5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIMSS Presentation

Chris Bowen, MBA, CIPP/US, CIPT
Founder, Chief Privacy & Security Officer

Ransomware: Five Ways to Protect Your Organization


PROPRIETARY & CONFIDENTIAL

Agenda

1. Ransomware: Anatomy & Psychology
2. Case Studies
3. Recovery Strategies
4. Five Prevention Strategies


Ransomware Attacks are Increasing

[Chart: Total Ransomware by quarter, 2013 Q1 through 2015 Q2; y-axis 0 to 4000]

Source: http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-aug-2015.pdf


Ransomware Attacks Costly

• $300 – Average cost of a demanded ransomware payment.
• $18M – Combined losses of 992 victims from CryptoWall in mid-2015*
• $27M – Estimated Bitcoin transactions from CryptoLocker in a two month period.
• $325M – Losses to US companies as estimated by the Cyber Threat Alliance^

* https://www.ic3.gov/media/2015/150623.aspx
^ http://cyberthreatalliance.org/cryptowall-report.pdf


Types of Cyber Attackers

Source: http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-aug-2015.pdf

Recreational
• Fame and notoriety
• Limited tech resources
• Known exploits

Criminal
• Vandalism
• Limited tech capabilities

Hacktivist
• Statement
• Relentless
• Emotionally committed
• Vast networks
• Targeted attacks

Organized Crime
• Economic gain
• Significant tech resources and capabilities
• Established syndicates
• Adware, crimeware, IP theft
• A lot of spamming/phishing
• Prominent in ransomware

State Sponsored
• Cyberwar, state secrets, industrial espionage
• Highly sophisticated
• Nearly unlimited resources
• Advanced persistent threats


The Psychology of a Ransomware Attacker

Why?
• Easy to buy and use the tools
• Profit is predictable
• Less risk in the payoff – no direct contact or sale of data
• Don’t have to find a data buyer
• I can automate it globally
• Less trackable using Bitcoin

Pricing Dynamics
• Ransom is usually kept comparatively low to increase the likelihood of payment
• Individual payment may be $300; enterprise $30,000


Ransomware Tools

CryptoWall, Locky, TorrentLocker, CTB-Locker, TeslaCrypt, Samsam, CrypVault, PayCrypt

CryptoWall
• Uses AES encryption that cannot practically be broken
• Widely distributed using exploit kits, spam campaigns & malvertising
• Uses I2P network proxies and the Tor network for payments in Bitcoin

TorrentLocker (sometimes referred to as CryptoLocker)
• File-encrypting ransomware distributed via spam email
• Uses AES to encrypt a wide variety of file types
• Harvests email addresses from the victim to further spread itself

Locky
• New but aggressively distributed by spam and compromised websites
• Scrambles any files in any directory on any mounted drive that it can access


Tools Gaining Sophistication
• Originally inflicted unwanted encryption only on files stored locally on a machine
• Now fully able to traverse network drives, SANs and NASes, UNC paths
• Encrypts anything it can touch and access with the level of permissions granted to the user account under which the malware is executing.


Easy To Acquire

https://ransomwaretracker.abuse.ch/


Anatomy of a Ransomware Attack

1. The Bait
• Typically comes as an email attachment
• Such as: invoice, shipment tracking document, etc.
• Often very generic, but could include a real vendor name or even your company name.

2. The Infection
• User’s machine typically connected to network, shared cloud services, etc.
• Once opened, ransomware silently begins encrypting all of the files it can, without any user interaction or notification.

3. Ransom Notice
• Once done, it alerts the user and provides payment instructions.
• Payment is usually in Bitcoins
• Some even provide “Customer Service” info.

4. Pay or Restore
• Critical choices:
  – Pay ransom
  – Restore from backup
• Paying ransom increases risk of future attacks


Typical Bait Email


Malicious Attachments

Word doc with malicious VB code, activated by enabling macros


How Does Ransomware Spread?
• Emailing it to huge numbers of people, targeting particularly the US and UK
• May come on its own (often by email) or by way of a backdoor or downloader, brought along as an additional component
• Browser exploit kits, drive-by downloads
• TorrentLocker’s authors have been both nimble and persistent
• Also spreads via RDP ports that have been left open to the Internet, as well as by email
• Can also affect a user’s files on drives that are “mapped” – thumb drives, Dropbox, Box, USB drives, storage shares

Case Studies: Recent Healthcare Attacks

Titus Regional Medical Center – Jan 2016
• Ransomware encrypted files on several of TRMC’s database services, blocking TRMC’s ability to enter or retrieve patient data in the EHR.
• No ransom paid. The security team remedied the situation.


Hollywood Presbyterian – February 2016
• Suffered a ransomware attack that prevented access to EMR and communications.
• The leading suspected cause, according to sources familiar with the investigation, is a phishing attack: likely a link in an e-mail that was clicked by a hospital employee on a computer with access to the EMR system.
• Paid $17,000 in Bitcoin before contacting law enforcement.


MedStar Health – March 2016
• Suffered a ransomware attack that locked access to systems and files in all 10 hospitals and 250 outpatient centers.
• Attackers demanded 45 bitcoins within 10 days. Within one day, systems were once again readable, but not writeable.
• The attack involves SAMSAM, a server-side ransomware family that does not rely on malvertising or social engineering hooks to arrive in a target’s system.


Methodist Hospital Kentucky – March 2016
• Locky ransomware locked down enough of the Kentucky hospital’s data that it was forced to declare an internal state of emergency. Officials now say they resolved the situation without giving in to the attackers’ demands.
• Attack lasted five days. They claim they did not pay.

Recovery Strategies: Options & Contingencies

What Happens When You’re Locked Out

Files or systems encrypted; files threatened with destruction or deletion; files or systems locked. Two paths:

Pay Up – Become a target for life

Don’t Pay – Tell hackers to pound sand (but you better have solid backups and a secure place to restore to)


Engage Incident Response
• Notify your Info Security Team
• Notify authorities and regulatory bodies
• Identify Recovery Time and Recovery Point Objectives
• Preserve evidence
• Engage your legal team ASAP


Isolate The Device
• Remove the impacted system from the network and remove the threat
• Removal is best done with the system off the network to prevent any potential spread of the threat.


Attempt Data Recovery
• Restore any impacted files from a known good backup.
• Restoration of your files from a backup is the fastest way to regain access to your data.
• Requires confidence in the integrity of the backup
• Requires a destination at which to restore
• May take some time


Hybrid Recovery
• Stall for time by trying to negotiate
• In the meantime, work on recovery from a backup
• Requires confidence in the integrity of the backup


Pay The Ransom?

Why Pay?
• Without a backup, may be the only realistic means of retrieving data
• Possibly quicker and cheaper than restoration or starting over

Reasons Not To Pay
• May increase the likelihood of additional attacks
• Motivates the attackers to keep carrying out their attacks
• Increases the likelihood of attacks from other sources
• Funds the cybercrime operation and the infrastructure they are using to commit further fraud
• May not achieve recovery, even if you pay


Start Over
• Dispose of all infected devices
• Rebuild from scratch
• Will be expensive and time consuming
• History lost

Prevention Strategies: Defense In Depth

Defense in Depth in IT

Layers:
• Multi-level Security – user, process, device
• Data & Application Security
• Physical Infrastructure
• Network Security – air-tight, properly configured
• System Security

Applying Defense in Depth & Breadth
Defense in depth and defense in breadth, applied across each use case to the appropriate level:
• Reduce attack surfaces
• Deploy crypto keys
• Create secure people, processes & systems


#1: Backup Your Data
• Regular and consistent backups along with tested and verified restores.
• Keep a recent backup copy offsite and offline.


#2: Email Filtering & Phishing Awareness
• Don’t click on links without scrutinizing the email to make sure it’s legitimate
• Inbound e-mails should be scanned for known threats and should block any attachment types that could pose a threat.
• Filter email
• Block dangerous email attachments – ZIP, RAR, EXE, SCR, JavaScript, etc.
• Block macro-enabled content – Word, Excel, PowerPoint
  – Very prolific attack vector
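As an added illustration of the attachment-blocking rules above (this is example code written for this transcript, not the presenter's or any product's filter), the Python below scans a message for the attachment types the slide names, and goes one step further by inspecting Office containers for a VBA project, so a macro document renamed to .docx is still caught. The sample message, sender names and file contents are constructed here for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the talk says to block outright, and macro-enabled Office extensions (Word, Excel, PowerPoint).
BLOCKED_EXT = {"zip", "rar", "exe", "scr", "js"}
MACRO_EXT = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
# An OOXML document carrying VBA stores the project under one of these member names.
VBA_MEMBERS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}

def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def _zip_members(data):
    # Empty list for anything that is not a valid zip container.
    return zipfile.ZipFile(io.BytesIO(data)).namelist() if zipfile.is_zipfile(io.BytesIO(data)) else []

def classify_attachment(filename, data):
    """Return ('block' | 'allow', reason) for one decoded attachment."""
    ext = _ext(filename)
    if ext in BLOCKED_EXT:
        return "block", f"blocked attachment type .{ext}"
    if ext in MACRO_EXT:
        return "block", f"macro-enabled Office extension .{ext}"
    if VBA_MEMBERS & set(_zip_members(data)):
        # A .docm renamed to .docx keeps its VBA project, so the container is inspected, not just the name.
        return "block", f"VBA project found inside .{ext} container"
    return "allow", "no indicator"

def scan_eml(raw):
    """Scan an RFC 5322 message; return [(filename, verdict, reason), ...]."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename() or "",) + classify_attachment(p.get_filename() or "", p.get_payload(decode=True))
            for p in msg.iter_attachments()]

def _zipped(*members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members:
            zf.writestr(name, body)
    return buf.getvalue()

def build_sample_eml():
    """Constructed sample message (not from the talk): zipped script, renamed macro doc, plain text note."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(_zipped(("invoice.js", "// placeholder")), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(_zipped(("word/document.xml", "<w:document/>"), ("word/vbaProject.bin", b"x")),
                       maintype="application", subtype="octet-stream", filename="report.docx")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()
```

The extension check also covers double-extension names such as invoice.pdf.exe, which is the case that the "show hidden file extensions" setting in #5 exists to expose to users.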


#3: Antivirus
• Exploit kits hosted on compromised websites are commonly used to spread malware.
• Regular patching of vulnerable software is necessary to help prevent infection.


#4: Updated Patches & Software
• Be sure all system and application patches are current.
• Keeps you safer from drive-by downloads and Samsam attacks


#5: Settings & Access Control
• Show hidden file extensions
• Disable files running from AppData/LocalAppData folders
  – %APPDATA%
  – %TEMP%
• Disable RDP
• Limit end user access to mapped drives
• Install a firewall, block Tor and I2P, and restrict to specific ports


Resources
• Very good Ransomware Tracker: https://ransomwaretracker.abuse.ch/
• Shodan HQ: https://www.shodan.io/
• CryptoLocker Prevention Kit: https://community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-updated

[email protected]

(602) 635-4002

1600 W. Broadway Road, Tempe, AZ 85282

Chris Bowen, MBA, CIPP/US, CIPT
Chief Privacy & Security Officer