This is part 2 of a series on ransomware. Read part 1 here.
Ransomware is on the rise. CISA, the FBI and HHS released a joint advisory describing the tactics, techniques and procedures (TTPs) that cybercriminals are using to extort healthcare organizations and hospitals with ransomware during COVID-19. State and local governments are also being targeted during the election.
We heard from some of the top cyber experts on what the threat of ransomware means not only for hospitals but for the election, how organizations can defend against it, and whether the industry expects ransomware to be an even bigger problem in 2021:
Lavi Lazarovitz, Director of Security Research, CyberArk
“The ransomware campaign against the US healthcare system is concerning for so many reasons – not least of which is the fact that the US is still very much battling to get the pandemic under control with hospitalizations on the rise in many states. We’ve already seen the consequences of attacks like this which could certainly include loss of life – making these particular attacks callous and devastating.
Downtime of any kind can impact patient wellbeing. Due to the complex and interconnected nature of modern healthcare, even localized attacks can affect the flow of information between departments and staff – putting patients at risk.
Ransomware typically starts on the endpoint. But, of course, encrypting one device isn’t going to cause the disruption or generate the ransom attackers are after. Instead, they will use this single device as a gateway to move throughout the network to encrypt the files, applications and systems that matter most to the organization. This move from the endpoint to the network is integral to an attacker’s strategy – and is also the point where healthcare providers can break that chain and prevent these attacks from spreading.
Taking a proactive approach to security is key – including protecting privileged access to those files and systems that matter most. This helps stop attackers in their tracks by keeping these events contained to the initial infection point – making them much less effective and minimizing the potential damage.”
Tim Bandos, CISO, Digital Guardian
“Despite the ongoing pandemic, cybercriminals continue to target the healthcare sector with ransomware. This latest campaign appears to be a variant of Ryuk, which was reportedly responsible for the attack on Universal Health Services last month. Although healthcare organizations often have some of the most constrained security budgets, they need to find ways to fund cybersecurity programs more appropriately with a focus on threat prevention and gaining visibility into, and control over, their sensitive information and PII – regardless of where it’s shared and stored. Fortunately, some of the most effective defenses against ransomware are tried and true IT/cybersecurity best practices that many organizations likely have already implemented, including:
Scheduling Frequent Data Backups
Executing Patch Updates
Avoiding Clicking Email Links/Attachments
Using Anti-Virus Software
Investing in End-user Security Awareness Training.”
Daniel dos Santos, Security Researcher, Forescout
“Early on October 28, we found out that personal and medical details – including names, social security numbers, and diagnostics images – of more than 3 million U.S. patients are available online, unprotected and accessible to anyone who knows how to search for it.
Later that same day, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a joint cybersecurity advisory about “Ransomware Activity Targeting the Healthcare and Public Health Sector”. The advisory details techniques used by malicious actors to infect healthcare systems with a specific ransomware strain – the Ryuk malware – and to exfiltrate data, both presumably for financial gain. More worryingly, the advisory describes not only attacks that could happen, but attacks that are taking place right now and whose imminent escalation is probable.
All of this is happening in the middle of a pandemic that puts huge pressure on healthcare staff. This pressure is what led us at Forescout Research Labs to release (coincidentally on the same day as the events discussed above) a new research report that highlights the risks that allow incidents like these to happen and the recommendations to protect organizations from these threats.
The risks we identified and the mitigations we recommended are in line with CISA/FBI/HHS’s:
Lack of visibility into networked devices means that they may be vulnerable, unpatched, or misconfigured and can be used as an entry point or as the targets of malware. Identifying and patching vulnerable devices is paramount for mitigating risk.
Improper network segmentation allows threats to spread within the network. Sensitive data and devices should be isolated from less critical segments.
Several protocols and network communications expose devices to undue risk. Map and block externally accessible protocols whenever they are not needed.”
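As an added illustration of the segmentation and exposed-protocol checks listed above (example code written for this page, not Forescout's tooling), the following Python script audits a constructed device inventory against an assumed exposure policy. The zone names, the policy table, the port-to-protocol map and the inventory itself are assumptions made for the example; a real audit would be fed reachability data from a scanner or NAC. Traffic that never crosses a segment boundary is treated as out of scope, so every finding is a cross-segment exposure that the policy does not permit.

```python
from dataclasses import dataclass

# Port -> protocol name for the services this audit understands (assumed subset).
PROTOCOLS = {22: "SSH", 23: "Telnet", 104: "DICOM", 135: "MSRPC",
             443: "HTTPS", 445: "SMB", 3389: "RDP"}

# Assumed exposure policy: for each protocol, the *other* zones allowed to reach it.
# Anything not listed is allowed from nowhere (default deny), so Telnet, MSRPC and
# unknown ports are flagged wherever they are reachable across a zone boundary.
ALLOWED_FROM = {
    "HTTPS": {"internet", "corp", "clinical"},
    "SSH": {"corp", "clinical"},
    "DICOM": {"clinical"},   # imaging traffic stays inside the clinical segment
    "SMB": {"clinical"},     # file sharing never reachable from corp or the internet
    "RDP": set(),            # RDP reachable from no other zone (a jump host is not modelled)
}


@dataclass
class Device:
    name: str
    zone: str
    listening: dict          # port -> set of source zones that can actually reach it
    patched: bool = True


@dataclass(frozen=True)
class Finding:
    device: str
    protocol: str
    port: int
    source_zone: str
    severity: str
    block_rule: str


def severity_for(device, source_zone):
    """Externally reachable services are critical; unpatched devices raise the rest to high."""
    if source_zone == "internet":
        return "critical"
    if not device.patched:
        return "high"
    return "medium"


def audit(devices):
    """Return one Finding per (device, port, source zone) that violates ALLOWED_FROM."""
    findings = []
    for dev in devices:
        for port, reachable_from in sorted(dev.listening.items()):
            proto = PROTOCOLS.get(port, f"tcp/{port}")
            allowed = ALLOWED_FROM.get(proto, set())
            for src in sorted(reachable_from):
                if src == dev.zone or src in allowed:
                    continue      # same-segment traffic, or explicitly permitted
                findings.append(Finding(
                    device=dev.name, protocol=proto, port=port, source_zone=src,
                    severity=severity_for(dev, src),
                    block_rule=f"deny tcp from zone:{src} to {dev.name} port {port}",
                ))
    return findings


# Constructed inventory: the kind of reachability map a scanner or NAC would produce.
INVENTORY = [
    Device("ct-scanner-01", "clinical",
           {104: {"clinical", "corp"}, 445: {"clinical", "corp"}}, patched=False),
    Device("file-srv-02", "corp", {445: {"corp", "internet"}, 3389: {"corp", "guest"}}),
    Device("patient-portal", "corp", {443: {"internet", "corp"}}),
]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"[{f.severity:8}] {f.device}: {f.protocol}/{f.port} "
              f"reachable from {f.source_zone} -> {f.block_rule}")
```

On the constructed inventory the script flags the unpatched CT scanner's DICOM and SMB ports reachable from the user segment, the file server's SMB port reachable from the internet, and RDP reachable from a guest zone the policy never mentions; the patient portal, which only exposes HTTPS, produces nothing. The generated deny rules are a starting point for the firewall or NAC change, not a substitute for checking why each path exists.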
Darren Mar-Elia, Vice President of Products, Semperis
"Ransomware is a real threat. It is something these organizations are already dealing with today. In the immediate term, healthcare organizations can prepare for ransomware attacks by saving backups on non-domain joined servers and offsite. Surprisingly, many organizations have not even tested their AD cyber disaster recovery plans. In fact, according to our 2020 survey of identity-centric security leaders, 21% of responders said they had no plan at all. This discovery is alarming given the rise of fast-moving ransomware attacks and the widespread impact of an AD outage. Poor preparation will increase the downtime and costs associated with a ransomware attack.
“No one can ignore the sharp uptick of hospitals victimized by ransomware. And in healthcare, the stakes are higher. Just last month, a 78-year-old patient at University Hospital Düsseldorf died after a ransomware attack crippled the hospital's IT systems and forced doctors to attempt to transfer her to another facility. It's clear just how physically dangerous cyberattacks can be, but there are no signs of attackers are slowing down. Healthcare organizations, both large and small, are in the crosshairs because human collateral pays. All it takes is a user clicking on the wrong link to kick off a deadly campaign.”
Scott M. Giordano, Esq., V.P. and Sr. Counsel, Privacy and Compliance, Spirion
“The recent surge in ransomware attacks is not surprising – threat actors use them because they work. As a consequence, we can expect this problem to grow in the coming years. It’s easy for organizations to assume that they’re not targets because they’re somehow not “important,” but the reality is that our global economy is tightly interconnected and every participant is indeed important. As far as election security goes, nothing has changed; political organizations and municipal bodies involved in the election process must assume they’re the target of threat actors and prepare accordingly. Two vulnerabilities that should be prioritized are defeating phishing attacks and patching servers and other Internet-connected devices as soon as those patches are made available. Just effectively addressing those two things will go a long way to protecting the integrity of our election process.”
Jeff Costlow, CISO, ExtraHop
“We find the potential for ransomware attacks against hospitals, as reported by CISA, during this time of crisis unconscionable. We suspect that the recent Zerologon vulnerability is a factor and any hospital that has not patched their systems is at risk. Unfortunately, sophisticated and motivated bad actors may easily get through the first layer of perimeter defenses, and once inside the network will move laterally through the network and attempt to escalate their privileges. It’s that time between the malware infection and the attacker attaining privilege escalation that matters, so organizations must act as quickly as possible. It’s imperative that organizations are monitoring east-west traffic inside the network to look for filenames like RYUK or .ryk that are indicators of this particular compromise to detect and stop it before the ransomware can execute.”
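To make the east-west detection point concrete, here is an added Python example (not ExtraHop's code or product logic) that scans constructed SMB file-activity records for the two indicators named above, a .ryk extension or RYUK in a file name, and additionally raises a burst alert when one host renames or writes many files on a share within a short window. That burst heuristic is an assumption that goes beyond the statement, included because the file-name indicators only appear once encryption has started and a rename storm from a single workstation is the observable that precedes them. The log format, IP addresses, share names and paths are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Indicators taken from the statement above: a .ryk extension, or RYUK anywhere in the
# file name. Matching is case-insensitive and applied to the last path component only.
RYK_EXTENSION = re.compile(r"\.ryk$", re.IGNORECASE)
RYUK_IN_NAME = re.compile(r"ryuk", re.IGNORECASE)

# Actions that change files on the share; used by the (assumed) burst heuristic.
MODIFYING_ACTIONS = {"FILE_RENAME", "FILE_WRITE", "FILE_DELETE"}

# Constructed sample of east-west SMB file activity, one event per line:
#   timestamp  src_ip  dst_ip  share  action  path
SAMPLE_EVENTS = """
2020-10-28T09:14:01Z 10.20.5.17 10.20.8.40 radiology FILE_OPEN   reports/ct_0042.dcm
2020-10-28T09:14:02Z 10.20.5.17 10.20.8.40 radiology FILE_RENAME reports/ct_0042.dcm.RYK
2020-10-28T09:14:02Z 10.20.5.17 10.20.8.40 radiology FILE_RENAME reports/ct_0043.dcm.ryk
2020-10-28T09:14:03Z 10.20.5.17 10.20.8.40 radiology FILE_RENAME reports/ct_0044.dcm.RYK
2020-10-28T09:14:03Z 10.20.5.17 10.20.8.40 radiology FILE_WRITE  reports/README_RYUK.txt
2020-10-28T09:14:05Z 10.20.5.17 10.20.8.40 radiology FILE_RENAME reports/ct_0045.dcm.RYK
2020-10-28T09:20:11Z 10.20.6.3  10.20.8.40 hr        FILE_OPEN   policies/onboarding.docx
2020-10-28T09:20:40Z 10.20.6.3  10.20.8.40 hr        FILE_WRITE  policies/onboarding.docx
"""


def parse_events(text):
    """Parse the whitespace-separated sample format into dicts with a UTC datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, share, action, path = line.split(None, 5)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "dst": dst, "share": share, "action": action, "path": path,
        })
    return events


def indicator_hits(path):
    """Names of the Ryuk file-name indicators that match this path (empty if none)."""
    name = path.rsplit("/", 1)[-1]
    hits = []
    if RYK_EXTENSION.search(name):
        hits.append("ryk-extension")
    if RYUK_IN_NAME.search(name):
        hits.append("ryuk-in-name")
    return hits


def detect(events, burst_threshold=5, window_seconds=60):
    """Emit one alert per indicator match, plus a single 'burst' alert when one source
    host performs burst_threshold modifying actions inside a sliding time window."""
    alerts = []
    recent = defaultdict(list)          # src host -> timestamps of recent modifying actions
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in indicator_hits(ev["path"]):
            alerts.append({"type": "indicator", "rule": rule, "ts": ev["ts"],
                           "src": ev["src"], "dst": ev["dst"],
                           "share": ev["share"], "path": ev["path"]})
        if ev["action"] in MODIFYING_ACTIONS:
            window = recent[ev["src"]]
            window.append(ev["ts"])
            cutoff = ev["ts"] - timedelta(seconds=window_seconds)
            while window and window[0] < cutoff:   # slide the window forward
                window.pop(0)
            if len(window) == burst_threshold:     # fire once, when first crossed
                alerts.append({"type": "burst", "ts": ev["ts"], "src": ev["src"],
                               "dst": ev["dst"], "share": ev["share"],
                               "count": len(window), "window_seconds": window_seconds})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(a["ts"].isoformat(), a["type"], a["src"], "->", a["dst"],
              a.get("path", a.get("count")))
```

On the sample, the workstation 10.20.5.17 produces five indicator alerts (four .ryk renames and one RYUK-named file) and one burst alert; the HR user's ordinary open-and-save cycle produces nothing. The threshold and window are deliberately conservative defaults and should be tuned per share: a backup job or a bulk import will also rename or write many files quickly, so the burst alert is a trigger for investigation while the .ryk match is the indicator to act on.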