Last week the latest ransomware worm is spread across the world. It encrypts files and demands a ransom payment in return for the decryption key.
This malware attack is commonly called “Petya” and, as a worm, it can spread from one computer to another without human intervention within a Windows network. As such, it targets organizational windows networks which are common in Healthcare. The initial infection appears to be via the EternalBlue malware that was used in WannaCry. It also may use the software updates from Ukrainian financial software vendor MeDoc, as well as MS Word documents containing malicious code.
The propagation within the local network is done using PsExec and WMI services. The result of infection is encryption of files and the Master Boot Record. Once an infected system has been encrypted, it should be restored from backup. It is not clear if payment of the ransom will result in a usable key.
To prevent this malicious software from infecting your systems, check the following.
- Ensure all systems have up to date patches. In particular, make sure that MS17-010 has been successfully install on all windows systems.
- Disable the utility called “psexec.exe”. This is often installed as a service. If possible, it should be disabled.
- Block the file C:\Windows\perfc.dat from running.
- Review information here on a potential vaccine. While this is not a kill switch, can can be useful in preventing an attack.
Unfortunately, once a system (or the network) has been infected, it may be too late and significant data loss is the likely outcome.
Please take a moment to attend to this risk by patching all systems, evaluating your vulnerabilities, deploying the vaccine, and training staff about suspicious files.
Please let us know if you have additional questions.
As you probably heard, a massive ransomware attacked swept through networks around the world on Friday. It appears to have started in the healthcare industry, thus underlying the vulnerabilities within the entire industry. While the ways to defend or prevent this attack are nothing new, here are the three things you should do right now.
- Update All Patches: Wannacry exploits a vulnerability in the Windows OS. Microsoft has released a patch to correct this vulnerability, including for Windows versions it technically no longer supports. Be sure ALL patches, especially Windows patches, are up to date on all workstations and mobile devices.
- Re-Train Staff On E-mail Best Practices: Wannacry is initially delivered through an e-mail attachment or link. You should remind all staff immediately to be aware of ALL links and attachments they receive, especially in the next few days. Everything about an e-mail with a link or an attachment should be scrutinized before opening a link or downloading an attachment. If anything seems suspicious or out of place, contact the sender to confirm its authenticity or contact your IT manager for further instructions.
- Validate Backups: If patching and training are ineffective, your last line of defense against WannaCry is having up to date backups that are segmented from the rest of your network and are conducted with a high degree of frequency. You should also have recently tested your backup to ensure you can restore your systems if necessary.
Despite what you might have heard in various news reports, we expect this ransomware attack to continue to spread for the next several days or weeks. You should take these three steps immediately to prevent your organization from falling victim to this attack. We will send additional updates as new information warrants. Let us know if you have any questions.
New data indicates that small and medium healthcare organizations are a growing target of ransomware attacks. The data also suggests that of the victims of a ransomware attack that paid the ransom, only 45 percent got their information back.
This changes the thinking about ransomware from something you might be able to recover from, to something you should do everything possible to prevent. Good ransomware prevention is a combination of high-tech and low-tech solutions.
High-tech solutions include having adequate backups. If you are equipped with a good backup, you can switch to that backup without losing access to any data and avoid having to deal with whether you will pay a ransom or not. To be successful against a ransomware attack, backups should be located on alternative media to avoid being encrypted by a hacker. They must also occur frequently enough to allow you to restore to the backup without losing any information. Finally, your backup should be tested to ensure it can be relied on if necessary.
Low-tech solutions include a disaster recovery plan and workforce training. Your disaster recovery plan should anticipate and address ransomware. It should also require that you test your backups and your plans regularly.
Training should also be done to educate staff how to spot and avoid a ransomware attack. In most instances, ransomware attacks are initiated by an employee downloading an e-mail attachment that looks legitimate. Therefore, your workforce members should know how to spot such attempts, and what to do if they see one. A simulated phishing attacks is an excellent way to help improve staff behavior. In these scenarios you will send a benign phishing e-mail to staff and track who downloads the attachment inappropriately. You then use this as an opportunity to re-train those individuals.
It is uncertain whether paying the ransom will allow you to gain access to your data in a ransomware attack. Therefore, the focus must be firmly placed on prevention of such an attack. While there is no silver bullet, ransomware attacks can be prevented with a multi-faceted approach.
Can We Really Win the Ransomware War?
The threat of “Ransomware” has been growing at an enormous rate over the last few years. Many experts believe it to be one of the major income streams for organized cybercrime. Of all the target areas for Ransomware, healthcare is one of the most profitable. This trend will only increase as new attack software has far outstripped the industry’s response.
How does Ransomware work?
Ransomware is malicious software that is installed on one or more of your systems, usually by an innocent click of a staff member on an email containing an infected file or link. Once activated, the malware systematically encrypts files with a key only known to the attacker. It is usually intended to bring all operations to a halt and create an emergency situation that only the attacker can resolve. A ransom fee is demanded and, if paid, the key to decrypt the files is provided. Experts estimate that nearly 50% of healthcare organizations have been hit by Ransomware. The cost and disruption of a Ransomware attack can be significant, and although they rarely involve the direct release of PHI to the public, HHS Office of Civil Rights has ruled that Ransomware incidents are releases under the HIPAA Omnibus Rule and must be reported as a privacy breach.
So, although ransoms demanded in 2016 averaged only $679 per event, the costs of response, interruption to operations, damage to patient trust and public reporting burden, coupled with rising ransoms and increasing frequency of attacks, all point to a rapidly increasing risk for healthcare providers.
The biggest problem we face with Ransomware is its profitability. As a tool of extortion, it is very effective. Especially given the fractured international enforcement of cybercrime laws. Added to that is the problem that the healthcare industry lags behind other industries in deploying basic security controls. This means that healthcare organizations of all types are the “Low Hanging Fruit” that can provide a huge cash flow using automated hacking tools.
Despite headlines of large institutions being targeted, it is the smaller institutions that are at highest risk. Many smaller ransom payments add up quickly and by keeping ransom demands at a level that doesn’t break the bank they get less publicity (and effort from law enforcement).
Thus, small and medium-sized healthcare organizations are perfect targets because,
- They are completely reliant on continuous availability to their EHR and Practice Management Software
- They are often behind the curve on implementing effective cyber risk management
- They tend to overlook threats to business-critical IT services posed by ransomware during contingency and disaster recovery planning
- The combination of weak protection of the network, and inadequate backup, leaves most victims at the mercy of the extortion
As a result, a huge amount of money is getting extorted. With minimal risk of prosecution, we can anticipate a continuing epidemic of Ransomware targeting the healthcare industry.
What can we do about it?
The only thing that will change this trend is to decrease the likelihood of success through prevention. That means small and medium sized providers must step up their game when it comes to educating everyone about Ransomware, it’s prevention, and how to respond to it.
How do we fight the criminals?
There are three ways of stopping Ransomware and they all should be implemented. The first two are basic risk management controls that should be part of every institution’s cybersecurity program. The third will likely become core technology required to mitigate the risk of Ransomware.
- Good cyber infection controls
This means your anti-virus/anti-spam/anti-malware software is installed and maintained on all devices, including cell phones and tablets used in the workplace. It also means that you have tools, such as an Intrusion Protection System, to quickly identify and halt attacks, whether by email attachments or direct compromise of servers by hackers. Finally, it requires that all staff be trained in good computer hygiene and incident reporting.
- A tested disaster recovery plan that anticipates and addresses Ransomware
This means that data is backed up onto alternative media and cannot be encrypted by the Ransomware. The backups must occur frequently enough for you to be able to restore your operations from them without the benefit of the data that has been created since the last backup. And, it means that the backup restoration is tested and can be relied on to bring your operations back on line quickly.
- New technology that detects and stops the encryption
Vendors have created security software that detects common variants of current Ransomware. They are also developing tools that detect the behavior of Ransomware and can shut down processes that appear to misbehave until an operator can assess the situation. There are various evolving technologies that hopefully will be effective in curbing Ransomware.
Where to start?
Ongoing Risk Management is a requirement. It needs to factor in the increasing threat from Ransomware. It also needs to evaluate the effectiveness of protective controls, and it needs to keep on top of the contingency planning process to ensure that you are not left at the mercy of a cybercriminal in the event of a Ransomware attack.
This is not a situation to be taken lightly. Ransomware can expose your business to an existential threat. Remember, the extortionists can always take your money and fail to deliver the key. They may even ask for more ransom. This threat will only increase, so now is the time to get serious and make Security Risk Management and Ransomware preparedness a core part of your business plan.
Eric Hummel, CTO