What Kind of Health Care Ransomware Do Attackers Use?
How Health Care Ransomware Gains Initial Access to Victims
REvil ransomware also goes by the name of Sodinokibi. It has been linked to GOLD SOUTHFIELD, a financially motivated threat group.
Manipulating the Environment
Once these groups establish a foothold, they quickly map the victim’s network and attempt to obtain admin privileges. Compared to traditional infections, their campaigns are human-operated. This allows them to be more adaptive and get around protection measures. Attackers have a variety of ways to achieve their goals once inside. They can use existing operating system tools, such as WMI and PowerShell, exploit weaknesses in legacy systems or abuse a lack of segmentation in flat networks. In addition, they can take advantage of poorly secured active directory domains or use common security testing tools.
Health Care Ransomware’s Objectives and Impact
Because humans operate these attacks, intrusions happen very fast. Human-led attacks are more focused and effective compared to hands-off ones. Ryuk ransomware infections are known to move from a phishing email to domain-wide ransomware in five hours.
Health care ransomware does not only pose risks for regular IT systems, but it is also a risk for the safety of patients. When nurses no longer have access to patient information they may be unaware of patients’ allergies. They may not be able to access schedules and prescription information for giving medicine. Doctors and anesthesiologists have no information for planned surgeries. Surgery schedule software can no longer plan interventions, and connected medical instruments can malfunction. Remote medical monitoring software may go down.
These gangs don’t just want to prevent access to data. They also cue a ‘blame-and-shame’ game. Apart from locking up the systems, they exfiltrate the data and extort their victims, threatening to publish the patients’ information. Needless to say, such data breaches can have severe financial and regulatory consequences. From a criminal point of view, this blackmailing approach has proven to be even more lucrative. In a ‘traditional’ ransomware scheme criminals have less means to blackmail once the victim has restored their systems. However with a data breach, criminals can come back after a first payment. Things can even take a catastrophic turn if the data gets sold on the black market and different gangs ‘compete’ for a payment.
Unique Challenges in the Health Care Sector
Defending Against Health Care Ransomware
- Get the basics right with a robust data backup policy, including remote or offline patient data backups.
- Map your networks and segregate clinical tools from IT environments, as well as from internet-connected devices. This mapping, or asset inventory, should be done automatically at regular intervals.
- Implement a vulnerability identification and management process and set up pen tests, including the physical aspects. Review exposed services and disable those that are not needed.
- Include security in the procurement process. Establish relationships with vendors, set clear expectations and work out processes for addressing risks. Ensure that you understand which medical devices are dependent on which software and include those in your asset inventory.
- Integrate the cyber and physical response teams and develop repeatable and scalable response processes.
- Learn from others by joining an Information Sharing and Analysis Center, such as H-ISAC. These groups provide helpful and relevant information on vulnerabilities and mitigation strategies. They also boost defenses right away by providing threat information with indicators of compromise, tactics, techniques and procedures of threat actors.
- At some point, an incident will probably happen. Appoint 24/7 duty officers and develop a response and communication strategy. This strategy is not only for internal use, but also to inform to patients and the general public. Set up a process to have lessons learned after each incident to improve your responses every time.
Health Care Ransomware: Another Virus to Handle
The best way to deal with health care ransomware is to be sure it never gets past your walls at all. That way, health care professionals can focus on stopping the spread of a different kind of virus.
If your organization requires immediate assistance with incident response, please contact IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. Learn more about X-Force’s threat intelligence and incident response services.
The post Health Care Ransomware Strains Have Hospitals in the Crosshairs appeared first on Security Intelligence.
This post appeared first on Security Intelligence
Author: Koen Van Impe