Ransomware sucks, especially when its victims are in the business of helping others, and are prevented from that mission by losing access to their data and information systems. The cruelty is compounded when victim organizations are already under assault by external disruption, such as the COVID-19 pandemic or the current civil unrest.
Ransomware is most effective when the encrypted data is critical to the operations of a high-value system: the victim then has both the resources to pay the ransom and a strong incentive to get the data back. As a result, hospitals and other healthcare organizations are frequent, high-visibility targets of these attacks. In 2018, healthcare became the second most attacked industry sector, behind only government, according to the Radware 2018-2019 Global Application and Network Security Report.
While indiscriminate ransomware campaigns certainly circulate on public networks, in many cases high-value victims are specifically targeted. Targeted attacks can be harder to interdict, because they may exploit specific vulnerabilities known to the attacker: a particular flaw in a system commonly used by hospitals, or an exploit for a software package running on a particular device.
Ransomware, like many cyber exploits, can flourish in a time of change or disruption. Typical security processes can be compromised, and the professionals tasked with protecting the networks may be distracted, overworked, or even incapacitated, as during the current COVID-19 pandemic and civil unrest.
5 steps to protect your organization from ransomware
We surveyed a range of technical and healthcare professionals in our network to understand the unique risks hospitals may face during this time, as well as the strategies they could employ to protect their networks from ransomware. A critical element of being prepared for ransomware is understanding why, and by what methods, a particular institution may attract the attention of bad actors. “Rural hospitals and mid-size to smaller health care systems may be more attractive targets,” says Carina Edwards, the CEO of Quil Health and a long-time digital health executive. “Larger systems have more resources to secure their networks; smaller hospitals often don’t have the staff, or the budget, to counter sophisticated attacks.”
Cybersecurity firm BluVector (the supporting organization of Cyber.Media) has recently released their Healthcare Threat Report, which highlights recent intelligence about a range of threats facing the healthcare industry, including ransomware. Elements of the report have been used to develop this article.
Regardless of the resources available, it is possible for hospitals to reduce the odds and impact of a successful ransomware attack. According to the experts we spoke with, the precautions and processes necessary include the following steps:
- Prevent and detect intrusions
- Secure internal networks and devices
- Refresh your backup plans
- Treat your networks like your patients
- Educate, inform, and exercise your employee base
1. Prevent and detect intrusions
Like any malady, ransomware is best dealt with by preventing infection in the first place. An organization that closes off the typical points of entry ransomware uses to reach individual computers, and from there the networks those computers sit on, avoids the significant operational cost and reputational damage that a publicized ransomware attack can cause.
Targeted ransomware attacks complicate traditional efforts to protect the network. Because a successful attack can pay off handsomely, the attacker can afford to use a novel delivery vector or a malicious code package that has not been seen before. Signature- and blocklist-based defenses can only stop what they recognize, so they may miss an attack that has not yet been identified and classified by traditional methods.
Intrusion detection systems that use machine-learning-driven pattern detection can fare better in these situations. Rather than matching known bad samples, they learn what normal activity looks like on the network and flag deviations from it, so they can detect anomalous activity that has never been identified in a lab setting and alert the rest of the organization’s cyber defenses to take further action. The trade-off is that such systems need a clean baseline period to learn from, and their alerts need tuning and human review, since unusual but legitimate activity (a bulk data migration, for example) will also deviate from the baseline.
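As an added example (my code, not from the article, from BluVector, or from any product it mentions), the following Python script shows the baseline-and-deviation idea behind such detectors in its simplest form: it learns each user’s normal rate of file modifications from a constructed day of file-server audit events, then flags a user whose activity in a new window deviates sharply from that baseline, including a mass rename to a single new extension, which is what an encryption run looks like on a file share. The log format, user names, thresholds and the generated baseline are all assumptions made up for the demonstration; a production system would use many more features than a count per minute.

```python
"""Rate-baseline anomaly detection over constructed file-server audit events.

Added example, not from the article. Line format (assumed for this demo):
    "<minute> <user> <op> <path>"    e.g. "12 asmith WRITE /share/asmith/doc3.docx"
For RENAME, <path> is the new name.
"""
import random
from collections import Counter, defaultdict
from statistics import mean, pstdev

MODIFYING_OPS = {"WRITE", "RENAME", "DELETE"}
BASELINE_MINUTES = 8 * 60  # one constructed working day, one-minute resolution

# Constructed baseline: three users with low, bursty, legitimate activity.
_rng = random.Random(7)
BASELINE_LOG = [
    f"{minute} {user} {op} /share/{user}/doc{_rng.randrange(50)}.docx"
    for user in ("asmith", "jdoe", "rpatel")
    for minute in range(BASELINE_MINUTES)
    for op in _rng.choices(["READ", "WRITE", "RENAME"], weights=[6, 3, 1],
                           k=_rng.choice([0, 0, 0, 1, 1, 2]))
]

# Constructed detection window (minute 480 = first minute of the next day):
# asmith works normally; jdoe's account renames 60 patient records to .locked.
WINDOW_LOG = [
    "480 asmith WRITE /share/asmith/notes.docx",
    "480 asmith WRITE /share/asmith/budget.xlsx",
    "481 asmith RENAME /share/asmith/budget_final.xlsx",
    "480 jdoe WRITE /share/records/README_TO_DECRYPT.txt",
] + [f"480 jdoe RENAME /share/records/patient{i:03d}.pdf.locked" for i in range(60)]


def parse_line(line):
    minute, user, op, path = line.split(" ", 3)
    return int(minute), user, op, path


def modifications_per_minute(lines):
    """user -> Counter{minute: number of modifying ops}."""
    counts = defaultdict(Counter)
    for minute, user, op, _ in map(parse_line, lines):
        if op in MODIFYING_OPS:
            counts[user][minute] += 1
    return counts


def build_baseline(lines, span_minutes):
    """Per-user (mean, std dev) of modifying ops per minute over the baseline
    period. Idle minutes count as zero so a quiet user gets a tight baseline."""
    baseline = {}
    for user, per_minute in modifications_per_minute(lines).items():
        series = [per_minute.get(m, 0) for m in range(span_minutes)]
        baseline[user] = (mean(series), pstdev(series))
    return baseline


def analyze_window(lines, baseline, k=4.0, sigma_floor=1.0, mass_rename=20):
    """One alert per user whose peak per-minute rate exceeds the baseline by
    more than k standard deviations, or who renamed at least `mass_rename`
    files to the same extension. A user absent from the baseline is scored
    against a zero baseline, i.e. any burst from them is suspicious."""
    alerts = []
    renames_by_ext = defaultdict(Counter)
    for _, user, op, path in map(parse_line, lines):
        if op == "RENAME":
            ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
            renames_by_ext[user][ext] += 1

    for user, per_minute in modifications_per_minute(lines).items():
        peak = max(per_minute.values())
        mu, sigma = baseline.get(user, (0.0, 0.0))
        # Floor sigma so a nearly idle baseline cannot turn one write into a huge score.
        z = (peak - mu) / max(sigma, sigma_floor)
        reasons = []
        if z > k:
            reasons.append(f"{peak} modifications/min vs baseline {mu:.2f}+/-{sigma:.2f}")
        if renames_by_ext[user]:
            ext, n = renames_by_ext[user].most_common(1)[0]
            if n >= mass_rename:
                reasons.append(f"{n} renames to .{ext} in the window")
        if reasons:
            alerts.append({"user": user, "peak": peak, "z": round(z, 1), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze_window(WINDOW_LOG, build_baseline(BASELINE_LOG, BASELINE_MINUTES)):
        print(f"ALERT {alert['user']}: z={alert['z']}; " + "; ".join(alert["reasons"]))
```

Run as-is it reports only jdoe, with both a rate deviation and the mass rename as reasons, while asmith’s two writes and one rename stay under threshold. The sigma floor and the rename-count rule are the kind of tuning the previous paragraph refers to: without the floor, a user who wrote nothing during the baseline would be alerted on a single save, and without a second signal a slow encryptor that stays under the rate threshold would be missed.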
2. Secure internal networks and devices
Attackers rarely get in by knocking on the front door and finding it unlocked. Most organizations have taken at least the basic measures needed to ensure the obvious entry points are protected, or at least monitored. Anyone using corporate email in the last few years has experienced this: external emails are scanned, warnings are appended about suspicious links, and so on.
As a result, bad actors have become practiced at finding back doors that escape the scrutiny of a typical IT security organization. Connected devices with embedded software, as well as personal devices on corporate networks, offer a tempting attack surface. Attackers have used vulnerabilities as esoteric as the code in a connected fish tank to gain broader network access.
Connected devices pose a particular threat because they often ship with widely known default credentials, and with schemes designed to make it easy to attach them to networks (since they lack a real user interface for managing connectivity). Security professionals should pay special attention to every device they add to their networks, regardless of how innocuous it seems: change the default administrative account names and passwords, disable management interfaces that are not needed, and keep an inventory so that nothing is forgotten. Where a device cannot be hardened, put it on a segmented network where it can reach only the systems it actually needs, so that a compromised device does not become a path to the file servers and workstations ransomware is after.
3. Refresh (and follow!) your backup plans
The importance of backing up critical data has filtered down to the consumer level, with Apple’s Time Machine and Windows’ Backup and Restore installed by default on hundreds of millions of home and professional PCs.
Ransomware complicates the backup equation. Attackers can sit in a network for days or weeks between initial infiltration and activation of the payload, and that dwell time can fall inside the backup retention window. With too simplistic a backup strategy, the backups may faithfully preserve a dormant copy of the ransomware, which then recurs after the data is restored. Worse, if the backup storage is reachable from the compromised systems, the backups themselves can be encrypted and become unusable without paying the ransom.
Like many preventative strategies, a ransomware-resistant backup plan may seem excessive, at least until the crisis actually hits. Many security professionals recommend a “3-2-1 backup plan”:
3 – Keep at least three copies of all critical data. Frankly, given the stakes and the relatively low cost of storage, three copies should be considered the absolute minimum. With a little incremental work and planning, snapshotting can raise the effective number of copies to whatever your storage regime can stand. In any case, multiple copies give you options when restoring, and every sound backup plan should include periodic restore testing to confirm that the data being saved is truly recoverable in a disaster.
2 – Store your backups on at least two different devices, preferably devices that are logically separated from each other. Backing up to an external drive that stays connected to the host can produce an encrypted backup that is useless for recovery. Backing up to a network share or a tape drive gets the data off the affected host and improves the chances that it will be recoverable, with one caveat: a network share that the infected host can write to will be encrypted right along with everything else, so backup targets should be reachable only by the backup service (or pulled by it), and ideally written to immutable or write-once storage. Compliance requirements may complicate the use of commercial offsite backup, but for maximum safety…
1 – At least one copy should be offsite, such as with a cloud backup provider or an offsite data center. For added redundancy, consider duplicate backups with competing cloud providers, so that in the event of a wider-ranging issue that takes down one provider, you still have access to the other.
Like other preventative measures, a good backup plan is like a seatbelt: it only works if you actually use it. Make sure your organization treats backup hygiene as a critical business function, not an afterthought.
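Here is the scheme above in miniature, as an added example in Python (my code, not the article’s or any backup vendor’s): a snapshot is copied to three destinations, a SHA-256 manifest is computed from the source and kept apart from the copies, and a restore test verifies each copy against that manifest before using it. The demo then simulates what the article warns about, an encryptor reaching a still-mounted backup drive, and shows the restore falling through to the next clean copy. The directory names (usb, nas, offsite), the file contents and the date label are constructed for the demonstration.

```python
"""3-2-1-style snapshot backup with an out-of-band integrity manifest and a
restore test. Added example, not the article's or any vendor's code; the
directory names (usb, nas, offsite) and file contents are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_snapshot(source, destinations, label):
    """Copy `source` to every destination under `label` and return the manifest
    computed from the source. The manifest written next to each copy is a
    convenience; the returned one is the trusted copy and must be stored apart
    from media an attacker could reach (e.g. with the offsite copy)."""
    manifest = build_manifest(source)
    copies = []
    for dest in destinations:
        target = Path(dest) / label
        shutil.copytree(source, target)
        (target / "MANIFEST.json").write_text(json.dumps(manifest, indent=1))
        copies.append(target)
    return manifest, copies


def verify_copy(copy_dir, manifest):
    """Files missing from the copy or whose hash disagrees with the trusted
    manifest. A copy that ransomware has encrypted or renamed shows up here."""
    return [rel for rel, digest in manifest.items()
            if not (Path(copy_dir) / rel).is_file()
            or sha256_file(Path(copy_dir) / rel) != digest]


def restore(copies, manifest, target):
    """Restore-test each copy in order and restore from the first clean one.
    Returns the copy used, or None if every copy failed verification."""
    for copy_dir in copies:
        if not verify_copy(copy_dir, manifest):
            shutil.copytree(copy_dir, target,
                            ignore=shutil.ignore_patterns("MANIFEST.json"))
            return copy_dir
    return None


def simulate_ransomware(copy_dir):
    """Stand-in for an encryptor that reaches a mounted backup: scramble every
    file and give it a .locked extension (XOR is not encryption; it is only
    here to change the bytes)."""
    for p in [q for q in Path(copy_dir).rglob("*")
              if q.is_file() and q.name != "MANIFEST.json"]:
        p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
        p.rename(p.with_name(p.name + ".locked"))


def demo():
    work = Path(tempfile.mkdtemp())
    try:
        source = work / "ehr"
        (source / "notes").mkdir(parents=True)
        (source / "schedule.csv").write_text("ward,shift,staff\nA,day,4\n")  # constructed
        (source / "orders.json").write_text('{"rx": ["amoxicillin"]}')      # constructed
        (source / "notes" / "rounds.txt").write_text("patient stable\n")    # constructed

        # Three backup copies on three "devices"; offsite is the one location
        # that is not reachable from the hospital network.
        manifest, copies = take_snapshot(
            source, [work / "usb", work / "nas", work / "offsite"], "2020-06-01")

        simulate_ransomware(work / "usb" / "2020-06-01")  # the USB copy stayed mounted

        used = restore(copies, manifest, work / "restored")
        return {
            "usb_bad_files": len(verify_copy(work / "usb" / "2020-06-01", manifest)),
            "restored_from": used.parent.name if used else None,
            "restore_matches_manifest": build_manifest(work / "restored") == manifest,
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The point of computing the manifest from the source rather than from a backup copy, and of keeping it somewhere the hospital network cannot write to, is that an attacker who can encrypt a backup can usually also rewrite a manifest stored next to it. On real infrastructure the same role is played by the catalog of a pull-based backup server, object-lock or write-once storage, and tapes that are physically removed; the periodic restore test the article calls for is the verify_copy step run on a schedule, not only during a crisis.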
4. Emulate your hospital’s approach to preventative medicine
Health care providers have a special advantage in this dimension of ransomware preparedness, because it borrows a philosophy from their core business: maintaining the health and wellness of their patients. Providers are accustomed to advising patients to practice preventative medicine (diet and exercise plus therapeutic drugs to reduce the risk of heart attack or stroke, for example). They know that the best way to avoid a catastrophic outcome is to get ahead of predictable, preventable problems.
Security leaders in hospitals should take a page from this playbook and treat their seemingly healthy networks as patients whose health they are trying to preserve against future threats. Disaster planning and red teaming are useful tools to kickstart conversations, but a good caretaker also understands the long-term health trends of their patients and adjusts care accordingly; unpatched systems, accumulating exceptions to policy, and aging devices that can no longer receive updates are the chronic conditions of a network.
Treat your network security like a patient whose health is in your hands, prescribe preventative measures and healthier security habits, and your “patient” will be in a better place to fight off external threats down the line.
5. Educate, inform, and exercise your employee base
Despite the range of technological and operational measures described above, the most important element of a layered defense is strengthening the weakest link: the users on your network.
“What we see every day, despite all the evolutions of technology, the number one attack vector continues to be people,” says Michael Venerra, Chief Information Officer of Independence Blue Cross. “When people are vulnerable, attackers double down on exploiting them.”
Venerra and his team had prepared for the sudden shift to a distributed environment during previous work-from-home events, such as when heavy snowstorms kept people out of the office. However, the extended duration of the pandemic, along with the emotional strain it adds, leads Venerra to be extra vigilant about malware and phishing attacks that could compromise their networks.
“COVID has amped up the urgency and fear,” says Venerra. “A typical phishing attack might spoof an email from the CEO or another executive, asking for an employee to click a link or open an email. In a time of crisis, an employee’s emotional response might overwhelm their typical caution, and they might make a move they wouldn’t otherwise out of fear and stress.”
What to do if your institution is the victim of a ransomware attack
Job one is securing the network from further exploitation. If one attacker got in, others may be waiting in the wings, and the first one may still have a foothold. Isolate affected systems, preserve logs and disk images before rebuilding anything, and do the forensic work needed to identify how the attacker got in and what they touched, so you don’t turn one crisis into two…or more.
Once you are confident you’ve closed off the source of the attack, assess the damage. If you have proper backups in place, deploy them carefully: restore from a copy taken before the intrusion where you can, verify the restored data against known checksums or a test restore, and check integrity after each restore before bringing systems back into production.
If you’ve got customers / partners / vendors who are affected by your situation, be transparent and straightforward about your situation, and what you’re doing to solve the problem.
As to the big question – should you pay to restore your data? Given all the cost and effort, it may be tempting to simply pay to receive the decryption keys, and get on with your business.
Experts think that’s a bad course of action. Microsoft asserts that “Paying a ransom is often expensive, dangerous, and only refuels the attackers’ capacity to continue their operations; bottom line, this equates to a proverbial pat on the back for the attackers.” And that assumes the attackers actually uphold their end of the transaction; they have already established that they are bad actors, so trusting them to deliver working decryption keys may not be the wisest choice.
Regardless of how you mitigate, use the incident to learn more about the vulnerabilities that led up to the attack, and improve your technology, processes, and user education to prevent a recurrence.
Has your institution suffered a ransomware attack, or have you taken measures we didn’t cover to prevent or blunt a future attack? If so, we’d like to hear about your experiences. We’ll be doing a series of followups to track how ransomware develops during the COVID-19 pandemic, and we’d love to spotlight your story.