This is part 1 of a series.
Earlier this week, CISA released a joint statement (revised yesterday) co-authored with the FBI and HHS describing the tactics, techniques and procedures (TTPs) that are being used by cybercriminals to extort healthcare organizations and hospitals with ransomware during COVID-19. The alert specifically pointed out the use of, most notably, TrickBot, BazarLoader, Ryuk and Conti.
The alert also referenced the CISA Joint Ransomware Guide, which provides mitigation tips. It might be too little, too late.
According to NBC, there's been a large surge of ransomware attacks that have infected more hospitals than previously known, including a University of Vermont network with locations in New York and Vermont.
We heard from some of the top cyber experts on what the threat of ransomware means not only for hospitals but also for the election, how organizations can defend against it, and whether the industry expects ransomware to be an even bigger problem in 2021.
Peter Mackenzie, Incident Response Manager, Sophos Rapid Response
“It is important to note that ransomware attacks on hospitals are common, but in our experience they are not affected more than other industries. Earlier in the pandemic there were fewer attacks targeting hospitals after many ransomware groups publicly stated that they would avoid them. It is clear the operators behind Ryuk are back from their summer break, and now targeting hospitals along with other industry sectors. Most of the heightened interest in these attacks stems from the attack on UHS hospitals a few weeks back. This saw many hospitals hit at once, but only because they were all connected. In other words, it wasn’t a string of attacks, but rather a single attack that affected multiple sites.”
Heather Paunet, Senior Vice President of Product Management at Untangle
“While many cybersecurity vendors have been successful in building barriers for ransomware that will stop the majority of attacks, cybercriminals are continuing to evolve their techniques to get around those barriers. Generally criminals take down servers or steal information either because they can and it becomes a game to them, or they do it because they can make some money out of it. In the case of making money, ransomware is a key focus for cybercriminals. When cyber attackers see that businesses pay the ransom, they see the enormous potential of getting rich without caring about the damage they may do. As business pay ransoms, and the large dollar amounts they pay are highlighted in the news, this becomes an indication that organizations are willing to pay. Attackers set their targets and evolve their techniques where they feel they will be most successful.”
Ms. Kacey Clark, Threat Researcher at Digital Shadows
“In response to the large-scale and coordinated attacks on healthcare services conducted by ransomware operators, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released a joint cybersecurity advisory report describing threat details and mitigations regarding the evolving Ryuk ransomware campaign. The report also stated that ransomware operators are actively targeting the healthcare and public health sectors, primarily by leveraging TrickBot malware to deploy Ryuk ransomware. Reports say that Ryuk ransomware affected at least six hospitals in the United States within 24 hours, which has disrupted patient care processes and can ultimately lead to loss of life. The group will likely continue conducting attacks against healthcare organizations in the United States. The advisory urges healthcare organizations to maintain business continuity plans to reduce service interruptions; implement network best practices by patching vulnerable systems, implementing multi-factor authentication (MFA), and disabling unused remote access; and carry out ransomware best practices by regularly backing up data and focusing on security awareness training.
At this time, Digital Shadows is closely monitoring the situation and will continue to update accordingly.”
John Ford, IronNet cyber strategist and former healthcare CISO
"The seemingly crazy predictions of the past around the cost of ransomware attacks on the healthcare industry stand to be proven true in 2021. We’ve seen a substantial rise in ransomware since the onset of COVID, and as the space race 2.0 continues, so will the prevalence of attacks. With countries all around the world hunting for a COVID vaccine we will see more nation state attacks leveraging ransomware and an increase in cloud-based ransomware attacks as healthcare systems expedite their transition to meet the growing remote needs. Lately, what is different about this tried and true attack method is that malicious actors aren’t just locking out data. They are also putting it on data leak sites where people can buy/have access to it leading to additional compliance concerns and my prediction for upcoming HIPAA changes. As hackers get closer to where care is delivered (hospitals, nursing homes) the likelihood of a ransomware event increases. It is a near-perfect business model that shows no signs of slowing down, and despite warnings regarding payment by agencies such as the U.S. Department of Treasury, this puts healthcare entities in a difficult situation when human lives are on the line."
Sam Curry, Chief Security Officer at Cybereason
"The FBI's and DHS's hastily scheduled news conference warning U.S. hospitals of imminent ransomware attacks is more than just a wake-up call for the industry; it is a call to action that must be taken seriously. When you compare the number of hospitals and health systems facing possible threats, the risk is many times greater than 2017's global WannaCry ransomware attack that hit the healthcare system in the UK. For hospitals, no more excuses: it's time to practice cyber hygiene alongside medical hygiene. Plan to be resilient so you can spring back from any damage.
If healthcare computer networks are taken offline, patient care will be stalled and lives could literally be at stake. While no wide-scale ransomware attacks are confirmed, the potential risks must be a wake-up call for healthcare providers that operate critical infrastructure such as hospital networks. Cyber terrorists are raising the bar, and the ability to defend against them is now officially a matter of life and death.
Let me be clear: the FBI's and DHS's suggestions for hospitals to unplug and not open email aren't a guarantee to protect critical systems and patient data. The newest suggestion feels more like Y2K, only it's ransomware this time, while some hospitals could be on the precipice of a wide-scale shutdown. Taking this issue seriously means making the tough choice between losing some functionality proactively by disconnecting some systems, as opposed to running a chance of losing all functionality if targeted."
Torsten George, cybersecurity evangelist, Centrify
“Hackers that target the healthcare space could be motivated by two things: 1) hospital systems are mission critical, and with many lives at stake, healthcare organizations become more likely to pay a ransom to swiftly get back up and running; 2) ransomware is used as a distraction while hackers move laterally across the network, stealing patient data for additional pay off on the dark web, where it can be sold for $1,000 per record.
To minimize exposure to these attacks, there are fundamental measures to take such as implementing cybersecurity training, regularly updating anti-virus and anti-malware with the latest signatures, performing regular scans, as well as backing up all data to a non-connected environment and verifying the integrity of those backups regularly.
While these practices are table stakes, ransomware is just one form of exploit that can easily be replaced by another. According to Forrester, an estimated 80% of data breaches are tied to privileged access abuse, making it the No. 1 cause of data breaches. By applying proper access controls, organizations are applying a ‘dual therapy’ to the ransomware epidemic, which is addressing privileged access abuse, while also minimizing the overall impact of a ransomware attack by preventing malware from running or limiting its capability to spread through a network. In this context, organizations should establish a secure admin environment, enforce access zones that restrict access to specific systems by privileged users and require multi-factor authentication (MFA) in order to reach assets outside of their zone. In addition, vault away shared local accounts, and apply the concept of least privilege to granularly control what access admin users have and what privileged commands they can run.”
Nicole Bucala, VP of Business Development at Illusive Networks
“Advanced Ransomware Threats (ARTs) are the biggest concern of all. ARTs combine Advanced Persistent Threat (APT) techniques with ransomware techniques. Like an APT, sophisticated ransomware attackers target and navigate to carefully selected strategic assets on the network that hold business-critical information. Attackers then take those assets hostage using advanced evasive ransomware techniques, massively disrupting hospital operations and saying they will stop only in exchange for a very high fee. Organizations without proper ART protection have no choice but to pay the fee to avoid further disruptions, loss of money, and, worst of all, loss of life.
These threats are serious, but they are not insurmountable. To beat an attacker, you need to think like an attacker. When a security team thinks like an advanced attacker, it can know what the attacker is after and can focus on those assets. Every healthcare organization needs to be able to view the attack landscape, map attack pathways and know where the high-risk critical assets are, which will be fundamental for building a strategy for pre- and post-breach penetration.
IT security teams need to focus on active detection to minimize, or even prevent, damage from a ransomware attack. This should include the ability to detect lateral movements within the network. Deception technology is a category of security tools designed to detect attackers who are already in the network and prevent them from doing damage. It works by distributing deceptions that mimic genuine IT assets throughout the network. Instead of relying on traditional signatures, deception technology alerts are generated by real attacker movements within a network. The IT team will be able to see, in real time, any malicious lateral movement that is happening on the network and can mitigate the attack, protecting the computer systems that literally keep people alive.”
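The deception approach described above, as an added example that is not code from the article or from Illusive Networks: decoy hosts and a honey account are constructed, and because no legitimate workflow should ever touch them, any authentication event that does is raised as a high-fidelity lateral-movement alert. The log format and the decoy inventory are assumptions for the sake of the example.

```python
# Added example: decoy-touch detection over constructed auth log lines.
# Decoy hosts/accounts below are made up; a real deployment would load them
# from the deception platform's inventory.
import re
from dataclasses import dataclass

DECOY_HOSTS = {"10.20.5.250", "10.20.5.251"}   # constructed fake file/DB servers
DECOY_ACCOUNTS = {"svc_backup_legacy"}          # constructed honey account

# Assumed log format: "<ts> auth src=<ip> dst=<ip> user=<name> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    reason: str

def detect_decoy_touches(log_lines):
    """Return one Alert per event that touches a decoy host or honey account.
    Success or failure is irrelevant: a decoy should never see any traffic."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ev = m.groupdict()
        if ev["dst"] in DECOY_HOSTS:
            alerts.append(Alert(ev["ts"], ev["src"], f"decoy host {ev['dst']} contacted"))
        elif ev["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert(ev["ts"], ev["src"], f"honey account {ev['user']} used"))
    return alerts

def rank_sources(alerts):
    """Count decoy touches per source IP; repeated touches from one source look
    like an intruder enumerating the network rather than a single mistake."""
    counts = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))

SAMPLE_LOGS = [  # constructed sample log lines
    "2020-10-29T09:00:01Z auth src=10.20.1.15 dst=10.20.5.10 user=jsmith result=ok",
    "2020-10-29T09:00:07Z auth src=10.20.1.15 dst=10.20.5.250 user=jsmith result=fail",
    "2020-10-29T09:00:09Z auth src=10.20.1.15 dst=10.20.5.11 user=svc_backup_legacy result=ok",
    "2020-10-29T09:01:00Z auth src=10.20.1.22 dst=10.20.5.10 user=akhan result=ok",
]

if __name__ == "__main__":
    for a in detect_decoy_touches(SAMPLE_LOGS):
        print(f"ALERT {a.ts} from {a.src}: {a.reason}")
```

Only the host that touched decoys is flagged; the normal logins on real servers produce nothing, which is what makes deception alerts low-noise compared with signature matching.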
Matt Walmsley, EMEA Director at Vectra
“The business of ransomware has changed. Criminals have moved to lower-volume but highly targeted ransomware attacks. These are multifaceted, complex, and unfold over extended periods of time, and they increasingly use the legitimate tools within our networks and cloud services. This makes traditional signature-based defences increasingly ineffective, so we’re now detecting attackers by their behavior rather than looking for the specific tools or ransomware used. This makes it much more challenging and costly for attackers because even when they adapt configurations, their immutable behaviors still betray them. This new approach is both effective and durable.
The performance and analytical power of AI is needed to detect these subtle indicators of ransomware behaviors and the misuse of privileged credentials at a speed and scale that humans and traditional signature-based tools simply cannot achieve. Ransomware will continue to be a potent tool in cybercriminals’ arsenals as they attempt to exploit, coerce, and capitalise on organizations’ valuable digital assets.”
Daniel Norman, Senior Solutions Analyst at the Information Security Forum
“The threat of ransomware has prospered worldwide at an incredible rate and scale, especially during the COVID-19 pandemic. One reason for this is its accessibility and ease of spread. While thousands of organizations, and millions of individuals, have been hit by ransomware over the last few years, the overall financial and reputational impact is difficult to calculate and is entirely relative.
Moving forward, end users should receive ample security awareness, education and training on the threat of ransomware, particularly its delivery mechanism. Typically, the success of ransomware is reliant on whether or not the target organization has patched its devices properly. Therefore, having all systems patched and up to date is a minimum for security.”
Hank Schless, Senior Manager, Security Solutions at Lookout
“Over the past year, ransomware attacks have targeted specific organizations and are delivered to employees via socially-engineered phishing messages.
No matter which type of app the attacker uses to deliver the phishing link, there is high likelihood that it enters corporate infrastructure via a mobile device. As workers across the globe began working from home, organizations enabled their employees to stay productive by using mobile devices, and attackers know this. They also know that mobile devices exist at the intersection of our work and personal lives, so they use social engineering on various mobile apps to increase the success rate of their attacks.
The scope of these compliance standards is slowly expanding to include mobile devices, which is a necessary step considering they have access to a wealth of corporate data. Organizations that are proactive about securing mobile devices with mobile security are at the forefront of innovation and demonstrate that they are adapting to today’s rapidly evolving threat landscape.”
Jack Kudale, founder and CEO of Cowbell Cyber
"Electoral systems and processes must be protected using the most advanced cybersecurity models used today in the private or public sectors. In addition to post-election audits, continuous risk assessments should be mandatory and performed to validate the integrity of all cyber components supporting the election process."