The COVID-19 pandemic is one of those black swan events that is beyond the scope of normal contingency planning and has unpredictable, long-lasting, and highly disruptive consequences. Yet amid the chaos, one thing has been completely predictable: malicious actors quickly exploiting the panic.
Not long after emergency orders were issued, while the healthcare industry was still preparing for the first wave of coronavirus patients, malicious actors were already bombarding healthcare workers with phishing emails carrying ransomware. They were also exploiting vulnerable remote desktop systems that hospitals had deployed to support a remote workforce, and using that access to install ransomware on hospital systems.
Ransomware is one of the more insidious attacks that malicious actors can unleash. It usually enters an organization through phishing attacks or through vulnerable systems deployed on the network perimeter. Once the ransomware gains a foothold, the infection spreads through common exploits or open shares, moving laterally from machine to machine and encrypting important data. Once that data is encrypted, the attackers display a message demanding a ransom, warning that the data will otherwise be lost forever, followed by instructions for transferring money to them via hard-to-trace cryptocurrency. In most ransomware cases, the requested amount increases over time to pressure companies into acting fast and paying while the price is lower. UCSF was recently targeted by the Netwalker ransomware and paid $1.14M to recover their data.
Hospitals and other healthcare organizations are especially susceptible because many of their mission-critical, internet-connected devices, including medical devices, run vulnerable operating systems that cannot be patched. Examples include nursing stations that have to interact with legacy systems which, in turn, require out-of-date operating systems, and expensive imaging equipment that runs on unsupported and unpatchable versions of Windows XP. Our Rise of the Machines: 2020 Enterprise Risk and Adoption Report found that 15-19 percent of deployments had IoT devices running on legacy operating systems such as Windows 7 (or older).
By some estimates there are nearly 650 million IoT and IoMT devices operating in the healthcare industry right now, and 82% of healthcare organizations using IoT/IoMT devices have had those devices attacked.
When a ransomware attack happens:
- Don’t Panic: If you can isolate infected machines, do it quickly. Stop the spread of ransomware by isolating those machines from the network and protecting systems with important information. It is much easier to deal with a few infected machines versus thousands, so identifying and stopping the spread of ransomware should be the primary goal after it has entered the network.
- Research: Ransomware has been around for a long time. Some variants have been well studied, and free decryption programs are available to defeat them. Once you know which variant of ransomware has hit your network, you may learn that the keys to decrypt your data are readily available and that your infection is little more than a nuisance. However, newer variants are more virulent and use strong encryption that cannot be broken without the attackers' key.
- Respond: Having assessed your situation and taken the appropriate action to limit the damage, you may still find that your important data is encrypted. This is where the question, “Should I pay the ransom?” comes into play and you have decisions to make. Some points to consider:
  - How valuable is your lost data, and can you do without it?
  - Do you have that data backed up and archived?
  - Does losing the data affected by the ransomware put the life of your business at risk?
  - Follow the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments by the U.S. Department of the Treasury to make sure that you are not facilitating payment if, “there is a reason to believe the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.” Doing so could result in an assessed fine.
- No Guarantees: One major point to consider if you decide to pay the ransom is that, after doing so, there is no guarantee of recovery. Keep in mind that attackers are criminals. They may execute an attack campaign, scoop up quick payouts, and then abandon their victims in order to leave a cold trail for investigators. The systems they have set up for transferring payment may not work as intended. Or they may never have intended to cooperate with anyone who paid in the first place.
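As an added illustration of the isolation step above and of the legacy-OS exposure discussed earlier (example code written for this post, not part of the Ordr platform), the script below triages a constructed IoT/IoMT inventory: it flags devices on unpatchable Windows releases, then orders isolation so that infected hosts go first, followed by every host they can reach by lateral movement, nearest hops and data-holding hosts first. Device names, OS strings and reachability links are invented sample data.

```python
# Added example (not Ordr's code): ransomware triage over a constructed
# IoT/IoMT inventory. Two defender questions are answered:
#   1. which devices run legacy Windows that cannot be patched, and
#   2. in what order to isolate hosts once an infection is confirmed.
from collections import namedtuple

# reaches: other devices this one can talk to over shares/RDP (lateral paths)
Device = namedtuple("Device", "name os infected holds_data reaches")

# Constructed sample inventory; every value here is made up for the example.
INVENTORY = [
    Device("mri-01",      "Windows XP SP3",      True,  False, ["pacs-01", "nurse-03"]),
    Device("pacs-01",     "Windows Server 2019", False, True,  ["ehr-db"]),
    Device("nurse-03",    "Windows 7 SP1",       False, False, ["ehr-db"]),
    Device("infusion-12", "Embedded Linux 4.4",  False, False, []),
    Device("ehr-db",      "Windows Server 2016", False, True,  []),
]

# Windows releases this example treats as end-of-support and unpatchable.
LEGACY_WINDOWS = ("windows xp", "windows vista", "windows 7",
                  "windows server 2003", "windows server 2008")

def is_legacy(os_name):
    """True if the OS string names a legacy Windows release."""
    return os_name.lower().startswith(LEGACY_WINDOWS)

def legacy_share(inventory):
    """Percentage of devices on legacy Windows, rounded to a whole number."""
    return round(100 * sum(is_legacy(d.os) for d in inventory) / len(inventory))

def isolation_plan(inventory):
    """Isolation order: infected hosts first, then hosts reachable from them
    by lateral movement (breadth-first), nearest hops first and, within a hop,
    hosts that hold important data before the rest."""
    by_name = {d.name: d for d in inventory}
    hops = {d.name: 0 for d in inventory if d.infected}   # hop distance per host
    frontier = list(hops)
    while frontier:                                        # BFS over reach links
        nxt = []
        for n in frontier:
            for m in by_name[n].reaches:
                if m not in hops:
                    hops[m] = hops[n] + 1
                    nxt.append(m)
        frontier = nxt
    return sorted(hops, key=lambda n: (hops[n], not by_name[n].holds_data, n))

if __name__ == "__main__":
    print("legacy share: %d%%" % legacy_share(INVENTORY))
    print("isolate in order:", isolation_plan(INVENTORY))
```

Devices that never appear in the plan (here the infusion pump) are outside the blast radius of the confirmed infection and can be left running while the others are cut off.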
Of course, the best way to respond to a ransomware attack is to take proactive, mitigating action before it happens. Work with trained security experts to assess vulnerabilities, close security gaps, train employees, and put a written incident response plan in place that is specific to your organization, and maintain a robust backup strategy for important information before an attack occurs. There are many antivirus and backup tools available that can prevent or limit the damage of a ransomware or other malware attack.
For organizations that have adopted IoT as part of their infrastructure and technology strategy, the Ordr platform is designed to give you full visibility into all the devices connected to your network, an understanding of their purpose and operation, and automated management and security policies to ensure maximal protection for even the most sensitive and mission-critical equipment. In a worst-case scenario, Ordr can facilitate the rapid isolation and protection of infected devices.
If you have questions about your situation, or need a partner with the skills and expertise to help protect your IoT assets, let us know. We work with a number of excellent integrators and managed security providers who specialize in protecting healthcare and other industries that are heavily invested in the use of connected devices.
Jeff Horne is currently the CSO at Ordr where he is responsible for security direction both within Ordr products and internal security. Prior to Ordr Jeff was the VP of Information Security for Optiv where he was responsible for all Security Operations, Governance Risk and Compliance, Endpoint, Internal Incident Response, Physical Security, and Employee Security Awareness groups. Before Optiv Jeff was the Senior Director of Information Security for SpaceX where he was responsible for the overall security strategy of SpaceX and managing the Information Security, Compliance (ITAR), Security Operations, and Physical Security groups. Previous to SpaceX Jeff was the Vice President of R&D and Chief Architect for Accuvant LABS where he managed teams of researchers and consultants specializing in reverse engineering, malicious code, incident response, breach analysis, and vulnerability assessment. Prior to Accuvant Jeff was the Director of Threat Research at Webroot Software where he led several teams of malware researchers, reverse engineers, and a development organization specializing in creating anti-malware functionality and detection signatures for all Webroot products. Jeff began his career as a Vulnerability Researcher at Internet Security Systems where he was responsible for vulnerability discovery, exploit creation, IDS evasion research, and behavioral detection of malware. Jeff is well known for his insight in interviews for numerous news channels and publications, speaking roles at various security conferences, as well as authoring several vulnerability disclosures and patents.