have deadly consequences.
- Bresman recommended that all health care executives run training exercises so they're prepared to make tough choices if they face ransomware.
2. Microsoft steps away from the kernel
Microsoft is creating new capabilities that will let security vendors operate outside of the root of Windows operating systems.
Why it matters: The changes should help safeguard against a repeat of the global CrowdStrike outage in July — which bricked roughly 8.5 million Windows devices.
Driving the news: Microsoft hosted a cybersecurity summit Tuesday with government representatives and other security vendors at its Redmond, Washington, headquarters.
- During the event, participants looked at "longer-term steps" Microsoft could take to ensure network resilience and safeguard cybersecurity, according to a blog post published Thursday.
Zoom in: David Weston, Microsoft's vice president of enterprise and operating system security, wrote in the blog post that many of the company's ecosystem partners asked Microsoft to design new tools that would help them operate away from the Windows kernel.
- Broadcom, CrowdStrike, ESET, SentinelOne, Sophos, Trend Micro and Trellix all participated in the summit.
- Weston said Microsoft is now developing tools that should help vendors follow certain secure-by-design principles, provide anti-tampering protections, and meet performance needs outside of the kernel.
Between the lines: Part of the reason the CrowdStrike incident was so detrimental was that the faulty content update was sent straight to the Windows kernel, which manages the operating system's memory, processing power and more.
- Security vendors will often push data to the kernel level to free up space in their own products' storage and help the security tools run faster.
- Microsoft has said certain European Union interoperability rules require it to provide this level of access.
What's next: Microsoft did not provide a timeline for the new security features, but it said it plans to collect feedback from vendors as it develops these tools.
3. Exclusive: Lawmakers dig into CrowdStrike
A pair of Democratic senators are looking into just how vulnerable the federal government's IT networks are to an outage similar to this summer's CrowdStrike outage, according to a letter first shared with Axios.
Why it matters: Little attention has been paid nationally to the impact that the July 19 outage had on the federal government.
Zoom in: Sens. Brian Schatz (D-Hawaii) and Peter Welch (D-Vt.) sent a letter to the General Services Administration asking for more details about how the global outage impacted the federal government and what steps the agency has taken since the event to improve network resilience.
- The senators also said the incident laid bare the risks of relying on "too few contractors to operate such a large share of the federal government's IT systems."
- The GSA is the agency responsible for negotiating federal agencies' contracts with private companies, including IT vendors.
What they're saying: "Your agency should ensure that the IT systems our country relies on are as secure and resilient as possible," the senators wrote in the letter.
- "This includes considering any potential reliability and security threats that could be mitigated through increased supply chain diversification."
Catch up quick: The CrowdStrike outage had a ripple effect throughout government offices across the country.
- The Social Security Administration had to close all of its offices.
- Customs and Border Protection experienced processing delays.
- And some Indian Health Service clinics faced service disruptions.
Between the lines: The CrowdStrike outage was a wake-up call for all organizations, including government offices, that reliance on a single tech vendor across all networks can make them more vulnerable to outages and malicious cyber threats.
What's next: The senators requested that the GSA respond to their questions by the end of the month.
- A House Homeland Security subcommittee is hosting the first congressional hearing about the outage on Sept. 24.
4. Catch up quick
@ D.C.
🗳️ Taylor Swift endorsed Vice President Kamala Harris for president, citing concerns about misinformation from the AI deepfake former President Donald Trump created of Swift. (Axios)
📝 The Federal Communications Commission is looking for new administrators for the U.S. Cyber Trust Mark program, which will put an educational cybersecurity label on internet-connected devices that opt in to the program. (Nextgov)
@ Industry
💳 Mastercard is buying threat intelligence company Recorded Future in a $2.65 billion deal. (Reuters)
👀 Former CrowdStrike employees, including many who were fired, say the cybersecurity company has repeatedly rushed software quality checks to launch products quickly. (Semafor)
@ Hackers and hacks
⚠️ Fortinet, one of the largest cybersecurity companies in the world, confirmed that a malicious actor stole 440 gigabytes of files from its Microsoft SharePoint server. (BleepingComputer)
🚔 A teenager was arrested in connection to a cyberattack on London's public transportation agency. (Reuters)
📲 Some cybercriminal groups are deleting their Telegram accounts and moving to other encrypted messaging apps after Telegram CEO Pavel Durov's arrest. (404 Media)
5. 1 fun thing
Big day for Recorded Future, Mastercard — and cash back rewards!
☀️ See y'all Tuesday!
Thanks to Megan Morrone for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Codebook, spread the word.