5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIMSS Presentation

Chris Bowen, MBA, CIPP/US, CIPT
Founder, Chief Privacy & Security Officer
Ransomware
Five Ways to Protect Your Organization

2PROPRIETARY & CONFIDENTIAL
Agenda
Ransomware: Anatomy & Psychology
Case Studies
Recovery Strategies
Five Prevention Strategies
1
2
3
4

Ransomware Attacks are Increasing
0
1000
2000
3000
4000
Total Ransomware
2013
Q1 Q2 Q1 Q2 Q3 Q4 Q1 Q2
2014 2015
Source: http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-aug-2015.pdf

Ransomware Attacks Costly
*https://www.ic3.gov/media/2015/150623.aspx
^http://cyberthreatalliance.org/cryptowall-report.pdf
Average cost of a demanded ransomware payment.
Combined losses of 992 victims from CryptoWall
in mid-2015*
Estimated Bitcoin transactions from CryptoLocker
in a two month period.
Estimated amount of losses by the Cyber Threat Alliance
to US companies^
$300
$18M
$27M
$325M

Types of Cyber Attackers
http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-aug-2015.pdf
Recreational
• Fame and notoriety
• Limited tech resources
• Known exploits
Criminal
• Vandalism
• Limited tech capabilities
Hacktivist
• Statement
• Relentless
• Emotionally committed
• Vast networks
• Targeted attacks
Organized Crime
• Economic gain
• Significant tech resources
and capabilities
• Established syndicates
• Adware, crimeware, IP theft
• A lot of spamming/phishing
• Prominent in ransomware
State Sponsored
• Cyberwar, state secrets;
industrial espionage
• Highly sophisticated
• Nearly unlimited resources
• Advanced persistent threats

The Psychology of a Ransomware Attacker
Why?
• Easy to buy and use the tools
• Profit is predictable
• Less risk in the payoff – no direct contact or sale of data
• Don’t have to find a data buyer
• I can automate it globally
• Less trackable using bitcoin
Pricing Dynamics
• Ransom usually comparatively low to increase
likelihood of payment
• Individual payment may be $300; Enterprise $30,000

Ransomware Tools
CryptoWall
Locky
TorrentLocker
CTB-Locker
TeslaCrypt
Samsam
CrypVault
PayCrypt
CryptoWall
• Use of unbreakable AES encryption
• Widely distributed using exploit kits, spam campaigns & malvertising
• Uses I2P network proxies and Tor network for payments using Bitcoins
TorrentLocker (sometimes referred to as CryptoLocker)
• File-encrypting Ransomware - distributed via spam email
• Uses AES to encrypt a wide variety of file types
• Harvests email addresses from victim to further spread itself
Locky
• New but aggressively distributed by spam and compromised websites
• Scrambles any files in any directory on any mounted drive that it can
access

Tools Gaining Sophistication
• Inflicted unwanted encryption on files stored locally to a
machine
• Now fully able to traverse network drives, SANs and
NASes, UNC paths
• Encrypts anything it can touch and access with the level
of permissions granted to the user account under which
the malware is executing.

Easy To Acquire https://ransomwaretracker.abuse.ch/

Anatomy of a Ransomware Attack
• Critical choices:
- Pay ransom
- Restore from backup
• Paying ransom increases risk of
future attacks
The Bait1
• User’s machine typically
connected to network, shared
cloud services, etc.
• Once open, ransomware silently
begins encrypting all of the files it
can, without any user interaction
or notification.
The Infection2 Ransom Notice3 Pay or Restore4
• Once done, it alerts the user and
provides payment instructions.
• Payment is usually in Bitcoins
• Some even provide “Customer
Service” info.
• Typically comes as an email
attachment
• Such as: Invoice, shipment
tracking document, etc.
• Often very generic, but could
include a real vendor name or
even your company name.

Typical Bait Email

Malicious Attachments
Word doc with
malicious VB code
activated by enabling
macros

• Emailing it to huge numbers of people, targeting particularly the US
and UK
• May come on its own (often by email) or by way of a backdoor or
downloader, brought along as an additional component
• Browser exploit kits, drive-by downloads
• TorrentLocker’s authors have been both nimble and persistent
• Also spreads via RDP ports that have been left open to the Internet,
as well as by email
• Can also affect a user’s files that are on drives that are “mapped”
– Thumb drives, dropbox, box, usb drives, storage shares
How Does Ransomware Spread?

Case Studies
Recent Healthcare Attacks

• Ransomware encrypted files on several of TRMC's data base services, blocking
TRMC's ability to enter or retrieve patient data in EHR.
• No ransom paid.Security team remedied situation
Titus Regional Medical Center– Jan 2016

• Suffered a ransomware attack that prevented access to EMR and communications.
• The leading suspectsuspected cause,according to sources familiar with the
investigation,is a phishing attack—likely a link in an e-mail that was clicked by a
hospital employee on a computer with access to the EMR system.
• Paid $17,000 in Bitcoin before contacting law enforcement.
Hollywood Presbyterian – February 2016

• Suffered a ransomware attack locked access to systems and files in all 10 hospitals
and 250 outpatientcenters.
• Attackers demanded 45 bitcoins within 10 days. Within one day, systems were once
again readable,butnot writeable.
• The attack involves SAMSAM--a server-side ransomware family that does not rely on
malvertising or social engineering hooks to arrive into a target's system.
MedStar Health – March 2016

• Locky ransomware locked down enough ofthe Kentucky hospital’s data that it was
forced to declare an internal state of emergency.Now officials are saying they
resolved the situation withoutgiving into attackers’ demands.
• Attack lasted five days. Claim they did not pay.
Methodist Hospital Kentucky– March 2016

Recovery Strategies
Options & Contingencies

What Happens When You’re Locked out
Pay Up
Become a target for life
Don’t Pay
Tell hackers to pound sand
(But you better have solid backups
and a secure place to restore to)
Files or Systems
Encrypted
Files Threatened
With Destruction or Deletion
Files or Systems
Locked
DELETE

Engage Incident Response
Notify your Info Security Team
• Notify authorities and regulatory bodies
• ID Recovery Time & Point Objectives
• Preserve evidence
• Engage your legal team ASAP

Isolate The Device
• Remove the impacted system from the network and
remove the threat
• Removal is best done with the system off the networks to
prevent any potential spread of the threat.

Attempt Data Recovery
• Restore any impacted files from a known good backup.
• Restoration of your files from a backup is the fastest way
to regain access to your data.
• Requires confidence in integrity of backup
• Requires a destination at which to restore
• May take some time

Hybrid Recovery
• Stall for time by trying to negotiate
• In meantime work on recovery from a backup
• Requires confidence in integrity of backup

Pay The Ransom?
Why Pay?
• Without a backup, may be the only realistic means of retrieving data
• Possibly quicker and cheaper than restoration or starting over
Reasons Not To Pay
• May increase likelihood of additional attacks
• Motivate the attackers to keep carrying out their attacks
• Increase likelihood of attacks form other sources
• Fund the cybercrime operation and the infrastructure that they are
using to commit further fraud
• May not achieve recovery, even if you pay

Start Over
• Dispose of all infected devices
• Rebuild from scratch
• Will be expensive and time consuming
• History lost

Prevention Strategies
Defense In Depth

Defense in Depth in IT
Multi-level Security
User, Process, Device
Data & Application Security
Physical Infrastructure
Network Security
Air-tight - properly configured
System Security
DEFENSE IN DEPTH DEFENSE IN BREADTH
Applied Across Each Use Case to Appropriate Level
REDUCE
ATTACK SURFACES
DEPLOY
CRYPTO KEYS
CREATE SECURE PEOPLE,
PROCESSES & SYSTEMS
APPLYING DEFENSE IN DEPTH & BREADTH

#1: BackupYour Data
• Regular and consistent backups along with tested and
verified restores.
• Keep a recent backup copy offsite and offline.
• Multi-Level Security
• Physical Infrastructure
• Network Security
• System Security
• Data & ApplicationSecurity
DEFENSE IN DEPTH

#2: Email Filtering & Phishing Awareness
• System Security
DEFENSE IN DEPTH • Don’t click on links without scrutinizing the email to make sure it’s
legitimate
• Inbound e-mails should be scanned for known threats and should
block any attachment types that could pose a threat.
• Filter Email
• Block dangerous email attachments
– ZIP, RAR, EXE, SCR, JavaScript, etc.
• Block macro-enabled content
– Work, Excel, PowerPoint
– Very prolific attack vector

#3: Antivirus
• System Security
DEFENSE IN DEPTH • Exploit kits hosted on compromised websites are commonly used to
spread malware.
• Regular patching of vulnerable software is necessary to help prevent
infection.

#4: Updated Patches & Software
• System Security
DEFENSE IN DEPTH • Be sure all system and application patches are current.
• Keeps you safer from drive-by downloads, Samsam attacks

#5: Settings & Access Control
• System Security
DEFENSE IN DEPTH • Show hidden file-extensions
• Disable files running from AppData/LocalAppData folders
– %APPDATA%
– %TEMP%
• Disable RDP
• Limit end user access to mapped drives
• Install Firewall and block Tor, I2P and restrict to specific ports

Resources
• Very good Ransomware Tracker:
https://ransomwaretracker.abuse.ch/
• Shodan HQ
https://www.shodan.io/
• Crypolocker Prevention Kit
https://community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-
updated

chris.bowen@cleardata.com
(602) 635-4002
1600 W. Broadway Road Ÿ Tempe, AZ 85282
Chris Bowen, MBA, CIPP/US, CIPT
ChiefPrivacy & Security Officer

5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIMSS Presentation

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à 5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIMSS Presentation

Similaire à 5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIMSS Presentation (20)

Dernier

Dernier (20)

5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIMSS Presentation