In the first 7 months of 2020, 41 healthcare providers have reported ransomware attacks. Some organizations may opt to pay the demands of an attacker to keep the incident private, consequently avoiding potential harm to their reputation. Others may have controls in place that effectively prevent the attack or mitigate the impact of any damages. It is difficult to determine how many organizations have been targeted as well as how many have been affected by ransomware attacks. Below is a sample of industry-related, publicly acknowledged ransomware attacks:
Maryland Health Services (Lorien Health) disclosed a Netwalker ransomware attack in June. Earlier this year, CYDERES observed a new trend by ransomware operators wherein sensitive data is exfiltrated from the network prior to data being encrypted. The data is then used as an additional point of leverage to encourage the victim to meet the attacker’s demands. Maryland Health Services experienced this as the ransomware operators were able to collect sensitive data on up to 47,754 individuals. Following the attacker’s demands not being met, decryption keys and portions of the stolen data was publicly released.
Cozer-Keystone, SFI Health, and UCSF also recently disclosed similar Netwalker attacks. In the case of UCSF, the university paid attackers approximately $1.14 million (USD) to obtain the decryption key and prevent the disclosure of their data. Best practices to prevent and respond to a ransomware attack are encouraged, as paying attacker’s demands does not guarantee decryption and return of data. This may also serve as an indicator to other malicious actors that the organization is willing to capitulate to ransom demands, increasing the possibility of a future attack.
Magellan Health disclosed a second security incident earlier this year after sensitive personal data including social security numbers, usernames, and passwords were exfiltrated. This occurred after an attacker phished an employee, deceiving them into installing malware which propagated to the server housing said information. Details around the ransomware type and responsible actors are limited and CYDERES intelligence partners have not seen mentions of the attack across the darkweb services they monitor. Still, Magellan serves as an example of the importance of preparation for an attack given a similar phishing incident from 2019.
Mat-Su Surgical, Woodlawn Dental Center, Argus Medical Management, and Indoco Remedies have also disclosed recent ransomware attacks. The degree of impact on each organization varies but illustrates the breadth and size of services within the health care industry that malicious actors target.
A ransomware variant Netwalker, aka Mailto, has been distributed by attackers exploiting the COVID-19 pandemic with COVID-19 themed email messages. The messages often contain tainted Word or Excel attachments and users are enticed into opening the files and executing the malware initialization. Operators of Netwalker have also been known to disguise the malware as legitimate software such as Sticky Password. The payload may allow access for the actor to install additional malware, surveil the network and exfiltrate data. Once the ransomware executes, it scans for and begins encrypting files on the infected device and presents the user with a demand for payment to unlock files and prevent public disclosure of data.
Several different ransomware variants exist that function similarly to Netwalker. Operators of the Maze ransomware and Sodinokibi (REvil), like Netwalker, have been observed exfiltrating data from impacted networks prior to executing encryption protocols to maximize the potential for an organization to pay to prevent public data disclosure. Some ransomware variants target specific types of devices or organizations. Snake (aka EKANS) is one such ransomware found to target industrial and manufacturing organizations with the capability of identifying and terminating common industrial control systems related processes to deliberately impact production capabilities.
Ransomware attacks against health care providers increased by 350% in the last quarter of 2019. The evolving tactics of ransomware operators, impact of the global pandemic, increasing regulatory penalties, and low cost/effort to operate malware will likely result in this trend continuing.
Fortunately, there are several steps that can help prevent, identify, and respond to ransomware provided by CYDERES below:
Device backups should occur frequently. Multiple copies of the backup should be made and stored offsite in addition to locally. Cloud backups should also be considered where appropriate. Having multiple backups stored in separate, nonconnected locations gives the ability to confidently restore lost or encrypted data in the event that local backups are compromised.
Flat networks allow an attacker or malware to easily discover and spread to nearby network assets. Sensitive or critical assets should be segmented to limit the amount of damage that can be caused by a malware/ransomware infection. A segmented network can also help prioritize deploying detection and response capabilities as the movement of data on sensitive segments can be more highly scrutinized than non-sensitive segments.
Technical controls may also be easier to implement for cordoning off access to unnecessary services within sensitive segments. A client segment for instance may require internet access where storage devices should not have a default route out to the internet.
Next-generation endpoint detection and response/Antivirus agents should be deployed to any connected device where possible. Procedures should be in place to constantly review agent health and remediate noted exceptions. Signature files should be updated as soon as vendors make them available and currently installed versions should be part of the agent health check process.
Classic or legacy signature-based endpoint agents like anti-virus can be ineffective protecting against ransomware and modern threats. These solutions should be phased out in favor of modern tools that leverage AI and behavioral-based detections.
User and system accounts should be limited to only the permissions needed for their assigned tasks. Local admin accounts on devices should be disabled, passwords rotated, and use of these accounts permitted only after a request has been reviewed and approved. Service accounts should be set to non-interactive and their use limited to the devices necessary to carry out their purpose.
Roles should be routinely reviewed, and permissions adjusted as users transition to new positions or shift responsibilities.
Separate accounts for power users can be created with elevated privileges. These accounts should enforce more stringent password requirements and be controlled via multi-factor authentication where possible.
Training and Awareness
A user education program should regularly conduct training and awareness campaigns covering topics such as: password usage, identifying phishing emails, data classification and handling, and reporting security incidents.
24 x 7 x 365 Security Operations
Security logs should be collected with systems running detection logic against the telemetry for threats to the environment. Logs and detection events should be monitored 24 x 7 for signs of intrusion or malware execution.
Incident response plans should be on file and kept up to date. Third-party IR retainers should be in place prior to a security incident to augment response capabilities, provide expertise, and to assist in limiting the impact of a ransomware incident.
Penetration tests should be routinely ran against applications, servers, and network infrastructure in search of vulnerabilities.
Maintain an inventory of server and application assets. The asset list can be used to prioritize detection and response capabilities as well as inform monitoring for and applying patches on critical systems.
A patching schedule should be maintained so that critical firmware, OS, or application patches are applied as soon as possible after the release of patches.
SMTP gateway should be configured to enable spam and malware filtering.
Email and HTTP(s) traffic to/from the network should be filtered to only known-good external entities where possible. Uncommon TLDs such as .ru, .tv, etc., and webmail like gmail, yahoo, etc. should be limited to approved vendors or third-party contacts. An exception process should be in place and updates implemented based on periodic review.
User installed applications and associated plug ins should come from a trusted package or software management repository. Unsigned or internet downloaded application installation and execution should be blocked.
Securing the organization from threats like ransomware may seem a daunting task, but the experts at CYDERES can help. If your organization needs managed detection and response across both your cloud and on-premise environment, Fishtech Cyber Defense and Response (CYDERES) can help. CYDERES offers a better, faster and scalable SOC with a managed SIEM. CYDERES solutions include:
- Enterprise Managed Detection & Response
- Global Security Operations Center
- CYDERES Cloud
- CYDERES Security Incident Response Team
- CYDERES Red Team
- CYDERES CNAP
Fill out the form below to get in contact with one of our CYDERES experts to find out how we can best leverage our services to secure your business.