Friday, April 12, 2019

Surviving a Ransomware Attack in Healthcare

Ransomware in Healthcare

The rising number of ransomware attacks is harrowing, to say the least. Attackers use this tactic to achieve quick financial gains, and, to be frank, it is working.

Ransomware is a type of malware that is spread through many different avenues. Organizations may run into a situation where an employee was sent a phishing email with a malicious link in it that redirects web traffic and downloads the ransomware to the user’s machine automatically. This is the most common tactic attackers will use to spread their ransomware, coming just ahead of using a spoofed website as seen in the image below:

Source: Ponemon Institute, https://www.ponemon.org/local/upload/file/Ransomware%20Report%20Final%201.pdf


Ransomware sample display screen

How Does the Ransomware Work?

Once the ransomware is present on a machine, it starts encrypting the hard drive, leaving the user with no access to any of the documents they were working with, or to anything else present on the machine at all. The attackers retain the encryption keys and are essentially holding the organization’s data hostage until payment is received, or until the organization ignores the demand because it has full and accurate backups of all data. Typically, in these attacks, the storage on the machine is encrypted immediately, leaving the user with a screen that looks much like this:

Ransomware statistics showing targeted industries

What is the Attacker Looking to Gain?

In the case of a healthcare environment such as a hospital, this can be extremely challenging because there is no flexibility in the availability of these files. Health care providers must have them. There are times when the ability to access these documents is literally life or death. This forces the hand of the health care organization into paying the fee the attackers request. Many organizations have started to retain intermediaries to quickly initiate these payments in Bitcoin (which is what is typically used for these ransomware attacks).

The attackers in this case are extremely knowledgeable about the financial aspect of this type of attack, and they understand that the organizations they target will likely not pay the ransom if it is too high. They have found a sweet spot in the amount of ransom to charge, and according to Ponemon (2017), that amount is $2,500. That is the amount most companies are willing to pay in order to have their data decrypted and returned to its original state. For health care organizations specifically, this amount is tiny compared with the devastating effects that could come from not paying the attackers.

How to Protect your Organization’s Data

The first thing to do to ensure that your organization is protected from ransomware and most other types of attacks is to educate your employees about the importance of computer security and malicious links. Well-trained employees can identify and report suspicious emails to the proper authorities and ensure that there is no initial vector for the ransomware at all. Secondly, preparation is key in this situation. Preparing for the inevitable attack is the best mindset to have, and this can take the form of mail filtering, proxies, and firewall rules. In the event that something does happen, all organizations should have a plan in place. Who do you call if you log into your computer at work and that ransomware screen pops up? There is nothing wrong with holding a tabletop exercise with your employees and walking through exactly what needs to happen. With an approach that encompasses these important aspects along with your local tactics and techniques, you can sleep well at night knowing that, although you can never say you’ve won the war, your organization has done its due diligence in preparing for the battle.


Author Bio

John Tagita Jr. is a Sr. Cybersecurity Engineer intern with Alpine Security. He holds a variety of industry certifications including CISSP, GIAC, GCFA, and CCFE. John has a passion for forensic investigations and breach response cases, application security, penetration testing, and blockchain technology. He holds degrees in Information Technology, Cyber Security, and Criminal Justice. John is currently on active duty in the US Air Force as a Cyberwarfare Training Chief.

When John is not working in the cyber security arena, you may find him developing Capture the Flag competitions, such as Hacktober or Hack The Arch, or competing himself. He is also passionate about security research and networking with other like-minded hackers. John loves spending the rest of his down-time with his beautiful wife and his four devilishly handsome sons.

Link up with John on social media at https://twitter.com/attackd0gz on Twitter, and https://www.linkedin.com/in/netsecspecialist on LinkedIn.

Sunday, April 7, 2019

CIS Control 2: Are You Running Software Unaware?

CIS Control 2

My prior blog on CIS Control 1 noted the importance of knowing every hardware device connected to a network. CIS Control 2 also speaks to this type of basic security hygiene, only it is software and application specific. Often, attackers will look for unpatched or unsupported software to target, regardless of the system it is running on or the type of business using it. It is a bootless errand to harden everything hardware-related as effectively as possible when deprecated or infected applications may be running in the background, providing the very point of attack that all the previous hard work was meant to deny.

CIS Control 2:  Inventory and Control of Software Assets 

Critical Control 2 states: “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution” (CISv7). This control is intended to prevent such things as zero-day exploits, where a previously unknown vulnerability is exploited, and other attacks through unpatched, known vulnerabilities in software applications. In order to successfully defend the software on a network, it is of vital importance to conduct a thorough and definitive software asset inventory. Like the physical asset inventory, the software asset inventory must be a live document that is constantly maintained and updated, possibly alongside a patch and update list. At minimum, this inventory should include the name of each piece of software and each application, along with known vulnerabilities and a system for keeping track of updates and patches. Like Control 1, Control 2 is subdivided into sub-controls to make adoption less onerous.

CIS Control 2:  Sub-Controls

Sub-control 2.1:  Maintain Inventory of Authorized Software. 

Best practices are to use only authorized software that is supported by the vendor

This sub-control addresses the necessity of maintaining an up-to-date list of all authorized software necessary for an organization to run business systems for business purposes. Machines that have not been searched for all software are more likely to be running applications that may not be for business purposes, introducing unnecessary risk. Unmonitored machines are more likely to harbor undetected malware. Once a single network foothold has been gained, attackers will exfiltrate sensitive data and leverage this infected machine into several infected machines and networks as well. The infected machines may also be used as part of a DoS/DDoS campaign. Sustained and managed software control plays a critical role in executing backups, as well as in planning and implementing incident response and recovery.

Sub-control 2.2:  Ensure Software is Supported by Vendor. 

When software is supported by the vendor, that means there will be published lists of vulnerabilities and patches, and these will be offered to the users. When software is no longer supported by the vendor, these patches and updates stop, leaving the system at risk. Many attackers will search for outmoded software and attack through its known vulnerabilities. If any software is running that is unsupported, it should be noted in the inventory, and alternatives considered where possible.

Sub-control 2.3:  Utilize Software Inventory Tools. 

Inventory tools greatly simplify the software documentation process. Offerings run from commercial to open source and encompass a range of prices, so that there is a product for every budget.

Sub-control 2.4:  Track Software Inventory Information.

As previously mentioned, the inventory should record the name, version, publisher, and date of installation of each piece of software, as well as the operating systems on which it is authorized to run.

Sub-control 2.5:  Integrate Hardware and Software Asset Inventories.

It is recommended to tie the hardware and software asset inventories to each other so they may be managed from one central location, for ease of management. 

Sub-control 2.6:  Address Unapproved Software. 

This is a good point in the process to address any unauthorized software that may have been found. It is good if there is a company policy for unauthorized software usage, but for our purposes the software should be either removed or added to the inventory.
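Sub-controls 2.1 through 2.6 together describe one procedure: collect what is installed, compare it against the authorized list and vendor support dates, tie it to the hardware inventory, and act on what does not belong. The following script is an added example of that reconciliation, not code from the post or from any inventory product; all hosts, products, publishers and dates in it are constructed sample data.

```python
from datetime import date

# Constructed data. INSTALLED is what a host-based inventory tool (2.3) reports, with the
# fields sub-control 2.4 asks for; AUTHORIZED is the approved list (2.1) with the vendor's
# end-of-support date (2.2); HARDWARE is the device inventory from CIS Control 1 (2.5).
INSTALLED = [
    {"host": "ws-01", "name": "Acme Office", "version": "3.2", "publisher": "Acme", "installed": "2018-11-02"},
    {"host": "ws-01", "name": "Legacy DB Client", "version": "1.0", "publisher": "OldCo", "installed": "2016-05-14"},
    {"host": "ws-02", "name": "Acme Office", "version": "3.2", "publisher": "Acme", "installed": "2019-01-20"},
    {"host": "ws-02", "name": "FunTunes Player", "version": "9.1", "publisher": "FunCo", "installed": "2019-03-30"},
    {"host": "ws-77", "name": "Acme Office", "version": "3.2", "publisher": "Acme", "installed": "2019-04-01"},
]
AUTHORIZED = {
    ("Acme Office", "Acme"): date(2021, 12, 31),
    ("Legacy DB Client", "OldCo"): date(2018, 6, 30),
}
HARDWARE = {"ws-01": "finance laptop", "ws-02": "nurse station PC"}


def reconcile(installed, authorized, hardware, today_iso):
    """Return sorted (host, software, finding) tuples. Findings map to the sub-controls:
    UNAUTHORIZED -> 2.6 (remove it or add it to the inventory), UNSUPPORTED -> 2.2 (plan a
    replacement), UNKNOWN_HOST -> 2.5 (software seen on a device the hardware inventory
    does not know about, so the two inventories disagree)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for item in installed:
        host, name = item["host"], item["name"]
        if host not in hardware:
            findings.append((host, name, "UNKNOWN_HOST"))
        support_end = authorized.get((name, item["publisher"]))
        if support_end is None:
            findings.append((host, name, "UNAUTHORIZED"))
        elif support_end < today:
            findings.append((host, name, "UNSUPPORTED"))
    return sorted(findings)


def summary(findings):
    """Count findings per type so the report can be tracked from one run to the next."""
    counts = {}
    for _, _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(INSTALLED, AUTHORIZED, HARDWARE, "2019-04-07")
    for host, name, kind in results:
        print(f"{kind:13} {host:6} {name}")
    print(summary(results))
```

Authorized software on an unknown host is still flagged, because a device missing from the hardware inventory is a Control 1 gap that the software inventory alone cannot close.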

Sub-control 2.7:  Utilize Application Whitelisting.

Application whitelisting is the creation of an allowable software list. Only software on this list will start and run on the system. Anything not on the list will be prevented from starting and running.

Sub-control 2.8:  Implement Application Whitelisting of Libraries. 

This is the process of allowing only authorized software libraries, such as specific .dll and .ocx files, to load. These specifications can help prevent malicious versions of acceptable software from running.

Sub-control 2.9:  Implement Application Whitelisting of Scripts.

Application whitelisting must also protect the system against any unauthorized scripts. 

Sub-Control 2.10:  Physically or Logically Separate High-Risk Applications. 

High-Risk Applications can lead to viruses

Some applications may be needed to conduct business but are inherently riskier than other applications. These applications should be isolated by segmentation or with a dedicated operating system and workstation.

At this time, whitelisting programs are often bundled with firewalls and IDS/IPS. Most offer customizable whitelisting, and some allow for “gray” list functions, such as allowing administrators to determine what programs can use what resources at what time of day.
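The decision logic behind sub-controls 2.7 to 2.9 and the “gray” list above is simple to state but easy to scope too narrowly: the allowlist must cover libraries and scripts as well as executables, and anything unknown must be denied by default. The script below is an added example of a hash-based allowlist check that illustrates this; it is not code from the post or from any whitelisting product, and the file names, contents, policy entries and time window are all constructed.

```python
import hashlib
import os
import tempfile
from datetime import time

# Files the allowlist covers: executables (2.7), libraries (2.8) and scripts (2.9).
COVERED_SUFFIXES = (".exe", ".dll", ".ocx", ".so", ".ps1", ".sh", ".py", ".vbs")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def decide(path, policy, now):
    """Return 'ALLOW' or 'DENY' for loading or executing `path`. policy["allow"] is a set of
    SHA-256 digests of approved files; policy["gray"] maps a digest to a (start, end)
    time-of-day window. Any other executable content is denied by default."""
    if not path.lower().endswith(COVERED_SUFFIXES):
        return "ALLOW"  # plain data files are outside the allowlist's scope
    digest = sha256_of(path)
    if digest in policy["allow"]:
        return "ALLOW"
    window = policy["gray"].get(digest)
    if window and window[0] <= now <= window[1]:
        return "ALLOW"  # gray-listed: permitted only inside the approved window
    return "DENY"

def demo(hour=10):
    """Constructed scenario: approve one script and one library, then check a modified copy
    of the script (same approved content plus one extra line), an unlisted library, a
    maintenance tool gray-listed for 22:00-23:59, and a plain text file."""
    now = time(hour, 30)
    with tempfile.TemporaryDirectory() as d:
        def put(name, data):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            return p
        approved = put("nightly_backup.ps1", b"Copy-Item C:\\data \\\\nas\\backup -Recurse\n")
        library = put("report.dll", b"MZ constructed library bytes")
        maint = put("maint.exe", b"MZ constructed maintenance tool")
        tampered = put("nightly_backup_copy.ps1", b"Copy-Item C:\\data \\\\nas\\backup -Recurse\n# modified\n")
        unlisted = put("helper.dll", b"MZ constructed unlisted library")
        notes = put("readme.txt", b"not executable content")
        policy = {"allow": {sha256_of(approved), sha256_of(library)},
                  "gray": {sha256_of(maint): (time(22, 0), time(23, 59))}}
        cases = {"approved_script": approved, "approved_library": library, "maintenance_tool": maint,
                 "tampered_script": tampered, "unlisted_library": unlisted, "text_file": notes}
        return {label: decide(p, policy, now) for label, p in cases.items()}
```

Because the check keys on file content rather than file name or location, the modified copy of an approved script is denied even though it carries a familiar name, which is the “malicious versions of acceptable software” case sub-control 2.8 is concerned with.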

CIS Control 2 and Beyond 

Of course, implementing the CIS Controls is not something that can be accomplished in a short amount of time, and many seek specialized help. Alpine Security offers assistance to businesses of any size to ascertain how far along they already are in compliance, and in what areas they may still need to make changes. If the list seems long and the task ahead daunting, our specialists can help break things down and give your organization a roadmap to completion. Alpine Security always offers a free consultation on our Enterprise Security Audit (ESA) Service. The ESA is based on the Top 20 Critical Controls published by the Center for Internet Security. The ESA is intended to provide a comprehensive picture of where an organization currently falls in Critical Control implementation, while also delineating a roadmap for full implementation. With the increase in variety and methods of attack on organizations of all sizes and types, running malicious software unaware can become much more costly than the time spent making sure an organization knows everything that should be running on its systems and is more easily able to spot when something should not be.

Author Bio

Mary, striking a Yoga Tree Pose


Mary Thierry is a Cybersecurity Analyst and Office Manager with Alpine Security.  She is earning her Master’s Degree in Cybersecurity from Maryville University in Missouri.  Mary was raised in rural Illinois on a farm, in a town with 500 people in it.  If you ask her nicely, Mary will tell you how to start heavy machinery on a cold morning, the best types of fertilizer, and the best places to build a deer stand.  Earlier in her career, Mary taught special education, and then worked as a higher education facilitator for disadvantaged teens.  Mary has a disabled daughter and is an advocate for persons with disabilities.  Outside work, Mary loves to spend time with her family, bake, read Science Fiction/Horror and attend Yoga classes.