Why providers need to brace for ransomware attacks this fall
When it comes to cybercrime, online attacks often follow seasonal trends. So as the kids head back to school, it’s safe to assume that cybercriminals have learned and developed some new ransomware tricks that will be coming to a computer near you this fall.
Most healthcare organizations are probably not prepared to deal with this new wave of attacks. Amid the endless flow of sensational cyberattack headlines, including NotPetya and the Erie County Medical Center, it’s easy to become numb to the threat of ransomware and to believe that your organization is either too small to be a likely target or that your existing cybersecurity measures provide adequate protection. Unfortunately, this optimism has put many healthcare providers and, in turn, the patients they serve in peril.
The biggest cybersecurity concern used to be hackers invading healthcare systems to steal sensitive patient data and then selling it to the highest bidder. But today, one of the easiest assaults on a computer system is ransomware—a debilitating attack through which an anonymous criminal encrypts your files and then forces you to pay them whatever amount they request in order to regain access to your system—and all the important files it may contain.
SonicWall recently reported there have been 181.5 million ransomware attacks during the first six months of 2018, which marks a 229 percent increase over this same time frame in 2017. Encrypted threats are up 275 percent over last year.
Why has ransomware become the primary cyber threat out there? Most experts point to four primary factors:
- Finding a buyer. The key to any successful transaction is finding a buyer that is willing to pay to acquire whatever it is that you are selling. When it comes to selling data on the dark web, searching for a buyer is tricky and comes with many risks. Selling something directly to the person you stole it from improves the odds of getting paid quickly and quietly.
- The U.S. government. In 2017, Shadow Brokers compromised government security defenses and delivered to the world the tools the NSA had been using to break into computers of its adversaries. Created at a huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and are being used against businesses and civilians. The WannaCry attack was born from these tools, as was the Petya attack which shut down millions of computers across the globe with demands for payments to restore access.
- Cryptocurrency. In the old days, collecting a ransom involved suitcases full of cash (containing bills that could be marked) or wire transfers (which could be tracked). The cash then had to be laundered, which meant only large criminal organizations typically had the necessary resources. Today, anyone can sign up for a cryptocurrency wallet in a matter of minutes; some criminals even provide their victims with simple-to-follow instructions. With cryptocurrency, neither the wallet nor the resulting transactions can be easily connected to any real-world identities.
- Ransomware as a service. Once upon a time, cybercriminals had to develop their own malware, which required coding skills and at least some knowledge of operating systems, networking and hardware. Now, easy-to-use “ransomware as a service” can be purchased cheaply on the darknet. Some vendors even offer customer support for buyers of their malware. And would-be hackers who want customized ransomware can hire black-hat coders for its development.
Smaller healthcare organizations are an easy target for hackers because most don’t have adequate financial or technical resources to defend themselves against the onslaught of attacks. According to Cryptonite, healthcare organizations have reported an 89 percent year-over-year increase in ransomware attacks.
No healthcare provider wants to be a victim of a ransomware attack, but cybersecurity is a complex problem that requires multiple layers of defenses. Many healthcare organizations feel they can’t afford to keep their practice safe because it typically requires deploying sophisticated endpoint technologies such as antivirus, anti-malware software and firewalls to keep intruders out and then hiring resources to keep up with frequent software and equipment security updates and data backups, as well as providing security training for staff.
Industry experts estimate that an organization with 50 employees may have to spend upward of $50,000 to have the best possible protection against cyberthreats and then thousands of dollars each year to keep everything up to date. But even when organizations make this investment in security, they might still have a breach.
Hackers are becoming extremely resourceful and have found ways to circumvent even the most advanced antivirus and anti-ransomware solutions. These solutions cannot protect against Fully UnDetectable (FUD) threats that were conceived by cybercriminals to directly evade existing security layers and harm data.
Recent Tenable research reveals, “cybercriminals have a median seven-day window of opportunity during which they can exploit a vulnerability to attack their victims.” Ponemon’s 2017 State of Endpoint Security Risk Report suggests that 69 percent of organizations don't believe their antivirus can stop the threats they're now seeing. Even FireEye reports “…in 100 percent of the breaches to which [they] responded… firewalls and antivirus protections were up to date.”
Antivirus software monitors for the signatures of known threats, so it can’t deal in real time with all of the fresh attacks constantly evolving in dark web incubators. Other, behavior-based security approaches use machine learning to identify threats. For example, if an email attachment tries to access a large number of files quickly or an unexpected file starts encrypting files, a behavior-based approach tries to shut it down. Today’s attackers simply avoid detection by changing the predictable characteristics of ransomware: slowing down or randomizing encryption, or lying dormant for a period of time before executing the attack.
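The detection gap described above, as an added example that is not from the original article: a sliding-window check that flags any process modifying many distinct files in a short time, run over a constructed log. The function name, thresholds, process names and paths are assumptions chosen for illustration.

```python
from collections import deque

def flag_bulk_writers(events, window_s=10, max_files=20):
    """Return processes that modified more than max_files distinct files
    inside any sliding window of window_s seconds.
    events: (timestamp_seconds, process, path) tuples sorted by time."""
    recent = {}      # process -> deque of (timestamp, path) still in window
    flagged = set()
    for ts, proc, path in events:
        q = recent.setdefault(proc, deque())
        q.append((ts, path))
        while ts - q[0][0] > window_s:   # drop writes older than the window
            q.popleft()
        if len({p for _, p in q}) > max_files:
            flagged.add(proc)
    return flagged

def sample_events():
    """Constructed file-write log; process names and paths are made up."""
    ev = []
    for i in range(30):
        # 30 files rewritten in about six seconds
        ev.append((i * 0.2, "burst.exe", f"C:/charts/a{i}.docx"))
        # the same 30-file volume, one file per minute
        ev.append((i * 60.0, "slow.exe", f"C:/charts/b{i}.docx"))
    # ordinary editing: two saves by a user application
    ev += [(5.0, "editor.exe", "C:/charts/note.docx"),
           (900.0, "editor.exe", "C:/charts/plan.docx")]
    return sorted(ev)

if __name__ == "__main__":
    log = sample_events()
    # Short window: only the fast process crosses the threshold.
    print(flag_bulk_writers(log, window_s=10))
    # One-hour window: the slow process is caught too, at the cost of also
    # matching legitimate bulk jobs such as backups.
    print(flag_bulk_writers(log, window_s=3600))
```

The same 30-file rewrite is invisible to the 10-second rule when spread over half an hour, which is why rate thresholds alone are a weak control and are usually paired with longer-horizon counts and tested file recovery.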
To close this gap, healthcare organizations are adopting new forms of defenses that use Mirror Shielding technology, which enables users to recover files when other malware defenses, like antivirus and anti-ransomware software, fail. Unlike antivirus tools, new Mirror Shielding technologies aren’t dependent on signatures of known threats and don’t require users to download software updates to effectively protect and prevent malicious attacks.
Mirror Shielding makes an attacker believe he or she has taken control of an organization’s data files, but the attacker is seeing a mirror image of the system and does not have actual possession of the data. In the event that a user receives a ransom demand or notices that the files have been unintentionally altered, the user simply clicks a button and reverts back to the original files. Multiple revisions of the file are stored so that users can go back to the right version. This groundbreaking technology doesn’t require a backup procedure, so there is virtually no impact on computer performance.
As attackers get smarter, so must defenses. Taking a wait-and-see approach is becoming too risky. While there aren’t any silver bullet solutions that will completely eradicate all cyberthreats, healthcare organizations finally have the equivalent of a do-over button when things do go wrong because of a ransomware attack. With this assurance, healthcare organizations can continue to focus on treating patients and revenue-generating activities instead of scrambling to recover their files if they get caught by the latest ransomware threat this fall.