The first quarter of 2016 saw more than $209 million in ransomware payments made in the U.S. according to FBI estimates, compared to only $24 million in payments in all of 2015. Though ransomware has been around for more than a decade, it has only recently grabbed mainstream media attention in large part due to the affect it is having on healthcare organizations.
Hospitals are an ideal target for ransomware attacks because, without access to computer systems and patient records, it’s not possible to access drug histories, surgery directives, and other critical information needed for patient care. This results in hospitals being more likely to pay a ransom rather than risk delays that could result in death and lawsuits.
So what precautions should healthcare providers take, and what steps should be followed in the event healthcare IT systems are compromised to minimize the impact on patient care and to restore IT systems as quickly as possible?
Health IT Outcomes set out to find the answers to these questions and more, speaking with ClearDATA Founder and Chief Privacy and Security Officer, Chris Bowen.
Q: How does ransomware work and who is behind it?
Bowen: Usually ransomware is installed on a system with the help of an unwary user who opened an email attachment from a phishing attack, or clicked a link on an infected website. Once this happens, the ransomware installs itself and quietly begins to run in the background. It begins by encrypting local files but can quickly travel to any mapped drive or volume and does the same thing.
For the most part, ransomware is being distributed by organized criminals looking for a way to scale their efforts to capitalize on the unprepared. These cyber criminals use ransomware because it’s relatively easy to buy and use the tools, the profit is fairly predictable because there is instant demand for decryption help, and there is less risk in the payoff because there is usually no direct contact or sale of data. As with any criminal organization, there are many kinds of attackers.
Q: What are some of the tools of the trade utilized by cyber attackers?
Bowen: Ransomware really came on the scene in 2012. According to the Department of Homeland Security, attackers using data from a command and control (C2) server of 5,700 compromised computers profited approximately $33,600 per day when nearly 3 percent of the victims paid the average ransom of $200. In 2013, more destructive and lucrative ransomware variants were introduced including Xorist, CryptorBit, and CryptoLocker.
Ransomware criminals use many kinds of software to entrap their victims, each with its own flavor. For example, CryptoWall uses an unbreakable AES encryption, is widely distributed using exploit kits, spam campaigns, and malvertising, and uses I2P network proxies and the Tor network for payments using Bitcoins. TorrentLocker (sometimes referred to as CryptoLocker) is similar. Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email which contains Upatre, a downloader, which infects the user with GameOver Zeus, which is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. This particular ransomware harvests email addresses from the victim in order to further spread itself to new victims.
The Locky tool is relatively new to the scene but is aggressively distributed by spam and compromised websites, and scrambles any files in any directory on any mounted drive it can access.
Unlike most ransomware, SamSam, which appears to be focused on the healthcare industry, is not launched via phishing campaigns or exploit kits. Instead, this menace seems to be distributed by compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom.
Other tools include TorrentLocker, CTB-Locker, Samsam, CrypVault, and PayCrypt. Interestingly, TeslaCrypt recently shut down its operations and published its decryption keys.
Overall, these tools are gaining features. In the early days, ransomware inflicted unwanted encryption on files stored locally on a machine. Now ransomware is fully able to traverse network drives, SANs and NASes, and UNC paths. It encrypts anything it can touch and access with the level of permissions granted to the user account under which the malware is executing. Signatures for ransomware can also be polymorphic — it may change after every installation in order to avoid detection by signature-based anti-malware.
Q: Break down a typical attack from start to finish.
Bowen: Assuming we’re describing a phishing-based distribution method, typically the user will receive an email attachment such as an invoice, shipment tracking document, or something that looks normal. These emails are often very generic, but could include a real vendor name or even your company name. The user’s machine is typically connected to network, or a shared cloud service.
Once the user clicks that attachment in the email, the ransomware silently begins encrypting all of the files it can without any user interaction or notification. Once complete, it alerts the user and provides payment instructions, usually made in Bitcoins. Some ransomware attackers even provide “Customer Service” information to help the victim decrypt its files — a method used to instill confidence in the victim that payment will solve their problem.
At that point the victim has two choices; 1) pay the ransom or 2) wipe their system and restore from a valid, recent backup. In many cases it’s not an easy choice, especially when access to patient records that may not be available on paper could cause hardship or even death for a patient.
Q: What impact — financially and psychologically — does a ransomware attack have on an organization?
Bowen: Ransomware has been so effective its shock value seems to be decreasing — unless you’re a victim, especially in healthcare. It can be scary to see that screen pop up and demand a ransom. Those who have lived through it will probably never forget the chaos that happens within their operations; the angry patients who show up for a procedure only to be turned away, and heaven forbid the many medical mistakes made due to lack of access. I’m shocked by the claims of some ransomware victims who have publicly pronounced after an attack that “patient care has not been compromised,” or that “all patient data is safe.”
The ransom itself is the least of the healthcare providers’ expenses in the wake of a ransomware attack. If they pay the ransom, it’s relatively small compared to the hundreds of thousands or even millions of dollars it may take to completely restore their systems. Then there are the lawsuits, the regulatory investigations, the lost trust, and the damage to an organization’s reputation. Ransomware can be devastating to an organization.
Q: What happens when an organization is locked out and who within that organization should be involved in resolving the attack?
Bowen: As with any incident, a rehearsed, practiced, and well-known incident response procedure should help guide the organization during the attack. But the response needs to be incredibly fast in order to minimize the damage. Certainly the Chief Information Security Officer should lead the response, but he’ll need the support of the information security operations team and probably outside consultants who are experts at containing ransomware. In addition, the CISO should surround himself with legal, compliance, and communications experts to assist with documenting findings, determining the cause, performing a risk assessment, and properly communicating with affected stakeholders and regulators.
Q: The FBI advises not paying ransom. Do you agree with that advice?
Bowen: This is a tough decision. On the one hand if you trust that your systems will be successfully decrypted, you could be back in business much sooner than if you had to rebuild and restore your infrastructure. Of course this is no guarantee, nor is there a guarantee the encrypted files will be released; it only guarantees the malicious actors receive the victim’s money and, in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed. One thing you can count on if you pay — your organization will be known to the entire cyber underworld as having paid the ransom, making you a perpetual target.
I lean toward the do-not-pay camp, but can understand why some do. If a healthcare provider is unprepared for a recovery on their own, they may have little choice between paying and starting over.
Q: Is it possible to defend against a ransomware attack? What are some strategies to accomplish this?
Bowen: Of course it’s possible to defend against a ransomware attack. Begin by educating users about the dangers of email attachments. Employing proper security controls and having a data backup and recovery plan for all critical information is a must. I also recommend that these backups be tested for recovery times to limit the impact of data or system loss and to expedite the recovery process. It’s imperative that critical backups be isolated from the network for optimum protection.
I also recommend implementing application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
Your operating system and software should be kept up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
Although some ransomware changes signatures often, it’s still important to maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing. Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services.
This next one seems obvious. Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.
Q: How important is educating/training staff in the prevention of ransomware attacks?
A: It’s always first on my list. In my opinion it’s equally as important as anti-malware software, firewalls, security patches, and every other defensive mechanism. You can have all the controls in the world, and then that new ransomware variant finds its way to an inbox — then you’re left to the awareness of the user who can either recognize the attack, or bring down your entire organization.