Guarding Against Fileless Ransomware Attacks


Fileless ransomware attacks are predicted to comprise 35 percent of all attacks next year, according to the Ponemon Institute

Fileless ransomware attacks are the new way for cybercriminals to maneuver around ransomware blocks and remain undetected. As protection technology advances, so does the technology the criminals use to attack.

A recent study indicates that 77 percent of the attacks that compromised organizations this year were fileless, and that fileless attacks are ten times more likely to succeed than file-based attacks. These emerging attacks go unrecognized by traditional antivirus tools because they do not write new software to disk; the malicious code runs in memory inside processes that are already trusted.

Fileless ransomware attacks target vulnerabilities, such as browser vulnerabilities, to make the browser itself run malicious code. Typically, this happens when a user receives a spam message with a link to a malicious website. This also means that much of the guidance on preventing ransomware up to this point is now outdated. The focus recently has been on preventing ransomware by not downloading attachments from unknown senders. While that advice still applies, it is not a silver bullet for preventing ransomware attacks.

As this new threat emerges, it is important to update your prevention mechanisms. A successful fileless attack relies on vulnerabilities in software that is already installed, so patching and updating operating systems and applications is critical. Additionally, adding behavior-based systems to your defenses, including endpoint protection that watches what running processes do rather than only scanning files, can spot and stop a fileless attack. Finally, update your training, or at least include a reminder that ransomware can arrive in ways other than email. As with many other technical threats to PHI, this one requires a multi-layer approach.
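The following is an added example of the kind of behavior-based check described above; it is not QI Express's code and not the logic of any particular endpoint product. It flags a browser process that spawns a script host or command interpreter, which is the process-level behavior a fileless browser exploit produces and which a file-scanning antivirus never sees. The log format (timestamp, host, user, parent image, child image separated by `|`), the process names in the two sets and the sample records are all constructed assumptions.

```python
"""Behaviour-based check for fileless activity in process-creation logs.

Added example, not QI Express's code. It flags a browser process that
spawns a script host or command interpreter, a pattern a behaviour-based
endpoint tool would alert on. The log format is a constructed,
simplified record: timestamp|host|user|parent_image|child_image.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# Processes a user drives by hand; under normal use they render pages and
# documents, they do not launch interpreters. Constructed list.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}

# Interpreters and script hosts that let code run without a new executable
# being written to disk. Constructed list.
SCRIPT_HOSTS = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host: str
    user: str
    parent: str   # executable name of the parent, lower-cased
    image: str    # executable name of the new process, lower-cased


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed log record; ntpath handles Windows paths on any OS."""
    ts, host, user, parent, image = line.strip().split("|")
    return ProcessEvent(ts, host, user,
                        ntpath.basename(parent).lower(),
                        ntpath.basename(image).lower())


def suspicious_children(lines: Iterable[str]) -> List[ProcessEvent]:
    """Return the events in which a browser spawned a script host or shell."""
    hits: List[ProcessEvent] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.parent in BROWSERS and ev.image in SCRIPT_HOSTS:
            hits.append(ev)
    return hits


# Constructed sample log: two records match the heuristic, three are benign
# (explorer opening notepad, a browser starting a helper of its own, and a
# scheduled backup job running robocopy from cmd).
SAMPLE_LOG = r"""
2017-11-06T09:12:03Z|WS-017|jdoe|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2017-11-06T09:12:04Z|WS-017|jdoe|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe
2017-11-06T09:15:41Z|WS-022|asmith|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Program Files\Mozilla Firefox\firefox.exe
2017-11-06T09:16:02Z|WS-022|asmith|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Windows\System32\mshta.exe
2017-11-06T09:20:10Z|WS-003|svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\robocopy.exe
"""

if __name__ == "__main__":
    for ev in suspicious_children(SAMPLE_LOG.splitlines()):
        print(f"{ev.ts} {ev.host} {ev.user}: {ev.parent} -> {ev.image}")
```

The check keys on the parent/child relationship rather than on any file hash, which is why it still fires when no new executable ever touches the disk. In practice the two name sets would be tuned to the organization's own software inventory, and a hit would be treated as a triage signal, not a verdict on its own.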

KRACK: Understanding the Vulnerability


The KRACK WIFI vulnerability was announced by security researchers and US-CERT today. It can affect every modern WIFI network and has the potential to impact every device that connects to WIFI. Where a device is affected, KRACK could allow any information sent over WIFI to be stolen, including passwords, credit card numbers, private emails, and so on. This vulnerability is a major problem for our enterprises and users. Vendors will need to step up and provide fixes quickly, and everyone throughout the organization will need to pitch in and follow the recommended remediation.

What is KRACK?

KRACK is a vulnerability in WPA2, the most common security protocol used to authenticate WIFI connections to a secure network, which is used by virtually every WIFI network. When this vulnerability is exploited, it permits an attacker to decrypt the session between a WIFI client (e.g. a mobile device) and the access point (e.g. a wireless router). In certain cases, it would permit the alteration of content. All versions of WPA2 are affected.

How serious is it for me?

KRACK is a very serious problem in the long run, but how concerned you should be in the short term depends on your threat analysis. The threats of concern are those that are local (i.e. within radio range of your WIFI) and interested in compromising the confidentiality or integrity of your trusted network and the data it contains. Because the attacker must be within range, the attack does not scale to remote international actors such as crime cartels; it can only be exploited by a local actor.

What actions should I be taking?

In the short term, we suggest revisiting your threat assessment and your staff training. To assess whether the threat is imminent, determine whether there is a local person (e.g. a disgruntled current or former staff member) who may be interested in and capable of exploiting this vulnerability. If such a threat exists, a defensive strategy should be developed.

The specific strategy is very organization specific but should include working with law enforcement, upgrading monitoring and log analysis, and changing firewall rules or restructuring trust zones. Staff should also be trained to pay close attention to HTTPS connections. HTTPS is a weak protection against exploitation on its own, because it only helps if the user notices when it is absent, but if the user always checks that the internal web resource is protected (e.g. the lock icon or “https://” in the URL), the contents remain encrypted inside the WIFI session as a second line of defense. Users must be trained to look for this themselves, since they may receive no alert when it is missing.

Long-term, we recommend that you connect with all vendors of WIFI-associated equipment used in your environment and determine their schedule for releasing software patches and upgrades. As soon as these are available, install them and test each wireless device to ensure proper function.

What WIFI connections and activities are safe?

Bear in mind that “safe” is a relative word in cybersecurity. These are the safer activities:

  • Use of SSL (HTTPS) connections, which encrypt the data, but the user must pay close attention that HTTPS is actually in use; and
  • Use of “thin clients” (e.g. Citrix, VNC or other proprietary protocols), which deliver a picture of the data to the device rather than a copy of the data.

What WIFI connections are unsafe?

The following connections are not considered safe:

  • VPN connection assumed to be trusted and not using SSL (HTTPS);
  • Internal wireless connection where internal servers do not require SSL;
  • Home WIFI of remote users;
  • Anywhere that the login credentials to WIFI can be reused in another context (e.g. Active Directory);
  • Wherever WPA2 is used in any form to connect to a wireless access point.

To summarize, a new vulnerability has just come to light that impacts WIFI connections. It can only be carried out by a local actor, therefore you need to evaluate potential threats from staff and others within range. If you determine an imminent threat, you should take action immediately. Otherwise, install and test updates from WIFI-associated equipment vendors to mitigate this vulnerability.

For up-to-date information about the patches you need to secure your WIFI, please visit ZDNet.

QI Express to Present at 89th Annual AHIMA Convention


The American Health Information Management Association (AHIMA) Convention and Exhibit is taking place this year in Los Angeles. This annual five-day conference brings together healthcare professionals to explore the vast world of information technology.


The conference will examine the vital topics of health data analytics, informatics, security, and governance. As an increasing need for cyber solutions forms, conferences such as these become one of the main formats to discuss the changing climate of health technology. AHIMA allows presentations, panel discussions, and open forums to educate and advance the healthcare world.

QI Express is proud to announce that Robert Zimmerman (C.E.O. and Founder) and Adam Bullian (Chief Operating Officer) will be presenting at the Privacy and Security Institute.

Robert will be kicking off the event early, co-presenting with Special Agent Boeing Shih of the FBI. Their discussion, “Emerging Cybersecurity Threats In Small and Medium Sized Hospitals: A Conversation with the FBI Cybersecurity Task Force and Industry Experts,” is expected to draw a big turnout, as this issue is prevalent and growing in the industry. Robert and Boeing will provide insights into threats that can affect organizations, as well as guidance on best practices for implementing prevention techniques. This panel will be on Saturday, October 7th at 9:15 am.

Adam will be presenting later that day on “The Essentials of Auditing and Managing Business Associates.” This discussion will cover how healthcare organizations are growing more reliant on vendors to deliver critical business services. As more associates are added to the business chain, more vulnerabilities arise and the risk grows. Adam will provide practical steps that hospitals of all sizes can take to understand, evaluate, validate, and manage the safeguards our business associates are applying. Adam’s discussion will be on Saturday, October 7th at 1:45 pm.

QI Express’s solutions include Security Risk Assessments, Security Readiness for Small and Medium-Sized Businesses, Security Awareness Training, HIPAA HITRUST Audit and Certification, and Emergency Preparedness.

For more information on AHIMA or a schedule of AHIMA events, please visit

We look forward to seeing you there! To request a demo or for more information about our services, please fill out the form below.


Details on the Largest Data Breach Settlement in History 


On Friday, attorneys announced a $115 million settlement for customers affected by the 2015 Anthem data breach. It is believed to be the largest settlement related to a data breach in history. Approximately 79 million people were affected by the breach. The settlement funds will be used to provide two additional years of credit monitoring to affected individuals, or cash for those already enrolled in monitoring. This is in addition to the initial two years of credit monitoring previously provided.

The February 2015 breach was caused by an unknown hacker who accessed a database containing personal information. There has been no evidence that the information was released on the cybercrime underground, which leads some to theorize that it was the work of a state-sponsored hacker.

This settlement is in addition to the $260 million spent on security improvements, remediation and clean-up following the breach, bringing the total costs associated with this breach to $375 million.

Do These Things Right Now To Defend Against WannaCry


As you probably heard, a massive ransomware attack swept through networks around the world on Friday. It appears to have started in the healthcare industry, underscoring the vulnerabilities within the entire industry. While the ways to defend against or prevent this attack are nothing new, here are the three things you should do right now.

  1. Update All Patches: WannaCry exploits a vulnerability in the Windows OS. Microsoft has released a patch to correct this vulnerability, including for Windows versions it technically no longer supports. Be sure ALL patches, especially Windows patches, are up to date on all workstations and mobile devices.
  2. Re-Train Staff On E-mail Best Practices: WannaCry is initially delivered through an e-mail attachment or link. You should remind all staff immediately to be wary of ALL links and attachments they receive, especially in the next few days. Everything about an e-mail with a link or an attachment should be scrutinized before opening the link or downloading the attachment. If anything seems suspicious or out of place, contact the sender to confirm its authenticity or contact your IT manager for further instructions.
  3. Validate Backups: If patching and training are ineffective, your last line of defense against WannaCry is having up-to-date backups that are segmented from the rest of your network and are taken frequently. You should also have recently tested your backups to ensure you can restore your systems if necessary.

Despite what you might have heard in various news reports, we expect this ransomware attack to continue to spread for the next several days or weeks. You should take these three steps immediately to prevent your organization from falling victim to this attack.  We will send additional updates as new information warrants.  Let us know if you have any questions.

Preventing Insider Threats


No one likes to think about it, but malicious attacks by insiders and other insider threats are the cause of a significant number of healthcare data breaches. They can come from a disgruntled employee, a recently terminated member of staff, or even someone who is being bribed to provide patient information. While they may be some of the hardest attacks to guard against, they are preventable. Here are a few steps to keep in mind:

  • Screen New Hires:  One of the best prevention methods is to not hire someone who turns out to be a malicious employee in the first place.  You may consider completing a background check on all new hires and even periodic checks on current staff members.  While not an exact science, it may help to identify potential bad actors before they cause any damage;

  • Terminate Employees Immediately: Often when employees leave an organization there can be hard feelings, which can lead to irrational decisions. To help guard against this, you should terminate all access to PHI immediately upon the employee leaving the organization. Any delay in terminating access leaves you susceptible to the whims of a disgruntled former employee;

  • Perform Regular Access Audits:  Having a process in place to review logs of who within your organization is accessing PHI and what they are accessing can be a helpful tool in spotting a snooping employee. To truly be effective, the logs need to be reviewed on a consistent basis to identify an employee who is accessing PHI unnecessarily or to pick up suspicious patterns of access; and

  • Train Staff on Sanctions:  Training should include information that outlines the sanctions that can be imposed (both by you, the employer, and the authorities) for malicious actions involving the access or disclosure of PHI.
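The following is an added example of the access audit described in the "Terminate Employees Immediately" and "Perform Regular Access Audits" steps above; it is not QI Express's code and is not tied to any particular EHR product. It runs three checks over a PHI access trail: access by an account whose owner has already left, access by an account that is not on the HR roster at all, and an account that touched far more distinct patient records than its peers in the review window. The log format (timestamp, user, patient id, action separated by `|`), the roster structure, the thresholds and all sample records are constructed assumptions.

```python
"""PHI access-log audit for the insider-threat steps above.

Added example, not QI Express's code. It runs three checks over an
EHR-style access log: (1) access by an account whose owner has left,
(2) access by an account that is not on the HR roster, and (3) an
account touching far more distinct patient records than its peers.
Log and roster formats are constructed assumptions.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import median
from typing import Dict, Iterable, List, Optional, Set, Tuple

Finding = Tuple[str, str, str]  # (rule, user, detail)

# Constructed HR roster: user -> last day of employment, None if still active.
ROSTER: Dict[str, Optional[date]] = {
    "jdoe": None,
    "asmith": None,
    "bjones": None,
    "mlee": date(2017, 10, 31),
}

# Constructed access-trail excerpt: timestamp|user|patient_id|action
ACCESS_LOG = """
2017-11-06T08:05:12|jdoe|P1001|view
2017-11-06T08:40:51|jdoe|P1002|update
2017-11-06T09:02:33|asmith|P1003|view
2017-11-06T09:30:07|asmith|P1001|view
2017-11-06T11:15:44|mlee|P1004|view
2017-11-06T12:01:00|bjones|P1005|view
2017-11-06T12:01:30|bjones|P1006|view
2017-11-06T12:02:10|bjones|P1007|view
2017-11-06T12:02:55|bjones|P1008|view
2017-11-06T12:03:20|bjones|P1009|view
2017-11-06T12:04:05|bjones|P1010|view
2017-11-06T12:04:48|bjones|P1011|view
2017-11-06T12:05:30|bjones|P1012|view
2017-11-06T13:10:00|tmp_vendor|P1002|view
"""


def parse_access(line: str) -> Tuple[datetime, str, str, str]:
    """Parse one constructed access record."""
    ts, user, patient, action = line.strip().split("|")
    return datetime.fromisoformat(ts), user, patient, action


def audit(lines: Iterable[str], roster: Dict[str, Optional[date]],
          min_threshold: int = 5, ratio: float = 3.0) -> List[Finding]:
    """Return findings for the log; each (rule, user) pair is reported once."""
    findings: List[Finding] = []
    seen: Set[Tuple[str, str]] = set()
    patients: Dict[str, Set[str]] = defaultdict(set)

    def report(rule: str, user: str, detail: str) -> None:
        if (rule, user) not in seen:
            seen.add((rule, user))
            findings.append((rule, user, detail))

    for line in lines:
        if not line.strip():
            continue
        ts, user, patient, action = parse_access(line)
        patients[user].add(patient)
        last_day = roster.get(user)
        if user not in roster:
            # An account HR does not know about should not touch PHI at all.
            report("unknown-account", user,
                   f"{action} of {patient} at {ts.isoformat()}")
        elif last_day is not None and ts.date() > last_day:
            # Access after the last day of employment means deprovisioning lagged.
            report("terminated-account-access", user,
                   f"left {last_day.isoformat()}, {action} of {patient} at {ts.isoformat()}")

    # Volume check: an account is an outlier if it touched more than
    # max(min_threshold, ratio x median) distinct patients in the window.
    if patients:
        counts = {u: len(p) for u, p in patients.items()}
        threshold = max(min_threshold, ratio * median(counts.values()))
        for user, n in sorted(counts.items()):
            if n > threshold:
                report("access-volume-outlier", user,
                       f"{n} distinct patients, threshold {threshold:g}")
    return findings


if __name__ == "__main__":
    for rule, user, detail in audit(ACCESS_LOG.splitlines(), ROSTER):
        print(f"{rule:26} {user:12} {detail}")
```

The volume rule compares each account against the median of its peers rather than against a fixed number, so a clinic where every clinician legitimately sees many patients a day does not drown the reviewer in noise; the `min_threshold` floor keeps a single busy account from being flagged when the review window is nearly empty. Findings are meant to be read by a person on a regular schedule, as the step above says, not acted on automatically.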

Admittedly, guarding against insider threats is a challenge, but it is possible.  If you implement reasonable protections then you can prevent or stop nefarious actions by your staff.