Richard Staynings, Chief Security Strategist, Cylera Discusses Recent Ransomware Attacks
This past week, there was a major attack on UHS hospitals across the globe. According to Microsoft, ransomware is the most common reason behind its incident response engagements from October 2019 through July 2020. Microsoft says, "The Department of Homeland Security, FBI and others have warned us all about ransomware, especially its potential use to disrupt the 2020 elections."
This is clearly a problem for organizations that hold sensitive data that won't go away any time soon.
We heard from Richard Staynings, Chief Security Strategist at Cylera -- who dove into the UHS attack in-depth and the implications for the larger cyber landscape.
Richard Staynings, Chief Security Strategist at Cylera:
"None of my contacts at UHS are talking which probably means a gag order, but from what we know, this appears to be a Ryuk ransomware attack, which was most probably executed from an initial phishing attack as most ransomware attacks are. According to reports by Crowdstrike, and FireEye this probably originated from Russia - a country which allows cybercriminals to operate with impunity so long as they avoid attacking Russian targets. A cybercriminal group known as ‘Grim Spider’ which has been attributed to a number of other Ryuk attacks may be behind the UHS attack. Timed to execute during the weekend when UHS security staff were not watching and waiting for security alerts would be indicative of this group’s past attack patterns. UHS had a reported TrickBot attack earlier in the year known to be indicative of the Grim Spider gang so this would further support this supposition, meaning that the UHS network could have been compromised for some time.
The gang is known to personalize ransom demands meaning that they are less often inclined to randomly broadcast their ill wares and that this may have been a targeted attack against a healthcare delivery organization despite threats of severe consequences earlier this year for anyone that does, by Mike Pompeo. So far Pompeo has yet to order the take down of cyber criminals who target healthcare entities during the current pandemic, but these things often take time. It wouldn’t be the first time however that the US has sent a drone after a cyber attacker.
The ransomware attack against UHS could most likely have been prevented with improved email security that sandboxes attachments and URL links, and by improved user security awareness training that teaches staff not to open attachments unless from a verified sender. It could also have been prevented or identified very early on by StealthWatch-like technology that monitors east-west traffic across the network for potential indications of compromise. This is how malware like ransomware spreads. Advanced malware protection (AMP) and next generation intrusion prevention systems (IPS) might also have quickly identified and quarantined any suspicious activity or malware before any ransomware payload could execute, as could a security umbrella technology that monitors traffic attempting to communicate with low reputation destination IPs or domain names.
The impact of the attack which we are told affected multiple hospitals across multiple states could have been mitigated by network segmentation which would isolate one hospital from another from any traffic that has not been explicitly authorized. And each part of a hospital against another part. This is essentially a ‘Zero-Trust’ security approach to the network and can be easily implemented by software defined networking (SDN) – something built into modern network switches and easily managed by Identity Services Engine (ISE) or other network security tools. The fact is that although this capability exists in most hospital networks most have yet to fully implement the technology as its pretty advanced and hospital network staff may need expert assistance to plan and get it working properly. Network segmentation confines users, applications and IoT objects like medical devices only to parts of the network which administrators have explicitly authorized, thereby containing who or which systems have access to what and how. It’s a widely used ‘compensating security control’ to make up for inadequate controls elsewhere or as an extra layer of security when something breaks – like a user clicking on an attachment or an embedded link, or an unpatched HIoT device that lacks any security that may be especially vulnerable to attack.
The implications for the impacted UHS hospitals and the communities they serve could be catastrophic. Only last week, a German woman died as a result of a ransomware attack against Düsseldorf University Hospital (UKD), also thought to be the act of a Russian gang. When WannaCry hit a large part of the British NHS a couple of years ago, many patients also had to be diverted, and procedures rescheduled for thousands – some time-critical. It is unknown exactly how many people died early as a result of this attack. The UK government has yet to release any data. Many other US hospitals have been attacked and rendered inert by ransomware and other forms of extortion though none have yet admitted deaths attributed to system outages – possibly for fear of legal action and compensation suits. An availability attack against the health information systems of a hospital is an act of attempted mass-murder and should be treated as such, just as a terrorist may attempt to blow up a school, a church, or an office tower. At a critical time of a global pandemic, the greed and lack of conscience by cyber criminals is even more heinous.
As a civilized society we need to discourage any form of cyber-attack against critical infrastructure of a nation-state. Even in times of war, this could be construed to be a war crime executed against innocent bystanders. But first we need to attribute attackers. Our law enforcement and cybersecurity agencies are getting a lot better at this, meaning that it is becoming increasingly easy to identify attackers and more difficult for them to hide in parts of the world that lack effective law enforcement. Next we need to establish international norms and agreements on cybersecurity behavior such that perpetrators of cyber crimes can be fully prosecuted and punished in their own country of residence or extradited to the country in which the crimes took place. Hiding in a country that lacks a legal judicial system should not be a reason for those individuals being brought to justice as it is at present. If corrupt nations that turn a blind eye and harbor international criminals, or those who actively encourage international cyber attacks against innocent people in other countries as agents of the state, we need to find other, perhaps extra-judicial means of bringing them to justice. The Israeli Defense Forces and the US military have demonstrated this on a number of occasions. In the absence of some sort of UN Charter on Cybersecurity this may become a more common practice till organized cybercrime is stopped once and for all."