Ransomware Trends, the $64,000 Question, and Preparedness


By the EHRA Privacy & Security Workgroup

One of the latest ransomware variants making the rounds is Ryuk. It’s deployed using malware believed to be managed by Russian criminal groups with the code names “Wizard Spider” and “Grim Spider.”

Ransomware Trends

The Crowdstrike 2019 Global Threat Report highlights disturbing new trends that make cyberattacks increasingly difficult to detect and block without more advanced tools. These include:

  • “Malware free” attacks – these attacks are typically deployed in memory, meaning that there is no file for traditional anti-malware/anti-virus products to scan and block.
  • Living off the Land (LotL) – These groups “live off the land,” using scripts, PowerShell, PsExec, and other standard IT tools to move around, gather credentials, brute-force passwords, and ultimately gain access to servers.
  • Maintaining Persistence – using registry edits and scheduled tasks.
  • Use of stolen or brute forced credentials – The activity of legitimate accounts must be monitored for anomalous behavior.
  • Use of Remote Desktop, VNC, and PuTTY – Again, using stolen or brute forced credentials.
  • Use of Admin Shares – These are necessary for many common IT functions. Hackers find ways to exploit these as well, making it more important than ever before that organizations lock these down as best they can.
  • Network reconnaissance – Attackers are taking the time to explore your network before launching a cyberattack, enabling them to deploy ransomware as widely as possible, targeting backup systems too so that paying the ransom may become the only option.

Intrusion Methods

Ryuk ransomware is typically distributed via email, using Trickbot or Emotet malware. Often, Emotet is used to download Trickbot, adding complexity to the process. However the malware is distributed, victims are usually targeted via phishing emails. Malware and ransomware can lurk in seemingly innocent Word documents, PDFs, and executables attached to emails disguised as — among other things — receipts, shipping notifications, and past-due invoices.

Historically, hackers have relied largely on phishing, malvertising, and malicious websites for initial intrusion. But a number of major incidents in 2017 and 2018 were traced to servers that were open to the internet for remote access; when attackers are able to connect to a server in this manner, they are often able to steal privileged account credentials, spread throughout the entire network, and initiate ransomware all at the same time. Often those hackers intentionally chose an inconvenient time for the ransomware to begin encrypting files — most frequently around midnight on a weekend or holiday, when IT staff may not be immediately available.

Recent attacks seem to use a combination of techniques. Phishing emails or a malicious website may deliver the initial payload, but from there they work via remote desktop to access other systems to spread the ransomware widely.

When considering how to secure remote access to your servers and network, don’t forget that third parties may also have access to your network. What are their security practices like? Do they have simple or easily guessed passwords for access to your systems? Do they require remote access to servers from the internet? 

Don’t forget about past vendors as well. Old support accounts may still be around from vendors you no longer use.

The $64,000 Question – To Pay or Not to Pay?

In the case of ransomware, should the organization pay the ransom? That decision is one that every organization must make for itself. As is frequently pointed out, ransomware payouts go to fund criminal activities, and in some cases, terrorism. Consider that every payment also allows attackers to improve their capabilities, and attracts additional criminals. With the introduction of Ransomware-as-a-Service, the barrier for entry has been significantly lowered. 

Paying the ransom does not protect you from future attacks, and may even encourage it. Some organizations have experienced more than one ransomware incident. 

Paying the ransom may not even save time. TV dramatizations of ransomware often show someone paying the ransom and magically all of the devices in the hospital immediately come back online. In real life it doesn’t work that way. You may be able to automate some of the process through scripting, but decrypting every machine still takes time. 

While many of these criminals have a good track record with restoring data when the ransom is paid, results vary. This is where the FBI and a good security IR firm can provide guidance. Identifying the variant of ransomware and the group behind it are important for a variety of reasons. Does this group also exfiltrate data? Do they provide the keys when the ransom is paid? Do they leave backdoors behind? What methods do they use for maintaining persistence on your network?

Defense in Depth —  10 Strategies to Prevent, Protect and Restore


Defense in Depth is well-illustrated by an image of a castle, with its many layers of defenses: outer walls, gates, inner walls, soldiers. If an enemy is able to penetrate one layer of defense, there is another layer which may stop them. 

Organizations can employ several strategies and tactics to help mitigate the threat of ransomware. These are based on the idea of “defense in depth,” a long-accepted approach to responding to cyber-threats.

1. Security Information

First, it is important to retain a staff member who dedicates all or most of their time to security. It may not be possible to hire someone with a security certification (CISSP, CEH, etc.), but perhaps an existing staff member can be developed as a security expert.

Participation in Information Sharing organizations, such as the Health ISAC, the Cyber Health Working Group, and InfraGard, will help your organization stay up-to-date on evolving threats.

2. Lock It Down

By “lock it down” we do not mean “make life difficult for end users.” There are many areas that are commonly left open or vulnerable.  

  • SMB Shares – Scan your network and find all such shares. Are the shares still needed? Can they be made read-only? Can the shares be further restricted (e.g. by user, server, password)?
  • Remote Desktop Access (aka remote desktop protocol, or RDP) – Are RDP ports open to the outside world? Are strong passwords used?
  • Firewall Rules 
  • Network Segmentation – Segment the network. Make it difficult for hackers to easily move around within the network.
  • Word Macros – Are macros regularly used within the organization? If not, disable macros. Educate staff about the dangers of malicious MS Office attachments.
  • Microsoft LAPS – Instead of having the same local admin password on every endpoint (servers and clients), LAPS makes it easy to assign a complex random password to each local admin account. It leverages existing Active Directory (AD) infrastructure to do this.
  • Application Whitelisting allows only reputable applications to run on your devices.

3. Patched and Up-To-Date OS

This cannot be stressed enough. Many attacks use Operating System (OS) exploits that have had fixes available for a year or more. By then, it can be a long, painful process to take a year’s worth of updates at once. Moving off an out-of-date and unsupported OS — for example, Windows XP or Server 2003 — is also very important. These older operating systems have existing vulnerabilities that are commonly exploited by malicious actors.

4. Think Like an Attacker

  • Read about hacking – learn about the techniques that hackers use.
  • Know your network – Map out your network. Curtis Dukes, former Deputy National Manager for the National Security Systems at the NSA, asked the question “How can you protect what you don’t know?”
  • Penetration test your network – Look for holes. Bring in an outside organization to regularly perform a pen test.

5. Security Awareness

Security Awareness training doesn’t have to be slick. It doesn’t have to be perfect. It does however need to incorporate the following elements if it is going to be effective:

  • Interesting 
  • Regular updates (weekly or monthly)
  • Variety – Provide updates in a variety of formats – emails, intranet posts, videos, posters in the break room, in person meetings, etc. This will allow you to reach the most people.
  • Relevant and practical – tips users can use in their everyday life

Provide staff with a Security Contact — someone they will feel comfortable going to with questions. And encourage staff members to speak up, even if they made a mistake.

6. Audit Logs

Audit logs should be reviewed for inappropriate access. Some organizations will review the logs on a monthly or quarterly basis. However, this won’t detect all unusual behaviors.

  • Is someone accessing more records than they should? 
  • Are they reviewing a relative or neighbor’s medical records?
  • Are they snooping on a VIP’s record?
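To make the three questions above concrete, here is an added example (not the workgroup's own code) that reviews constructed EHR audit-log lines: it flags users whose count of distinct records exceeds an expected baseline, access to a patient who shares the user's surname or street address (a crude relative/neighbor heuristic), and any access to a record flagged as VIP. The log format, the patient and staff directories, and the thresholds are all hypothetical.

```python
# Added example (not EHRA code): review of constructed EHR access-log lines.
# Log format, directories and thresholds are hypothetical; real vendor audit
# logs differ, but the three checks are the ones the questions above ask.
from collections import defaultdict

# Constructed patient directory: id -> (surname, street, vip)
PATIENTS = {
    "P1001": ("Nguyen", "12 Elm St", False),
    "P1002": ("Ortiz", "40 Oak Ave", False),
    "P1003": ("Ortiz", "7 Pine Rd", False),
    "P1004": ("Carter", "99 Hill Ln", True),   # VIP flag
}
# Constructed staff directory: user -> (surname, street, expected records/shift)
STAFF = {
    "jortiz": ("Ortiz", "40 Oak Ave", 2),
    "mlee": ("Lee", "3 Bay St", 5),
}
# Constructed audit lines: "<timestamp> user=<id> patient=<id> action=<verb>"
LOG = """2019-10-21T08:15:02 user=mlee patient=P1001 action=view
2019-10-21T08:16:40 user=mlee patient=P1004 action=view
2019-10-21T09:02:11 user=jortiz patient=P1002 action=view
2019-10-21T09:05:30 user=jortiz patient=P1003 action=view
2019-10-21T09:07:12 user=jortiz patient=P1001 action=view""".splitlines()

def parse(line):
    """Return (user, patient, action) from one audit line."""
    _ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return fields["user"], fields["patient"], fields["action"]

def review(lines, patients=PATIENTS, staff=STAFF):
    """Return {user: [findings]} for volume, relative/neighbor and VIP access."""
    seen = defaultdict(set)          # distinct patient records per user
    findings = defaultdict(list)
    for line in lines:
        user, pid, _ = parse(line)
        seen[user].add(pid)
        p_name, p_street, vip = patients[pid]
        u_name, u_street, _ = staff[user]
        if vip:
            findings[user].append(f"VIP record {pid} accessed")
        if p_name == u_name or p_street == u_street:
            findings[user].append(f"possible relative/neighbor record {pid}")
    for user, (_, _, expected) in staff.items():
        if len(seen[user]) > expected:
            findings[user].append(f"{len(seen[user])} records, expected <= {expected}")
    return dict(findings)
```

Run against the sample lines, `review(LOG)` reports the VIP access for mlee and, for jortiz, a same-address record, a same-surname record, and a record count above the expected baseline.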

7. Privileged Users

  • Reduce Privilege – if the staff member does not need the privileged access, it should be revoked.
  • Train Privileged Admins – These staff and their credentials are special targets for hackers. 

8. Multi-Factor Authentication (MFA)

Multi-factor authentication is a major protection. It is a commonly accepted best practice that any critical systems accessible from the internet should employ more than one factor of authentication. 

9. Business Continuity: Disaster Recovery, Incident Response

Disaster Recovery and Incident Response are two areas that must be planned, practiced, and tested in advance.  

  • Backups 
  • Incident Response
  • Back to Paper procedures for Clinical Staff
  • Practice – Incident Response and Disaster Recovery must be practiced regularly.

10. Email Security

Phishing remains one of the most serious threats to organizations today. Hackers want access to your network. Your staff members have access. Phishing and social engineering are the tools that hackers use to essentially trick your staff into giving them access.

  • Train your staff about phishing and social engineering in general. This includes educating them about the techniques criminals may use over the phone or in person to gain access.
  • Test Your Staff with phishing emails.
  • DKIM (DomainKeys Identified Mail) – DKIM uses a digital signature that allows others to validate the origin of the email.
  • SPF (Sender Policy Framework) – SPF protects your domain from spoofing. Spammers and phishers will be less likely to send emails pretending to be from your domain if you have SPF in place.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) builds upon SPF and DKIM. Ideally you will have implemented both SPF and DKIM, though you could implement just one and still implement DMARC.
  • Use Spam Filtering. Many email products come with this.
  • Scan all email attachments, as this is a major vector for malware.
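The way SPF, DKIM and DMARC fit together, as an added example (not the workgroup's code): an offline evaluator that walks an SPF record's mechanisms for a sending IP, parses a DMARC record, and applies DMARC's rule that SPF or DKIM must both pass and align with the visible From: domain. The records, the domain clinic.example and the IP addresses are constructed; a real receiver fetches the records from DNS and verifies the DKIM signature itself, which this example takes as a given boolean.

```python
# Added example (not EHRA code): offline SPF/DMARC checks on constructed records
# for a hypothetical domain clinic.example (real checks use DNS TXT lookups).
import ipaddress

SPF_WEAK = "v=spf1 ip4:203.0.113.0/24 +all"      # '+all' authorises ANY sender
SPF_STRICT = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
DMARC_REC = "v=DMARC1; p=reject; rua=mailto:dmarc@clinic.example"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, sender_ip):
    """First matching mechanism wins; only ip4/ip6/all are evaluated offline."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            if ip in net:                       # version mismatch never matches
                return QUALIFIERS[qual]
        elif mech == "all":
            return QUALIFIERS[qual]
        elif mech.split(":")[0] in ("include", "a", "mx", "exists", "ptr"):
            return "unresolved"                 # needs DNS; not evaluated here
    return "neutral"                            # no match and no 'all' term

def dmarc_policy(record):
    """Parse a DMARC record into its tags; {} if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def aligned(from_domain, auth_domain, mode="r"):
    """Strict 's' = exact match; relaxed 'r' approximated as parent/sub-domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a or (mode == "r" and (a.endswith("." + f) or f.endswith("." + a)))

def dmarc_verdict(tags, from_domain, spf_result, spf_domain, dkim_ok, dkim_domain):
    """Pass if SPF or DKIM passes AND aligns with From:; else apply the p= tag."""
    spf_al = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_al = dkim_ok and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_al or dkim_al) else tags.get("p", "none")
```

The contrast between SPF_WEAK and SPF_STRICT is the point to check in your own DNS: a record ending in `+all` passes every sender, and DMARC's alignment check is what stops a message whose envelope domain passes SPF but does not match the From: domain shown to the user.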

Cyberattack techniques are constantly evolving, which means that IT staff must constantly evolve too. To learn more about cybersecurity concerns and best practices, visit these resources:

This blog is the fourth in the Privacy and Security Workgroup’s series for National Cybersecurity Awareness Month. Earlier blog posts told a story of Ransomware: Lessons from the Front Lines,  explained why Strategic Healthcare Leaders Recognize Cybersecurity As A Patient Safety Risk, and how Preventing Malware Infections Starts with Good Cyber Hygiene.
