“Doctors are gods and don’t let anybody tell them what to do, so enforcing whitelisting in an organization [and telling doctors they can’t run certain applications] is a political exercise not just a technical one. It is fraught with organizational ‘challenges,’” he says.
Ransomware has been an Internet scourge for more than a decade, but only recently has it made mainstream media headlines. That’s primarily due to a new trend in ransomware attacks: the targeting of hospitals and other healthcare facilities.
The FBI has released flash alerts warning about an uptick in attacks that use a strain of ransomware called MSIL/Samas—one such warning as recently as last Friday. The FBI first warned about Samas last year, stating that it “encrypts most file types with RSA-2048 [a strong encryption algorithm]. In addition, the actor(s) attempt to manually locate and delete network backups.”
“You need to protect every damn layer [of your network] within an inch of your life,” Sjouwerman says, to make attackers work harder. Hackers are looking for a quick and easy return on their investment. And if you can turn your network into a hard target they’ll “simply go away,” he says, and search out an easier mark.
Sjouwerman says security awareness training for employees is also key to prevent them from clicking on phishing emails. With good training “you can actually truly get a dramatic decrease in click-happy employees,” he says. “You send them frequent simulated phishing attacks, and it starts to become a game. You make it part of your culture and if you, once a month, send a simulated attack, that will get people on their toes.”
The ransomware known as Locky does this as well, and much more, says Sjouwerman. Locky searches for Volume Shadow Copy files, a feature in Windows systems that backs up copies of files automatically, even while people are working on them. Locky erases them.
“If you have patients, you are going to panic way quicker than if you are selling sheet metal,” says Stu Sjouwerman, CEO of the security firm KnowBe4. Hospitals are a good target for another reason as well: they “have not trained their employees on security awareness … and hospitals don’t focus on cybersecurity in general,” he says. Instead, their primary concern is HIPAA compliance, ensuring that employees meet the federal requirements for protecting patient privacy.
It helps to know what strain of ransomware is on your system; if it’s well-known, there may be information published online by security firms or even tools that can bypass the encryption—if the attackers designed it poorly.
The payoff for hackers can be huge. The FBI estimated in 2014 that the extortionists behind the CryptoLocker strain of ransomware swindled some $27 million in just six months out of people whose data they took hostage.
Then this week, news broke that MedStar Health, which operates 10 hospitals and more than 250 out-patient clinics in the Maryland/Washington, DC area, was hit by a virus that may be ransomware. MedStar wrote in a Facebook post that its network “was affected by a virus that prevents certain users from logging-in to our system,” but a number of employees told the Washington Post that they saw a pop-up screen appear on their computers demanding payment in Bitcoin. The organization responded immediately by shutting down large portions of its network. Employees were unable to access email or a database of patient records, though clinics and other facilities remained open and operating. MedStar did not respond to a call from WIRED.
And ransomware attackers have upped the ante in recent months with attacks that encrypt not just files on an individual computer but on core servers, to prevent an entire organization from accessing shared files and databases. The really malevolent attacks also go after backup repositories that victims might ordinarily use to restore data.
Earlier this month, Methodist Hospital in Henderson, Kentucky was struck by Locky as well, an attack that prevented healthcare providers from accessing patient files. The facility declared a “state of emergency” on a Friday but by Monday was reporting that its systems were “up and running.” Methodist officials, however, said they did not pay the ransom; administrators in that case had simply restored the hospital’s data from backups.
His company also recommends configuring mail servers to block zip or other files that are likely to be malicious. Most importantly, they tell organizations to restrict permissions to areas of the network. Instead of having thousands of people accessing files on a single server, they recommend breaking into smaller groups so that if a server gets infected, it won’t spread ransomware to everyone. It also forces attackers to work harder to locate and lock down more servers.
Or hospitals could whitelist their machines to prevent ransomware installing. This involves scanning a machine to note all the legitimate applications on it, then configuring it to block any other executables. This can involve hundreds or thousands of machines, each with different applications, which is why few organizations actually take this step. It can be laborious and easily run aground by office politics.
The malware works by locking your computer to prevent you from accessing data until you pay a ransom, usually demanded in Bitcoin. Hospitals are the perfect mark for this kind of extortion because they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.
Over the course of a year, measuring some 300,000 users, his company saw a drop in clicks from 15.9 percent to just 1.2 percent on average in companies that had training.
Worse, not only can attackers lock out all workers who need access; they could also use those shared files as a means of infecting anyone who accesses them, in order to spread malware to more machines.
“All-employee access groups are the exact type of data under attack by Ransomware,” says Adam Laub, a senior vice president at STEALTHbits. “It’s like getting a key to your hotel room and discovering that it actually gives you access to many other rooms as well. All a would-be intruder needs to do is try it in each door…. If access rights to file shares were better controlled via groups with only the proper users, the ability for ransomware to rapidly spread far and wide would be drastically reduced.”
The company advises victims to disconnect infected systems from a network and disable Wi-Fi and Bluetooth to prevent the malware from spreading. Victims are also told to remove any USB sticks or external hard drives connected to an infected computer to prevent those from being locked as well.
When ransomware strikes a hospital, the first reaction is often panic. After MedStar got hit with what is believed to be ransomware, it immediately shut down most of its network operations to prevent the malware from spreading. This meant health-care professionals could not access email or easily schedule patient visits or surgeries. The hospital reverted to paper records for communication and scheduling.
Generally, victims get infected with ransomware through phishing attacks that carry a malicious attachment or instruct recipients to click on a URL that downloads malware to their computer. But victims can also get infected through malvertising if they visit a web site that is serving up compromised ads.
Organizations often discover they’ve been infected with malware only after workers start complaining that they can’t access files on a shared server. “The [administrator] goes through the file server and sees [files with names like] ‘decrypt.html’ and ‘decrypt.txt’ with instructions on how to pay. And then they know that they’ve been hit.”
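A defender can turn that discovery signal into a routine check instead of waiting for complaints. The following is an added example, not code from the article or from KnowBe4: it walks a file share, reports every directory that holds a ransom note with one of the names quoted above, and counts how many files in that directory carry an extension outside a site-specific known-good list (cryptoware usually appends its own extension, so this roughly sizes the damage). The known-good extension list and the sample share layout are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

# Ransom-note filenames quoted in the article; everything else below is a
# constructed assumption for this example, not a complete signature set.
RANSOM_NOTE_NAMES = {"decrypt.html", "decrypt.txt"}
# Extensions an organization expects on its shares (assumption: site-specific).
KNOWN_GOOD_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".html", ".jpg"}


def scan_share(root, note_names=RANSOM_NOTE_NAMES, known_good=KNOWN_GOOD_EXTS):
    """Walk a share and report each directory that holds a ransom note.

    Returns {relative_dir: {"notes": [...], "suspect_files": n}} where n is
    the number of files in that directory (notes excluded) whose extension is
    not on the known-good list, i.e. files that were probably encrypted.
    """
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        notes = sorted(f for f in filenames if f.lower() in note_names)
        if not notes:
            continue  # no ransom note here; nothing to triage
        suspect = [f for f in filenames
                   if f.lower() not in note_names
                   and Path(f).suffix.lower() not in known_good]
        hits[os.path.relpath(dirpath, root)] = {
            "notes": notes, "suspect_files": len(suspect)}
    return hits


def build_sample_share(base):
    """Create a constructed share: one directory hit, one left untouched."""
    layout = {
        "patients": ["decrypt.html", "decrypt.txt", "chart1.docx.locky",
                     "chart2.docx.locky", "labs.xlsx.locky", "readme.pdf"],
        "billing": ["invoice.xlsx", "notes.txt"],
    }
    for sub, names in layout.items():
        d = Path(base) / sub
        d.mkdir(parents=True, exist_ok=True)
        for n in names:
            (d / n).write_text("sample\n")
    return str(base)


def run_demo():
    """Build the sample share in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_share(build_sample_share(tmp))


if __name__ == "__main__":
    for d, info in run_demo().items():
        print(f"{d}: notes={info['notes']} suspect_files={info['suspect_files']}")
```

Run it against a mounted share root (instead of the constructed temp directory) from a scheduled job, and alert on any non-empty result.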
Last month, attackers took computers belonging to the Hollywood Presbyterian Medical Center in Los Angeles hostage using a piece of ransomware called Locky. Computers were offline for more than a week until officials caved to the extortionists’ demands and paid the equivalent of $17,000 in Bitcoin.
Locky attacks are different for another reason; they’re a hybrid of standard ransomware infections—which involve spray-and-pray phishing campaigns that deliver a mass email to a lot of people with the hope that some will click and get infected with the ransomware—and traditional network breaches that involve lateral movement through a network to gain control of key servers. While the email portion of the attack is “mass market, low cost, and fully automated,” he says, the lateral movement requires the attacker to use tools like backdoors and keystroke loggers to steal administrative credentials and gain access to core systems. Once they do, they’ll lock up file-share servers where hundreds of employees in the organization might access shared files.
This was actually the proper response, says Sjouwerman, whose firm distributes a 20-page “hostage manual” (.pdf) instructing ransomware victims on what to do after an attack and how to prevent one.
Barring this, a victim has two options: pay the ransom or restore data from backups. If formal backups don’t exist, it may be possible to restore data using Shadow Copy files and other methods. The best action, of course, is for hospitals to take steps to prevent attacks and maintain what he calls weapons-grade backups.
“You don’t have to lock an entire network,” Sjouwerman says. “You just need to find where are the critical files in a network—what servers are serving up the millions of files that most workers use…. And you only need to lock maybe two or three file servers to essentially block the whole network.”
Ransomware is rampant because it works. The digital extortion racket has been around since about 2005 and began in Eastern Europe, but attackers greatly improved on the scheme in recent years with the development of ransom cryptware, which encrypts files on a machine so that only a private key the attacker possesses can decrypt them, instead of simply locking the keyboard or computer.