Get Ready for Hospital Ransomware Attacks 2.0
Original article by Jack Danahy, published at Becker's Hospital Review.
On February 5, 2016, staff members at Hollywood Presbyterian Medical Center began having difficulty accessing the hospital's computer network. The IT department was called in to investigate, and quickly, their worst fears were confirmed — the hospital's network had been infected with ransomware.
Shortly afterwards, hospital staff declared an internal state of emergency, and IT systems were forced offline, knocking out access to electronic health records. This decision triggered a chain reaction of service delays and outages that spread throughout the organization with serious effects: Staff reverted to communicating via fax machines. Paperwork was completed by hand. Lab work and test results were inaccessible. CT scanning and the radiation oncology department were temporarily shut down. Some emergency patients had to be diverted to other hospitals for care.
What had started out as files getting encrypted had quickly snowballed into hospital-wide operations grinding to a halt.
The disruption lasted for 10 days. In the end, the hospital determined that paying a ransom of $17,000 was "the quickest and most efficient way" to get things back up and running. Yes, they were paying to restore the encrypted data, but more importantly, they were paying to be back in business.
Still think the primary threat of ransomware is data loss?
Make no mistake — the ultimate objective of hackers targeting institutions like hospitals isn't to encrypt their files. The true goal is to frighten the victim into paying by creating widespread disruption. File encryption has simply been a common means to that end. As the attack becomes more debilitating to the victim's operations, it grows more and more likely that the attacker will be able to demand, and receive, a bigger ransom payment.
Hollywood Presbyterian wasn't the only healthcare provider to suffer through ransomware attacks and pay ransoms in 2016. Marin Medical Practices and Kansas Heart Hospital were two other prominent cases. Educated by these successes, criminals are now tailoring their attacks to make them even more effective. Here are three tactics we've seen in the wild that are likely to become more widespread in 2017.
Beyond encryption: 3 ways criminals are making their attacks more disruptive
1) Developing ransomware strains that spread like a virus
Imagine a ransomware attack that not only encrypts files but also turns them into ticking time bombs, designed to spread their infection to more machines and users as soon as it executes. That's the direction new variants like Virlock are taking to expand the scope of their disruption. By adopting traditional parasitic virus techniques, Virlock does more than simply encrypt victim files; it also injects them with malicious code that kicks off new attacks to replicate itself from one machine to another.
The latest version of Virlock can even spread through cloud storage and collaboration applications, making it possible for one infected user to spread it across an entire enterprise network.
2) Creating new versions of ransomware that disable the victim systems
File encryption became the primary threat in ransomware, at least in part, because that type of transformation is straightforward: it leaves the system capable of connecting to the network for payment and decryption, and it shows the victim the comforting, if frustrating, local presence of their valued files. As the frequency and public reporting of ransomware have increased, organizations have moved to improve their recovery strategies, particularly in the form of more comprehensive and tightly managed backups. With these backups in place (a common best practice in any case), paying the ransom is much less likely, since restoring the data is a sure thing without paying criminals.
Seeing this, some attackers have changed tactics and now disable the system entirely. Ransomware variants such as Petya attack systems at the boot level, preventing the machine from booting to anything but the Petya screen and encrypting the tables that describe the locations of all of the data on the disk. An attack like Petya, combined with parasitic expansion capabilities like Virlock's, would create campaigns that could routinely cause the kind of debilitating breach that would take days or weeks to resolve.
3) Turning ransomware attacks into data breach events
Threatening to permanently destroy encrypted files is a common ransomware tactic. Many variants even incorporate a countdown element, adding a sense of urgency to the victim's decision to pay.
New strains are taking things a step further. Instead of threatening to destroy encrypted information, they're threatening to release it publicly — a tactic known as doxxing. An example is Jigsaw, which not only encrypts a victim's data, but threatens to send copies of those stolen files to all of the victim's contacts. This shift in tactics is especially relevant for hospitals and other healthcare service providers who are required to report exposures of private patient medical records, and who can be fined extensively for violations.
This changes the ransom equation completely, since the very best backup will not be able to put the private data genie back into the secure storage bottle. Criminals are raising their demands accordingly. On January 11, an Indiana-based cancer services agency received a demand for $43,000 in exchange for the hackers not releasing the data of thousands of cancer patients. This was done interactively, by a human, but with tools like Jigsaw available, the automation and anonymization of this tactic are not far off.
Prescription: A tight focus on prevention
The best way for healthcare organizations to avoid extensive damage from the next evolution of ransomware attacks will be to avoid them in the first place.
While attack tactics and technology change constantly, one relative constant has been the entry point that criminals target most often — users and their endpoints. By committing to improving user training and establishing better endpoint security that protects users even if they do make a mistake, hospitals can reduce their risk considerably and block attacks before they spiral out of control.