Providers need to prepare for virulent ransomware in 2018
Ransomware emerged as a significant threat on the worldwide stage in 2017, but new variants will challenge healthcare organizations well into 2018, with some versions of new malware not even needing a network to distribute themselves throughout an organization.
Previous variants of ransomware, particularly the WannaCry attack in May, showed the ability to self-propagate and spread across an organization’s network and on to other organizations’ networks via the Internet.
However, there are several other ongoing variations of ransomware and other malware that don’t even need a network to spread, says Kevin Haley, director of security response at Symantec.
For example, an attacker can park a car outside a facility and deliver malware into it without ever touching the organization’s network. Other attacks are delivered simply because the victim visited a “safe” web site that had unknowingly been compromised, in what is known as a “drive-by” download.
However, the big problem with ransomware, Haley notes, is that there is no shortage of crooks getting in the game. New players may not be very competent—they may leave the decryption key inside the malware itself, which makes it easy for an organization to decrypt its locked-up data—but the rookies will soon figure out the mistake.
If someone wants to get into the ransomware business and doesn’t know how to do it, there are “ransomware as a service” operations in which the person can learn the trade and keep about half of the profit.
Bitcoin generally is the preferred method for paying a ransom to an attacker, but some thieves will accept gift cards and others may give back an organization’s data simply if the organization completes a particular survey. In those cases, what the attacker really wants is personal information from the survey that can be used for identity theft.
Some attackers will give a tight deadline for the organization to get bitcoin and pay the ransom to get its data. It is important, Haley emphasizes, for healthcare organizations to have a supply of bitcoin on hand at all times. The first time an organization gets a ransom demand is not the time to start figuring out where to get bitcoin. That said, it’s pretty easy if it’s locally available. An organization can simply use Google to find nearby bitcoin shops or ATMs. Or, an attacker can put the victim on a phone with an operator at the attacker’s place of business who will tell the victim how to get bitcoin.
Matt Sherman, a malware outbreak specialist at Symantec, notes that while the healthcare sector is particularly vulnerable, ransomware is everywhere, including the business associates within healthcare and other industries.
Any time a healthcare organization selects a new partner, it must assess whether the security controls of the partner match the organization’s controls.
Some legacy operating systems may not be patchable, yet they continue to be used, and that practice needs to stop, he counsels. Microsoft Windows XP, for instance, introduced in 2001 and out of support since 2014, is still widely used and very vulnerable. Sherman advises retiring legacy systems where possible and identifying and isolating those that can’t be retired, so they can be quarantined quickly if something happens.
Implement a local account security policy that gives each machine its own unique local administrator password (Microsoft’s Local Administrator Password Solution does this), so that a credential taken from one infected machine cannot be reused to reach every other machine. Also, lock down “write” access to file shares where possible, and discontinue File Server Resource Manager, a Windows Server file-management role service, which he says has been exposed to attacks.
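One way to act on the “lock down write access to file shares” advice is to audit which shares on a file server grant Change or Full access to broad groups. The script below is an added example, not code from the article or from Symantec; it uses the SmbShare cmdlets shipped with Windows 8 / Windows Server 2012 and later, and the share name in the commented remediation lines is hypothetical.

```powershell
# Added example (not from the article): list non-administrative SMB shares on this
# host whose share-level ACL grants write access (Change or Full) to wide groups.
# Requires the SmbShare module (Windows 8 / Server 2012+) and an elevated session.

# Principals that should almost never hold write access to a share.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)
# Share-level rights that allow creating, modifying or deleting files.
$WriteRights = @('Change', 'Full')

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # .Special is true for administrative shares such as C$, ADMIN$ and IPC$.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $WriteRights -contains $ace.AccessRight -and
            $BroadPrincipals -contains $ace.AccountName) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $ace.AccountName
                Right     = $ace.AccessRight
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Remediation for a finding: drop the broad write ACE and re-grant read only.
    # Shown commented out so the audit itself stays read-only ('Scans' is a hypothetical share).
    # Revoke-SmbShareAccess -Name 'Scans' -AccountName 'Everyone' -Force
    # Grant-SmbShareAccess  -Name 'Scans' -AccountName 'Everyone' -AccessRight Read -Force
} else {
    Write-Output 'No broad write access found on non-administrative shares.'
}
```

Share permissions are only half of the picture: the effective right is the more restrictive of the share ACL and the NTFS ACL on the underlying folder, so a share that passes this audit can still be writable if the NTFS permissions (Get-Acl on the share path) are loose, and a ransomware process running as an ordinary user will encrypt anything either ACL lets it modify.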
Educating a healthcare organization’s workforce on cyberattacks is necessary, but it’s not enough to bring them up to speed on phishing and other threats. Organizations need to harden their own email systems; for example, Sherman advises using secure email systems as a best practice, along with two-factor authentication. Email systems should scan links in incoming messages to see where they resolve before the message is delivered, and should not load remote images in messages automatically.
Providers, payers and business associates also should be verifying that data backups are complete for core systems, validating that backups can actually be restored and securing the file-system permissions on backup repositories. Organizations also should employ incremental backup solutions for endpoints and back up to detachable media, Sherman says. “You need all five backup systems to save a lot of time and heartache.”
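Two of the backup practices above, validating that a backup can be restored and checking the repository’s permissions, lend themselves to a routine spot check. The script below is an added example, not code from the article or from Symantec; the source, repository and restore paths and the sample size are assumptions, and it treats the repository as a plain file copy of the source tree (a real backup product would be driven through its own restore command instead of Copy-Item).

```powershell
# Added example (not from the article): spot-check a file backup repository.
# 1. Flag NTFS ACEs that let broad groups modify the repository (ransomware that
#    can write to the repository can encrypt the backups too).
# 2. Restore a random sample of files to a scratch folder and compare hashes
#    with the live copies.
# All paths below are hypothetical placeholders.
param(
    [string]$SourceDir  = 'D:\Data\Billing',          # hypothetical live data
    [string]$BackupDir  = '\\backup01\repo\Billing',  # hypothetical repository
    [string]$RestoreDir = (Join-Path $env:TEMP 'restore-test'),
    [int]$SampleSize    = 20
)

# --- 1. Repository permissions ---------------------------------------------
$broadGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$acl = Get-Acl -Path $BackupDir
$badAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broadGroups -contains $_.IdentityReference.Value -and
    # Any right that can change or remove data. ACEs that render as a raw number
    # carry generic rights and need manual review; they are not matched here.
    $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|Delete'
}
if ($badAces) {
    Write-Warning "Repository $BackupDir is modifiable by broad groups:"
    $badAces | Select-Object IdentityReference, FileSystemRights | Format-Table -AutoSize
} else {
    Write-Output "Repository ACL: no broad write access."
}

# --- 2. Restore test --------------------------------------------------------
New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
$sample = Get-ChildItem -Path $SourceDir -File -Recurse | Get-Random -Count $SampleSize

$results = foreach ($file in $sample) {
    $relative   = $file.FullName.Substring($SourceDir.Length).TrimStart('\')
    $backupCopy = Join-Path $BackupDir  $relative
    $restored   = Join-Path $RestoreDir $relative
    New-Item -ItemType Directory -Path (Split-Path $restored) -Force | Out-Null

    $intact = $false
    $changedSinceBackup = $false
    if (Test-Path -LiteralPath $backupCopy) {
        Copy-Item -LiteralPath $backupCopy -Destination $restored -Force
        $liveHash     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $restoredHash = (Get-FileHash -LiteralPath $restored      -Algorithm SHA256).Hash
        $intact = ($liveHash -eq $restoredHash)
        # A mismatch is expected, not a failure, when the live file changed after the backup ran.
        $changedSinceBackup = $file.LastWriteTime -gt (Get-Item -LiteralPath $backupCopy).LastWriteTime
    }
    [pscustomobject]@{
        File               = $relative
        InBackup           = (Test-Path -LiteralPath $backupCopy)
        RestoredIntact     = $intact
        ChangedSinceBackup = $changedSinceBackup
    }
}

$results | Format-Table -AutoSize
$failures = $results | Where-Object { -not $_.InBackup -or (-not $_.RestoredIntact -and -not $_.ChangedSinceBackup) }
if ($failures) { Write-Warning "$($failures.Count) of $($results.Count) sampled files did not restore correctly." }
else           { Write-Output  "All $($results.Count) sampled files restored intact." }
```

Run it from the account that backups are restored under, not from a domain administrator, so the test also proves that the restore credential has the access it needs; and keep the detachable-media copies Sherman mentions out of scope for this script, since a check that can reach them over the network is a check that ransomware could reach them too.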