Ransomware and Digital Extortion - EXPLORE 2020 · •Overview of Ransomware/Digital Extortion and...
Ransomware and Digital Extortion Prevention and Recovery
Presented By: CS-FO Thomas Gilchrist, FBI-Oklahoma City
On Behalf Of: Explore Healthcare Summit 2019
My Bio
• 2007: Intern at FBI-Birmingham
• 2008: SSC/SST/OST at FBI-Birmingham
• 2009: B.S. in Criminal Justice at UAB
• 2013: M.S. in CIS at UAB
• 2015: CS-FO at FBI-OKC
• 2018: Adjunct Faculty at UCO
Today’s Objectives
• Overview of Ransomware/Digital Extortion and the Threat to Healthcare Industry
• Case Studies of Healthcare Ransomware Attacks
• Ransomware Tips/Strategies for Prevention, Mitigation Preparation and Recovery
• Law Enforcement Involvement Considerations
• Overview of Other Cyber Attacks
– Denial-of-Service, Data Theft, Business Email Compromise, Malvertising, Cryptojacking
• Q and A
Ransomware and Digital Extortion
• Digital Extortion is the act of coercing an individual or company to pay to access stolen or hidden cyber assets
– Ransomware is the most common weapon for achieving this
– 2016 was the “Year of Ransomware”
Two Types of Ransomware
• #1: Locker – “Locks down” a digital device
– Blocks the user’s ability to access anything on the system until the ransom is paid
– Files remain intact (just not accessible)
– Common requested payment is prepaid cards and vouchers
– Most commonly targets mobile devices
• #2: Crypto – Weaponizes encryption
– Searches through files on a system targeting specific file extensions
– Encrypts targeted files and drops a ransom note for payment in exchange for the private key (required for decryption)
– Common payment is cryptocurrency (Bitcoin)
Locker Ransomware
Crypto Ransomware
Ransom Note
Encrypted Files
Targeted File Extensions
Ransom Notes
Text File
HTML Splash Page
Healthcare is Under Attack
• Some 2019 Statistics:
– 89% of healthcare organizations have experienced a data breach in the past 2 years
– 50% of healthcare organizations have experienced a ransomware incident within 1 year
– Average loss from ransomware for a business is $133,000
– Estimated losses for the healthcare industry in 2019 are $25 billion
• Reasons Healthcare is Targeted:
– Significant amount of PII in data
– Downtime of systems means downtime in patient care
– It’s profitable!
Case Study #1: Hollywood Presbyterian
• 2016 – First well-documented attack on healthcare
• Hollywood Presbyterian Medical Center – Los Angeles, CA
• Targeted by Locky ransomware
– Delivered through a Word document with an embedded VBA macro
• 10 Days of Downtime
– Systems for lab work, pharmaceutical orders, and the emergency room were inaccessible
• Paid $17,000 Bitcoin ransom
Case Study #2: MedStar Health
• 2016 – First multi-site attack
• Affected 10 hospitals and more than 250 outpatient centers – Baltimore/DC Area
• Targeted by SamSam ransomware
– Delivered via a web application security vulnerability (a patch existed)
• Mass confusion caused by multi-site compromise
• Paid $19,000 Bitcoin ransom
• Two Iranian hackers indicted in 2018 by DOJ
– Made roughly $6 million and caused $30 million in damages
Case Study #3: To Pay or Not to Pay
• 2016 – Kansas Heart Hospital – Wichita, KS
• Paid initial ransom
– Partial file access
– Second ransom demand
• 2016 – Christopher Rural Health – Christopher, IL
• Did not pay ransom
– Restored from backups!
• The FBI DOES NOT support ransom payment
– Cyber Division Assistant Director James Trainor
• Reasons:
– Access to files is not a guarantee (see Kansas Heart)
– Payment can fund other criminal enterprises
– Payment sets a bad precedent and emboldens criminals
2019 Attacks Continue…
• While ransomware attacks are on the decline for most industries, this is not the case for healthcare
– Due to the success rate of these organizations paying ransoms quickly to regain access to important data, and a lack of preparedness
• NEO Urology
– Paid $75,000 ransom
– Suffered 3 days of downtime
• Estes Park Health
– Insurance paid the ransom…TWICE
– Paid $10,000 deductible on ransom payment
• Olean Medical Group
• Seneca Nation Health System
• Shingle Springs Health and Wellness Center
• Boston Residex Software
Ransomware Prevention
• Prevention of ransomware is associated with understanding common delivery mechanisms and “plugging those holes”
– Prevent the malware from getting on your systems in the first place!
• Common Initial Attack Vectors
– Phishing/Email Attachments
– Social Engineering
– Vulnerability Exploit Kits
– Hacking
• Let’s discuss some techniques to prevent each of these…
Phishing/Social Engineering
• Continual education of employees against phishing attacks and social engineering is critical
• Train employees to never open email attachments with certain suspicious file extensions: exe, vbs, js, ps
• Turn off JavaScript execution in Adobe Reader for PDFs
• Turn off Flash player execution in Browsers
• Be VERY cautious of Microsoft Office VBA Macros
– Often code that reaches out to a malicious server to download and execute malware
More Email Tips
• Train employees to be cautious with links
– Shortened links are suspicious; sites exist to expand shortened links without visiting them (checkshorturl.com)
– Be aware a link can say it will send you one place and redirect you to a malicious site to download malware
– Be aware legitimate sites can host ads that direct to malware
• See Malvertising later…
• Train employees to be cautious with unknown storage media
– USBs exist that pose as a “virtual keyboard”, entering commands into a system when plugged in; they execute commands on the system with no user interaction!
Hacking
• Hacking just means gaining unauthorized access to a network
– It’s not always that sophisticated!
• If the criminal can gain access to the network, they no longer need an employee to execute the malware…they can just do it themselves
Hacking/Vulnerabilities Tips
• There are many ways to prevent unauthorized access
– Block remote access unless absolutely necessary
– Severely limit users that can remote access
– Whitelist specific devices allowed remote access
– Enforce strong passwords and Two Factor Authentication
– Enable logging of proxies and VPN concentrators
– Keep systems patched for security risks
– Run automatic vulnerability scans for security risks
• Nessus
– Hire pen testers to test the network and your security team
• White Hat Hackers
• Be wary of vulnerability scanners posing as pen testers!
Ransomware Preparedness
• Preparedness for ransomware is the process of putting protections in place to mitigate the damage of a ransomware attack BEFORE it occurs
• #1 Key is BACKUPS!
– BACKUP all operations-critical data
– Backups should be AIR-GAPPED
• Store OFFLINE and OFFSITE
• Anti-Ransomware Software
– Antivirus vendors are offering Anti-ransomware software
– Detects sudden mass changes to files and stops it from continuing
– Companies like Malwarebytes are still Beta testing
Ransomware Preparedness Cont.
• Engineer Network Architecture with Security Precautions
– Utilize host and network security appliances like firewalls and intrusion detection/prevention systems
• Configure with default deny rules and event alerts instead of silent logs
– Segment network with VLANs to prevent lateral movement
– Use Virtual Machine environments
• Snapshot to have restore points
– Use Honeypots and Decoy Systems
– Utilize a constant Network Security Monitoring team
• Requires human inspection, not just IDS/IPS auto alerting
Incident Response and Recovery
• Fully Develop Incident Response Plan
– Fully scope your security landscape
• Includes all sites and third parties with access like contractors/vendors
– Fully identify job duties and roles
• Typical plan:
– Isolate infected systems from network
– Identify the malware by researching encrypted file extensions
• Some ransomware strains have known decryptors online!
– Collect Evidence for/report to law enforcement
• Image compromised systems, memory captures of live compromised systems, security log files, malicious executables, phishing emails with headers
– Restore systems via backups
– Fix security flaw to prevent similar compromise
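The "sudden mass changes to files" heuristic from the Preparedness slide and the "identify the malware by its encrypted file extensions" step of the response plan can be illustrated together. The following is an added example (not code from the presentation or any vendor product): it replays a constructed list of file-system change events, flags any process that rewrites or renames many distinct files inside a short window, and reports the new file extensions it observed so a responder can research them. The event format, the ".enc" extension and the process ids are all constructed for the demonstration.

```python
"""Heuristic detector for ransomware-style mass file changes.

Added example, not from the presentation. Replays constructed file events
(timestamp, pid, action, path) and flags any process touching at least
`threshold` distinct files within any `window_s` seconds, which is the
behaviour anti-ransomware tools key on. The distinct extensions seen in the
burst are returned so an incident responder can look them up.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds (constructed values in sample_events)
    pid: int       # process that made the change
    action: str    # "modify" or "rename"
    path: str      # path after the change


def detect_mass_change(events, window_s=10.0, threshold=20):
    """Return {pid: {"count": n, "extensions": [...]}} for each process whose
    busiest `window_s` span contained at least `threshold` distinct files."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)

    hits = {}
    for pid, evs in by_pid.items():
        best = set()          # largest set of distinct paths in any window
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within window_s
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            distinct = {e.path for e in evs[start:end + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= threshold:
            exts = {PurePosixPath(p).suffix.lower() for p in best}
            hits[pid] = {"count": len(best), "extensions": sorted(exts)}
    return hits


def sample_events():
    """Constructed sample: pid 100 is an office application saving a few
    documents over a minute; pid 200 is a hypothetical process renaming 30
    PDFs to a constructed '.enc' extension within three seconds."""
    events = [
        FileEvent(0.0, 100, "modify", "/srv/docs/notes.docx"),
        FileEvent(30.0, 100, "modify", "/srv/docs/budget.xlsx"),
        FileEvent(55.0, 100, "modify", "/srv/docs/notes.docx"),
    ]
    for i in range(30):
        events.append(FileEvent(100.0 + i * 0.1, 200, "rename",
                                f"/srv/docs/file{i}.pdf.enc"))
    return events


if __name__ == "__main__":
    for pid, info in detect_mass_change(sample_events()).items():
        print(f"pid {pid}: {info['count']} files changed, "
              f"new extensions {info['extensions']}")
```

In a real deployment the events would come from a file-system audit source (for example inotify/fanotify on Linux or Sysmon/ETW file events on Windows), and the action on a hit would be to suspend the process and isolate the host, which the slides list as the first response step. The threshold and window are assumptions to tune against a baseline of normal backup and indexing activity.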
Law Enforcement Considerations
• Things the FBI will not do:
– Help restore your data
– Determine who you should notify
• Things the FBI will do:
– Collect evidence for investigation
– Indict the parties involved
Denial-of-Service
• A denial-of-service (DoS) attack has one goal: Make a networked service or resource unavailable
• DoS is the older cousin of ransomware
• There are two main methods:
– Distributed DoS (DDoS): flood bandwidth with junk traffic
– Exploit a bug/weakness in an application to cause it to freeze/crash
DoS Prevention and Recovery
• There are several vendors of DDoS protection services
– Such as Imperva Incapsula, Akamai, and Cloudflare
• There are things your organization can do to mitigate attacks
– Engineer the architecture to have real-time scalable bandwidth and design failsafes for system crashes
– Use black hole routing to route malicious traffic to another destination to be dropped
– Keep services and applications patched for known flaws
– Configure firewalls and IDS/IPS to use rate limiting and traffic filtering
– Use load balancing for important services
– Use a CAPTCHA to prevent bot access to a resource
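Rate limiting, listed above as a firewall/IDS/IPS mitigation, is easiest to understand with a per-client token bucket. The block below is an added example, not the presentation's or any vendor's code: each client IP gets a bucket that refills at a fixed rate up to a burst capacity, and a request is dropped when the bucket is empty. The request stream, the IP addresses and the rate/burst values are constructed for the demonstration.

```python
"""Per-client token-bucket rate limiter of the kind a firewall or reverse
proxy applies in front of a service to absorb a flood.

Added example, not from the presentation. Timestamps are whole seconds so
the arithmetic below is exact; in practice the clock is monotonic and
fractional.
"""
from collections import defaultdict


class TokenBucket:
    """A bucket holding up to `burst` tokens, refilled at `rate` per second.
    Each allowed request spends one token."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = burst
        self.last = None      # timestamp of the previous call

    def allow(self, now):
        if self.last is not None:
            elapsed = now - self.last
            self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_requests(requests, rate=5.0, burst=10):
    """requests: iterable of (timestamp, client_ip).
    Returns {client_ip: {"allowed": n, "dropped": m}}."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, ip in sorted(requests):
        outcome = "allowed" if buckets[ip].allow(ts) else "dropped"
        stats[ip][outcome] += 1
    return dict(stats)


def sample_requests():
    """Constructed traffic: a normal client (10.0.0.5) sending one request
    per second for 20 seconds, and a flooding client (203.0.113.9) sending
    50 requests in each of four consecutive seconds."""
    reqs = [(float(t), "10.0.0.5") for t in range(20)]
    for t in (5, 6, 7, 8):
        reqs += [(float(t), "203.0.113.9")] * 50
    return reqs


if __name__ == "__main__":
    for ip, counts in filter_requests(sample_requests()).items():
        print(ip, counts)
```

With a burst of 10 and a refill of 5 tokens per second, the flooding client gets its first 10 requests through and then only 5 per second, while the normal client is never throttled. A production limiter would key on more than the source IP (a distributed flood spreads across many sources) and would pair this with the upstream scrubbing services and black-hole routing the slide mentions.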
Data Theft
• When a network is compromised, data theft is a real possibility
– Targets are Personally Identifying Information (PII) or trade secrets
• Possible for data theft to occur prior to a ransomware attack
Data Theft Protections
• The key to protecting data is to identify the data to be protected!
– Knowledge is power…you must KNOW what is sensitive in your network
• Design your network with protecting sensitive data in mind
– Segment it away from publicly accessible network segments, behind security appliances
– Restrict access with strong authentication
– Store with encryption
– Monitor access with logs and/or traffic captures/live monitoring
• Most important means of protection is education of social engineering attacks!
Business Email Compromise
• BEC refers to a group of attacks designed to trick businesses and/or their customers/vendors into redirecting payments to a criminal third party
– Sometimes compromise legitimate business email accounts
– Sometimes spoof (pretend to be) legitimate business email accounts
– Sometimes use misspellings of business email accounts
• Healthcare email fraud attacks have increased 473% in the past 2 years
BEC Prevention
• Educate employees that make financial transfers
– Implement a Two-Step Verification protocol in which all financial funds transfers and modifications are approved by a second party, preferably via phone
• Protect your email accounts from unauthorized access
– Avoid using free email account services like Gmail or Yahoo
– Implement a Two-Factor Authentication solution
– Monitor email forwarding rules
• Protect from spoofed email
– Utilize DMARC/DKIM to protect your domain from being spoofed
– Utilize email spam filters
• Protect from “similar sounding” domains
– Consider buying rights to common domain misspellings
Malvertising/Cryptojacking
• Malvertising is a technique of using ad banners and pop-ups to download and execute malware onto a victim system
– Some require the user to click the ad; others are “drive-by downloads”
– Another delivery mechanism for ransomware too!
– Best security is Pop-Up/Ad Blockers with AV or Browser settings
• Cryptojacking is a means of forcing a user’s system to mine cryptocurrency when visiting a web site
– A legitimate web server is compromised to host a JavaScript file that is embedded in a footer on the site’s pages and executed when viewed
– The new malware threat of 2018-2019
– Best security is minimizing user accounts that can edit site content and using good authentication of those accounts
– Also look for suspicious JavaScript files and references to “Coinhive”
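The last point, checking your own site's pages for injected mining scripts, is something a site owner can script. The block below is an added example, not the presenter's code: it parses a page, collects every external and inline script, and flags those that reference the "Coinhive" name mentioned in the talk or that load from a host outside an allow-list of the site's own script sources. The sample HTML, the script URLs and the allowed-host list are constructed for the demonstration.

```python
"""Scan site pages for injected cryptomining JavaScript.

Added example, not from the presentation. `find_miner_scripts` returns one
finding per suspicious script: ("miner", src_or_snippet) when a known miner
indicator appears, or ("unexpected-host", src) when an external script is
served from a host that is not in the site's allow-list.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator strings; "coinhive" is the name the talk cites. Extend from your
# own threat intelligence.
MINER_INDICATORS = ("coinhive",)


class ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the raw body of a <script> element to handle_data
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def find_miner_scripts(html, allowed_hosts):
    """Return a list of (reason, detail) findings for the page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        if any(ind in src.lower() for ind in MINER_INDICATORS):
            findings.append(("miner", src))
            continue
        host = urlparse(src).netloc.lower()
        # relative URLs (empty host) are served by the site itself
        if host and host not in allowed_hosts:
            findings.append(("unexpected-host", src))
    for code in parser.inline:
        if any(ind in code.lower() for ind in MINER_INDICATORS):
            findings.append(("miner", code[:60]))
    return findings


# Constructed sample page: the site's own script, a footer script loaded
# from a constructed "coinhive.example" host, and an inline starter snippet.
SAMPLE_HTML = """<html><head>
<script src="https://www.examplehealth.org/js/site.js"></script>
</head><body><p>Patient portal</p>
<footer>
<script src="https://coinhive.example/lib/miner.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER'); miner.start();</script>
</footer></body></html>"""

CLEAN_HTML = """<html><body><script src="/js/app.js"></script>
<script src="https://www.examplehealth.org/js/site.js"></script></body></html>"""

ALLOWED_HOSTS = {"www.examplehealth.org"}

if __name__ == "__main__":
    for reason, detail in find_miner_scripts(SAMPLE_HTML, ALLOWED_HOSTS):
        print(reason, detail)
```

Run this over a crawl of your own pages (or over the CMS template files directly) on a schedule and diff the results against the previous run; a new external script host appearing in a footer template is exactly the change the slide describes. The indicator list is a starting point, so the allow-list check matters more than the name match.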
Contact Info and Q&A
CS-FO Thomas Gilchrist
[email protected] or [email protected]
405-290-3745
Main Office OKC-FBI
Ask to speak to the Duty Agent or an available Cyber Agent
405-290-7770
IC3.gov