[BreachExchange] Get ready for hospital ransomware attacks 2.0

[Audrey McNeil]

http://www.beckershospitalreview.com/healthcare-information-
technology/get-ready-for-hospital-ransomware-attacks-2-0.html

On February 5, 2016, staff members at Hollywood Presbyterian Medical Center
began having difficulty accessing the hospital's computer network. The IT
department was called in to investigate, and quickly, their worst fears
were confirmed — the hospital's network had been infected with ransomware.

Shortly afterwards, hospital staff declared an internal state of emergency,
and IT systems were forced offline, knocking out access to electronic
health records. This decision triggered a chain reaction of service delays
and outages that spread throughout the organization with serious effects:
Staff reverted to communicating via fax machines. Paperwork was completed
by hand. Lab work and test results were inaccessible. CT scanning and the
radiation oncology department were temporarily shut down. Some emergency
patients had to be diverted to other hospitals for care.

What had started out as files getting encrypted had quickly snowballed into
hospital-wide operations grinding to a halt.

The disruption lasted for 10 days. In the end, the hospital determined that
paying a ransom of $17,000 was "the quickest and most efficient way" to get
things back up and running. Yes, they were paying to restore the encrypted
data, but more importantly, they were paying to be back in business.

Still think the primary threat of ransomware is data loss?

Make no mistake — the ultimate objective of hackers targeting institutions
like hospitals isn't to encrypt their files. The true goal is to frighten
the victim into paying by creating widespread disruption. File encryption
has simply been a common means to that end. As the attack becomes more
debilitating to the victim's operations, it grows more and more likely that
the attacker will be able to demand, and receive, a bigger ransom payment.

Hollywood Presbyterian wasn't the only healthcare provider to suffer
through ransomware attacks and pay ransoms in 2016. Marin Medical Practices
and Kansas Heart Hospital were two other prominent cases. Educated by these
successes, criminals are now tailoring their attacks to make them even more
effective. Here are three tactics we've seen in the wild that are likely to
become more widespread in 2017.
Beyond encryption: 3 ways criminals are making their attacks more disruptive

1) Developing ransomware strains that spread like a virus
Imagine a ransomware attack that not only encrypts files but also turns
them into ticking time bombs, designed to spread their infection to more
machines and users as soon as it executes. That's the direction new
variants like Virlock are taking to expand the scope of their disruption.
By adopting traditional parasitic virus techniques, it does more than
simply encrypt victim files, it also injects them with malicious code that
kicks off new attacks to replicate itself from one machine to another.

The latest version of Virlock can even spread through cloud storage and
collaboration applications, making it possible for one infected user to
spread it across an entire enterprise network.

2) Creating new versions of ransomware that disable the victim systems
The popularity of file encryption as the primary threat in ransomware
began, at least in part, because that type of transformation is
straightforward, leaving the system capable of connecting to the network
for payment and decryption, and showing the victim the comforting, if
frustrating, local presence of their valued files. As the frequency and
public reporting of ransomware has increased, organizations have moved to
improve their recovery strategies, particularly in the form of more
comprehensive and tightly managed backups. In the presence of these backups
(a common best practice in any case), paying the ransom is much less
likely, since restoration of data is a sure thing without paying criminals.

Seeing this, some attackers have changed their tactic to disabling the
system entirely. Ransomware variants such as Petya attack systems at the
boot-level, preventing rebooting to any but the Petya screen, and
encrypting the tables which describe the locations of all of the data on
the disk. An attack like Petya, combined with parasitic expansion
capabilities like Virlock, would create campaigns that could routinely
cause the kind of debilitating breach that would take days or weeks to
resolve.

3) Turning ransomware attacks into data breach events
Threatening to permanently destroy encrypted files is a common ransomware
tactic. Many variants even incorporate a countdown element, adding a sense
of urgency to the victim's decision to pay.

New strains are taking things a step further. Instead of threatening to
destroy encrypted information, they're threatening to release it publicly —
a tactic known as doxxing. An example is Jigsaw, which not only encrypts a
victim's data, but threatens to send copies of those stolen files to all of
the victim's contacts. This shift in tactics is especially relevant for
hospitals and other healthcare service providers who are required to report
exposures of private patient medical records, and who can be fined
extensively for violations.

This changes the ransom equation completely, since the very best backup
will not be able to put the private data genie back into the secure storage
bottle. Criminals are raising their demands accordingly. On January 11, an
Indiana-based cancer services agency received a demand for $43,000 in
exchange for the hackers not releasing the data of thousands of cancer
patients. This was done interactively, by a human, but with tools like
Jigsaw available, the automation and anonymization of this tactic is not
far off.

Prescription: A tight focus on prevention
The best way for healthcare organizations to avoid extensive damage from
the next evolution of ransomware attacks will be to avoid them in the first
place.

While attack tactics and technology change constantly, one relative
constant has been the entry point that criminals target most often — users
and their endpoints. By committing to improving user training and
establishing better endpoint security that protects users even if they do
make a mistake, hospitals can reduce their risk considerably and block
attacks before they spiral out of control.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170202/de4be1d3/attachment.html>