There's a new ransomware variant making the rounds, and it may prove more productive for attackers and more problematic for healthcare security teams. Rather than the “spray and pray” type attacks we saw in the past, the new twist is focusing on select, high-risk targets.

“Spray and pray” ransomware attacks are a volume game. It works like this—target a very large audience with a spear phishing scheme and hope to fool a relatively small percentage of people. Encrypt their files and ask for hundreds of bitcoins/dollars to unlock them.

In “Spray and Pray” attacks, the messages are generic and often designed to trigger an emotion-based response. Take for example, the recent spate of emails pretending to be from the IRS or FBI. They look official and convey a fear inducing message—“You are in big trouble and better respond fast.”

Chances are you've already trained the high-value potential targets in your workplace, and they would look suspiciously on an email they get at work from the FBI. Even those of us trained to detect the tell-tale signs (like a hover over the link shows a url with .cz in it) still get a sinking feeling in our stomach when we read the subject line. It only takes a small percentage of people to respond for the attack to be successful, and training doesn't stick with everyone.

So what’s the new game in town? Focus on high-value targets. A high-value target has access to high-value data or performs a function that is critical to the business. Encrypt their data, and the payout is much higher.

The cybercriminal designing these attacks will spend more time on research and use that to craft a well-designed email. For example, they'll profile a company, research the organization and pick a target within a key department. Let's use the example of George in Patient Billing and Payments. Chances are that George has amassed some considerable data since his last backup and is critical to the cash-flow of his hospital.

They'll spend a little more time and look at LinkedIn. They find that people who searched for George on LinkedIn also visited the profile of Helen at InsurCo, a well-known health insurance carrier. Then, they will craft an email that appears to be from Helen that could be well within George's day-to day context. The email below might be quite successful in fooling George:

This example is straight out of the playbook of a Defray attack. Recently emerged in August and quite successfully targeting healthcare organizations, the attachment is a JavaScript file that executes on the opening the 7Zip archive attachment. The telltale signs of a phishing email are still there. The attachment is an unusual file type. The “from” email address isn't exactly correct (insurco vs insureco). But there is a pretty good likelihood that Helen and George are friendly and that George will want to help her out of a bind.

These new targeted ransomware attacks like Defray clearly demonstrate that the threat level is ratcheting up for healthcare companies. Protecting your organization is an imperative. Here are a few things you can focus on to be safe.

Know the difference between a hacker and a cyber criminal
The big difference between hackers and cybercriminals is the level of effort and persistence they are willing to invest for the reward. Cybercrime is an industry with criminal organizations run very much like businesses. Hackers can be viewed more like hobbyists.

Each week, your perimeter defenses, Intrusion Detection Systems (IDS), anti-virus software and other defense applications likely thwart thousands of hacker-based ransomware attacks. These attacks likely use known malware with known signatures. Many are of the “spray and pray” variety.

But cybercriminals know which signatures you can likely detect. They will invest resources to design around your defenses. They'll spend the time to know your organization and create a campaign with a high probability for success so they can achieve much bigger payoffs.

Backup with regularity
The single most consistent piece of advice you will find coming from the security community is to focus on backups. If you have quick access to a backup of data that was just encrypted in a ransomware attack, you significantly cut your losses. You should back up data daily, and you should have multiple backups in multiple locations.

Raise awareness throughout an organization
Instill a culture of suspicion regarding emails with attachments and links throughout your organization. Often, a 10-second pause to scan the email for funky “from” addresses, weird file types or suspicious URLs will help identify 99 percent of attacks. Make sure your employees are trained in how to identify these telltale signs of a spear-phishing attempt. A simple search for employee spear-phishing education will provide a number of reputable vendors who can help. The cost justification is a no-brainer when you consider the potential downside.

Keep systems updated
There is a continuous race for cybercriminals to identify and exploit security vulnerabilities in systems and software before they are identified by the vendor and patched. Keeping up to date with patches significantly improves your defenses.

The enemy gets smarter every day, and your organization can only be safe if you are one step ahead of them.

This article originally appeared on the Ipswitch web site. Other columns from company experts can be found here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access

Kevin Conklin

Kevin Conklin

Kevin Conklin is a vice president at Ipswitch.