US, Canada issue national alerts on ransomware

Attacks on healthcare organizations are rising, and the joint special alert offers guidelines for thwarting attacks. The alert also urges organizations to not pay ransom demands, as Hollywood Presbyterian did in February.


The United States Computer Emergency Readiness Team within the Department of Homeland Security and the Canadian Cyber Incident Response Centre have jointly issued a special alert for both nations on the threat of ransomware and recent variants of the virus.

The alert highlights the threat to the healthcare industry in the U.S. and worldwide, as well as threats to other businesses and individuals, outlining important steps to help organizations avoid falling victim to a ransomware attack, and guidelines for responding to incidents in which an organization is fending off ransom demands.

The alert takes a hard line on whether organizations should pay to unlock information or computers, suggesting that there is no guarantee that paying a ransom will result in the release of information.

Over the last few weeks, about a half dozen ransomware incidents have been reported among U.S. and Canadian hospitals, and in most cases, the organizations have been able to work around the attacks without paying a ransom. In February, Hollywood Presbyterian Medical Center reported that it paid the equivalent of $17,000 to unlock its information after a ransomware attack crippled the facility’s systems for about a week.

The federal alert warns that ransomware is being spread via phishing tactics, as well as through “drive-by downloading,” which occurs when a user unknowingly visits an infected web site and malware is downloaded to the computer.

“Additionally, newer methods of ransomware infection have been observed,” according to the alert. “For example, vulnerable web servers have been exploited as an entry point to gain access into an organization’s network.”


The alert explains how a financially successful ransomware attack in 2012 likely led to the proliferation of variants. “In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,000 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.”

That attack led to new and more destructive variants of ransomware in 2013, and by early 2016, a new variant called Locky was found to be infecting healthcare computers in the United States, New Zealand and Germany. Another new variant, Samas, is also being used to compromise healthcare networks.

The alert discourages organizations from paying ransoms, contending that meeting the demands for payment does not guarantee that organizations will get their files back. “It only guarantees that the malicious actors receive the victim’s money and, in some cases, their banking information.”

The alert concludes by recommending seven preventive measures that organizations can take. These include:

  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. “Ideally, this data should be kept on a separate device, and backups should be stored offline,” it advises.
  • Use a list of approved applications to help prevent malicious software and unapproved programs from running. This approach, called application whitelisting, is one of the best security strategies because “it allows only specified programs to run, while blocking all others, including malicious software.”
  • Keep computer operating systems and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks, and ensuring that these crucial applications are regularly updated “greatly reduces the number of exploitable entry points available to an attacker.”
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet before it is executed.
  • Restrict users’ ability, through the use of permissions, to install and run unwanted software applications. Organizations should apply the principle of “Least Privilege” to all systems and services, which seeks to greatly limit users’ ability to install applications on computers. “Restricting these privileges may prevent malware from running or limit its capability to spread through the network,” the alert says.
  • Avoid enabling macros to run from email attachments. If a user opens an attachment and enables macros, embedded code will execute the malware on the machine. “For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.”
  • Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.

The alert also contains links to nine references provided by security companies, including Kaspersky, Sophos, Symantec and McAfee.

The alert is available here.
