Sophisticated ransomware attacks on healthcare organizations by ruthless cybercriminals are on the rise. Savvy HIT leaders are taking immediate action to protect their IT systems and data. During this webinar you'll gain insight into the 5 most important precautions that healthcare providers should take, and what steps to follow in the event your system is compromised, to minimize the impact on patient care and restore your systems as quickly as possible.
In this presentation you'll learn:
- The 5 most important ways to protect your organization from a ransomware attack
- What steps to take in the event your system is compromised by a ransomware attack
Link to On-Demand Webinar: https://www.cleardata.com/knowledge-hub/5-ways-to-protect-your-healthcare-organization-from-a-ransomware-attack/
4. PROPRIETARY & CONFIDENTIAL
Ransomware Attacks Costly
$300    Average demanded ransomware payment
$18M    Combined losses reported by 992 CryptoWall victims in mid-2015*
$27M    Estimated Bitcoin transactions from CryptoLocker in a two-month period
$325M   Estimated losses to US companies, per the Cyber Threat Alliance^
*https://www.ic3.gov/media/2015/150623.aspx
^http://cyberthreatalliance.org/cryptowall-report.pdf
5. Types of Cyber Attackers
Source: http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-aug-2015.pdf
Recreational
• Fame and notoriety
• Limited tech resources
• Known exploits
Criminal
• Vandalism
• Limited tech capabilities
Hacktivist
• Statement
• Relentless
• Emotionally committed
• Vast networks
• Targeted attacks
Organized Crime
• Economic gain
• Significant tech resources and capabilities
• Established syndicates
• Adware, crimeware, IP theft
• A lot of spamming/phishing
• Prominent in ransomware
State Sponsored
• Cyberwar, state secrets;
industrial espionage
• Highly sophisticated
• Nearly unlimited resources
• Advanced persistent threats
6. The Psychology of a Ransomware Attacker
Why?
• Easy to buy and use the tools
• Profit is predictable
• Less risk in the payoff – no direct contact or sale of data
• Don’t have to find a data buyer
• I can automate it globally
• Harder to trace when payment is collected in Bitcoin
Pricing Dynamics
• The ransom is usually kept comparatively low to increase the likelihood of payment
• An individual payment may be $300; an enterprise payment $30,000
7. Ransomware Tools
CryptoWall
Locky
TorrentLocker
CTB-Locker
TeslaCrypt
SamSam
CrypVault
PayCrypt
CryptoWall
• Uses strong AES encryption; without the attacker's key the files cannot be recovered
• Widely distributed using exploit kits, spam campaigns & malvertising
• Uses I2P network proxies and the Tor network for payments in Bitcoin
TorrentLocker (poses as CryptoLocker in its ransom notes)
• File-encrypting ransomware, distributed via spam email
• Uses AES to encrypt a wide variety of file types
• Harvests email addresses from the victim to spread itself further
Locky
• New, but aggressively distributed by spam and compromised websites
• Scrambles any files in any directory on any mounted drive that it can access
8. Tools Gaining Sophistication
• Early variants only encrypted files stored locally on the infected machine
• Current variants fully traverse network drives, SANs and NASes, and UNC paths
• They encrypt anything they can touch and access with the level of permissions granted to the user account under which the malware is executing, so an account with broad write access to shared drives exposes every one of those shares
10. Anatomy of a Ransomware Attack
1. The Bait
• Typically comes as an email attachment, such as an invoice, shipment tracking document, etc.
• Often very generic, but could include a real vendor name or even your company name.
2. The Infection
• The user's machine is typically connected to the network, shared cloud services, etc.
• Once opened, the ransomware silently begins encrypting all of the files it can reach, without any user interaction or notification.
3. Ransom Notice
• Once done, it alerts the user and provides payment instructions.
• Payment is usually in Bitcoins.
• Some even provide "Customer Service" info.
4. Pay or Restore
• Critical choices: pay the ransom, or restore from backup.
• Paying the ransom increases the risk of future attacks.
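The infection behaviour described on slides 8 and 10 (silently rewriting every file the compromised account can reach, across local folders and mapped or UNC shares) is exactly what a file-activity detection rule can key on. The following is an added example written for this page, not code from the webinar or from ClearData: a heuristic detector that, per user account, counts files hit by high-entropy writes or extension-changing renames inside a sliding time window and raises one alert per burst. The event format, thresholds, paths and user names are assumptions, and the events are constructed sample telemetry rather than real logs.

```python
"""Heuristic detector for ransomware-like file activity (added example)."""
import hashlib
import math
from collections import defaultdict

WINDOW_SECONDS = 60      # sliding window per user account (assumed tuning)
FILE_THRESHOLD = 20      # distinct files with a suspicious signal inside the window
HIGH_ENTROPY = 7.0       # bits per byte; plain text is ~4-5, ciphertext approaches 8
MIN_SAMPLE = 256         # very small writes give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extension(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def root_of(path: str) -> str:
    """Share or profile root, e.g. \\\\fileserver\\ehr or C:\\Users\\jdoe."""
    parts = path.replace("/", "\\").split("\\")
    if path.startswith("\\\\"):
        return "\\".join(parts[:4])
    return "\\".join(parts[:3])


def detect(events, window=WINDOW_SECONDS, threshold=FILE_THRESHOLD):
    """events: dicts with ts, user, op ('write'|'rename'|'delete'), path,
    optional new_path (rename) and data (write), sorted by ts.
    Returns one alert per burst of suspicious activity per user."""
    alerts = []
    history = defaultdict(list)          # user -> [(ts, signal, path), ...]
    for ev in events:
        signal = None
        if ev["op"] == "rename" and extension(ev["path"]) != extension(ev.get("new_path", "")):
            signal = "extension_change"
        elif ev["op"] == "write" and len(ev.get("data", b"")) >= MIN_SAMPLE:
            if shannon_entropy(ev["data"]) >= HIGH_ENTROPY:
                signal = "high_entropy_write"
        if signal is None:
            continue
        hist = history[ev["user"]]
        hist.append((ev["ts"], signal, ev["path"]))
        cutoff = ev["ts"] - window
        while hist and hist[0][0] < cutoff:   # expire events outside the window
            hist.pop(0)
        files = {p for _, _, p in hist}
        if len(files) >= threshold:
            alerts.append({
                "user": ev["user"],
                "ts": ev["ts"],
                "files": len(files),
                "roots": sorted({root_of(p) for p in files}),   # shares/folders touched
                "signals": sorted({s for _, s, _ in hist}),
            })
            hist.clear()                 # one alert per burst, not one per file
    return alerts


def pseudo_ciphertext(seed: int, size: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


def make_events():
    """Constructed sample: one benign user and one account behaving like ransomware."""
    events = []
    for i in range(3):   # benign: a clinician saving a few text notes
        events.append({"ts": 10 + i, "user": "mlee", "op": "write",
                       "path": f"C:\\Users\\mlee\\Documents\\note{i}.txt",
                       "data": b"Patient visit summary; follow-up in two weeks. " * 20})
    for i in range(25):  # malicious: overwrite + rename across a share and a local folder
        root = "\\\\fileserver\\ehr\\scans" if i % 2 == 0 else "C:\\Users\\jdoe\\Documents"
        original = f"{root}\\record{i}.docx"
        events.append({"ts": 20 + i, "user": "jdoe", "op": "write",
                       "path": original, "data": pseudo_ciphertext(i)})
        events.append({"ts": 20 + i, "user": "jdoe", "op": "rename",
                       "path": original, "new_path": original + ".locky"})
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    for alert in detect(make_events()):
        print(alert)
```

In production the events would come from file-server audit logs or an EDR agent; the useful part of the alert is the `roots` list, because it tells the responder which shares to take offline and which account to disable first.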
13. How Does Ransomware Spread?
• Emailing it to huge numbers of people, targeting the US and UK in particular
• May come on its own (often by email) or by way of a backdoor or downloader, brought along as an additional component
• Browser exploit kits and drive-by downloads
• TorrentLocker's authors have been both nimble and persistent
• Also spreads via RDP ports that have been left open to the Internet, as well as by email
• Can also affect a user's files on drives that are "mapped": thumb drives, Dropbox, Box, USB drives, storage shares
15. Titus Regional Medical Center – January 2016
• Ransomware encrypted files on several of TRMC's database services, blocking TRMC's ability to enter or retrieve patient data in the EHR.
• No ransom paid. The security team remedied the situation.
16. Hollywood Presbyterian – February 2016
• Suffered a ransomware attack that prevented access to the EMR and communications.
• The leading suspected cause, according to sources familiar with the investigation, is a phishing attack, likely a link in an e-mail that was clicked by a hospital employee on a computer with access to the EMR system.
• Paid $17,000 in Bitcoin before contacting law enforcement.
17. MedStar Health – March 2016
• Suffered a ransomware attack that locked access to systems and files in all 10 hospitals and 250 outpatient centers.
• Attackers demanded 45 bitcoins within 10 days. Within one day, systems were once again readable, but not writeable.
• The attack involved SamSam, a server-side ransomware family that does not rely on malvertising or social engineering hooks to get into a target's systems.
18. Methodist Hospital Kentucky – March 2016
• Locky ransomware locked down enough of the Kentucky hospital's data that it was forced to declare an internal state of emergency. Officials later said they resolved the situation without giving in to the attackers' demands.
• The attack lasted five days. The hospital says it did not pay.
20. What Happens When You're Locked Out
What the attacker does
• Files or systems encrypted
• Files threatened with destruction or deletion
• Files or systems locked
Your two options
• Pay up: become a target for life
• Don't pay: tell the hackers to pound sand (but you had better have solid backups and a secure place to restore to)
21. Engage Incident Response
Notify your Info Security Team
• Notify authorities and regulatory bodies
• Identify the Recovery Time Objective and Recovery Point Objective (RTO/RPO) for each affected system
• Preserve evidence
• Engage your legal team ASAP
22. Isolate the Device
• Remove the impacted system from the network and remove the threat.
• Removal is best done with the system off the network to prevent any potential spread of the threat. Disconnecting the network (rather than powering the machine off) also keeps volatile evidence available for the investigation.
23. Attempt Data Recovery
• Restore any impacted files from a known good backup.
• Restoring your files from a backup is the fastest way to regain access to your data.
• Requires confidence in the integrity of the backup
• Requires a clean destination to restore to
• May take some time
24. Hybrid Recovery
• Stall for time by trying to negotiate
• In the meantime, work on recovery from a backup
• Requires confidence in the integrity of the backup
25. Pay the Ransom?
Why Pay?
• Without a backup, it may be the only realistic means of retrieving data
• Possibly quicker and cheaper than restoration or starting over
Reasons Not to Pay
• May increase the likelihood of additional attacks
• Motivates the attackers to keep carrying out their attacks
• Increases the likelihood of attacks from other sources
• Funds the cybercrime operation and the infrastructure they are using to commit further fraud
• May not achieve recovery, even if you pay
26. Start Over
• Dispose of all infected devices
• Rebuild from scratch
• Will be expensive and time consuming
• History lost
28. Defense in Depth in IT
DEFENSE IN DEPTH (layers)
• Multi-level Security: user, process, device
• Data & Application Security
• Physical Infrastructure
• Network Security: air-tight, properly configured
• System Security
DEFENSE IN BREADTH
• Applied across each use case to the appropriate level
APPLYING DEFENSE IN DEPTH & BREADTH
• Reduce attack surfaces
• Deploy crypto keys
• Create secure people, processes & systems
29. #1: Back Up Your Data
DEFENSE IN DEPTH layers: Multi-Level Security; Physical Infrastructure; Network Security; System Security; Data & Application Security
• Regular and consistent backups along with tested and verified restores.
• Keep a recent backup copy offsite and offline.
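"Tested and verified restores" needs a concrete mechanism: record a hash of every file when the backup is taken, keep that manifest with the offline copy, and compare the restored tree against it before returning systems to service. The following is an added example written for this page, not tooling from the webinar or ClearData. The directory layout, file names and the tampering scenario (one file encrypted in place, one deleted, a ransom note left behind) are constructed for the demonstration.

```python
"""Verify a restore against a hash manifest captured at backup time (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every regular file under root."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict, dest: Path) -> None:
    dest.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest; a clean restore has only 'ok' entries."""
    actual = build_manifest(restored_root)
    return {
        "ok": sorted(p for p in manifest if actual.get(p) == manifest[p]),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "unexpected": sorted(p for p in actual if p not in manifest),   # e.g. ransom notes
    }


def demo(tamper: bool = True) -> dict:
    """Constructed scenario: back up a small tree, restore it, optionally tamper, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "ehr"
        (source / "patients").mkdir(parents=True)
        (source / "patients" / "p1001.json").write_text('{"name": "example"}')
        (source / "patients" / "p1002.json").write_text('{"name": "example2"}')
        (source / "schedule.csv").write_text("date,room\n2016-03-01,A\n")

        backup = tmp / "backup"
        shutil.copytree(source, backup)
        manifest_file = tmp / "offline" / "manifest.json"   # kept apart from the backup
        manifest_file.parent.mkdir()
        save_manifest(build_manifest(source), manifest_file)

        restored = tmp / "restored"
        shutil.copytree(backup, restored)
        if tamper:
            # Simulate an incomplete cleanup: one file encrypted in place,
            # one file missing, and an attacker artefact left on the volume.
            (restored / "patients" / "p1001.json").write_bytes(b"\x8f\x13\xa0encrypted")
            (restored / "schedule.csv").unlink()
            (restored / "HOW_TO_DECRYPT.txt").write_text("pay 45 BTC")

        return verify_restore(restored, load_manifest(manifest_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest must live somewhere the malware cannot reach with the user's write permissions; a manifest stored next to the backup on the same mapped share can be encrypted along with everything else.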
30. #2: Email Filtering & Phishing Awareness
• Don't click on links without scrutinizing the email to make sure it's legitimate
• Inbound e-mails should be scanned for known threats, and any attachment types that could pose a threat should be blocked.
• Filter email
• Block dangerous email attachments
– ZIP, RAR, EXE, SCR, JavaScript, etc.
• Block macro-enabled content
– Word, Excel, PowerPoint
– A very prolific attack vector
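The attachment rules above are easy to state and easy to get wrong: a blocked extension check misses a ZIP wrapping a script, a renamed executable, or a macro-enabled document saved under a plain .docx name. The following is an added example written for this page, not the webinar's or ClearData's gateway configuration: a standard-library Python filter that parses a raw message, then judges each attachment by extension, by magic bytes, by recursing into ZIP archives (with depth, size and password guards), and by looking for a VBA project inside Office containers. The extension lists are an assumption (the slide's types plus common script types), and the sample message is constructed inline.

```python
"""Inbound attachment filter (added example, standard library only)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Slide's dangerous types plus other script/executable types commonly blocked (assumed list).
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                      "vbs", "vbe", "wsf", "hta", "ps1", "jar", "rar"}
MACRO_OFFICE_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}
MAX_ZIP_DEPTH = 3                      # nested archives beyond this are blocked unread
MAX_MEMBER_BYTES = 10 * 1024 * 1024    # refuse to inflate decompression bombs


def extension(filename: str) -> str:
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_bytes(filename: str, data: bytes, depth: int = 0) -> list:
    """Return the reasons to block this file; an empty list means allow."""
    reasons = []
    ext = extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{ext}")
    if ext in MACRO_OFFICE_EXTENSIONS:
        reasons.append("macro-enabled Office document")
    # Content checks catch renamed files: a .jpg starting with an MZ header is a PE.
    if data.startswith(b"MZ") and ext not in {"exe", "dll", "scr", "com"}:
        reasons.append(f"Windows executable disguised as .{ext}")
    if data.startswith(b"Rar!\x1a\x07") and ext != "rar":
        reasons.append(f"RAR archive disguised as .{ext}")
    if data.startswith(b"PK\x03\x04"):          # ZIP, which also covers docx/xlsx/pptx
        if depth >= MAX_ZIP_DEPTH:
            return reasons + ["archive nested too deeply to scan"]
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return reasons + ["corrupt ZIP container"]
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.filename.endswith("vbaProject.bin"):   # Office file carrying macros
                reasons.append("VBA macro project inside Office container")
            elif info.flag_bits & 0x1:                      # encrypted member
                reasons.append(f"{info.filename}: password-protected, cannot be scanned")
            elif info.file_size > MAX_MEMBER_BYTES:
                reasons.append(f"{info.filename}: too large to scan")
            else:
                for r in inspect_bytes(info.filename, archive.read(info), depth + 1):
                    reasons.append(f"{info.filename}: {r}")
    return reasons


def scan_message(raw: bytes) -> list:
    """Scan every attachment of a raw RFC 822 message; returns (filename, reason) pairs."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        for reason in inspect_bytes(name, data):
            findings.append((name, reason))
    return findings


def blocked_attachments(raw: bytes) -> set:
    return {name for name, _ in scan_message(raw)}


def build_sample_message() -> bytes:
    """Constructed phishing-style message with one benign and three hostile attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "accounts@hospital.example"
    msg["Subject"] = "Invoice 4471 overdue"
    msg.set_content("Please see the attached invoice and remit payment.")
    msg.add_attachment(b"%PDF-1.4\n%fake\n", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    buf = io.BytesIO()                                   # ZIP hiding a JScript downloader
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice_4471.js", "var s = new ActiveXObject('WScript.Shell');")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    buf = io.BytesIO()                                   # Word document with a VBA project
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="report.docm")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="image",   # PE renamed .jpg
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

The password-protected branch matters in practice: a ZIP the gateway cannot open is not "clean", it is unscanned, and the example treats it as a reason to block rather than a reason to pass.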
31. #3: Antivirus
• Exploit kits hosted on compromised websites are commonly used to spread malware.
• Regular patching of vulnerable software is necessary to help prevent infection.
32. #4: Updated Patches & Software
• Be sure all system and application patches are current.
• Reduces exposure to drive-by downloads and to server-side families such as SamSam, which gains entry by exploiting unpatched Internet-facing servers rather than by tricking a user
33. #5: Settings & Access Control
• Show hidden file extensions, so "invoice.pdf.exe" is not displayed as "invoice.pdf"
• Block execution of files from user-writable folders such as AppData/LocalAppData (for example with Software Restriction Policy or AppLocker path rules)
– %APPDATA%
– %TEMP%
• Disable RDP where it is not needed, and never leave it exposed directly to the Internet
• Limit end-user access to mapped drives: the malware can only encrypt what the logged-in account can write to
• Install a firewall, block Tor and I2P, and restrict outbound traffic to specific required ports