Ransomware Attackers Target Hospitals

THREAT SUMMARY

Friday afternoon -- hospitals have been besieged by ransomware attacks.
Law enforcement and government authorities have issued warnings to US hospitals.

Your hospital can implement cyber defenses, starting with an urgent cyber threat awareness campaign. You can distribute warning instructions digitally and manually to all departments.

WHY THIS MATTERS

• Time is of the essence to increase cyber threat awareness, cybersecurity measures, and incident response plans for your hospital.
• These real-time ransomware attacks can shut down your hospital’s computer systems, impacting patients’ health and safety.
• Law enforcement and government authorities have published warnings about recent ransomware attacks on US hospitals.

DESCRIPTION

Ryuk Ransomware Attacks

Several US federal agencies have published warnings of an increased and imminent cyber threat to US hospitals, particularly from a gang that uses a strand of ransomware called Ryuk.

Ransomware is a type of malicious software (aka malware) that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until you pay a ransom. Once the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) to obtain a decryption key.

Some cybersecurity experts report on what appears to be a coordinated attack designed to disrupt hospitals around the US. It appears that this is the first time we have seen six hospitals targeted on the same day by the same ransomware actor.

According to NBC News, as many as 20 medical facilities have been hit by the recent ransomware wave, including multiple facilities within the same hospital chain.

Ultimately, these attacks can cause physical harm to patients cared for in these facilities, diverting patients to other hospital emergency rooms, or even death. We will be addressing these risks to patients in a subsequent article next week.

Cyber Solutions

Your hospital or healthcare facility needs to follow three essential steps:

• Raise awareness of all staff that connects to your computer systems of the potential ransomware attack risks
  • Distribute the warning manually and digitally: Stop & Think Before You Click or Provide Information.
  • Double Check with Two-Factor Authentication (2FA) if you are not sure about an email, text, or phone call.
•  Create an incident response plan
  • Conduct a walkthrough or dry run of a hypothetical ransomware attack scenario to work out who does what, when, and how.

• Implement cybersecurity measures
  • If you do not have security in place, start now.
  • If you do have security in place, confirm that it is current.

Here are more-detailed recommendations regarding the Ryuk Ransomware Attacks suggested in The Joint Cybersecurity Advisory from October 28, 2020.

Network Best Practices

• Patch operating systems, software, and firmware as soon as manufacturers release updates.
• Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users cannot fix due to having local administration disabled.
• Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
• Use multi-factor authentication where possible.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
• Implement application and remote access only to allow systems to execute programs known and permitted by the established security policy.
• Audit user accounts with administrative and least privileges in mind.
• Audit logs to ensure new accounts are legitimate.
• Scan for open or listening ports and mediate those that are not needed.
• Identify critical assets such as patient database servers, medical records, and telehealth and telework infrastructure, create backups of these systems, and house the backups offline from the network.
• Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
• Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

Ransomware Best Practices

In addition to implementing the above network best practices, the FBI, CISA, and HHS also recommend the following:

• Regularly back up data, air gap, and password protect backup copies offline.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location

CISA, FBI, and HHS do not recommend paying ransoms:

• Payment does not guarantee that you will recover your files.
• Payment may also embolden adversaries to target other organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.

User Awareness Best Practices

• Focus on awareness and training. Since end-users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered.
• Additionally, provide users training on information security principles and techniques and overall emerging cybersecurity risks and vulnerabilities.
• Ensure that employees know who to contact when they see suspicious activity or believe they have been a cyberattack victim. This preparation will ensure that the proper, established mitigation strategy can be employed quickly and efficiently.

Recommended Mitigation Measures

• System administrators who have indicators of a TrickBot network compromise should immediately take steps to back up and secure sensitive or proprietary data.
• TrickBot infections may be indicators of an imminent ransomware attack.
• System administrators should take steps to secure network devices accordingly.
• Upon evidence of a TrickBot infection, review DNS logs and use the XOR key of 0xB9 to decode XOR encoded DNS requests to reveal the presence of anchor_dns, and maintain and provide relevant logs.

Incident Response Plan Resources

• Review available incident response guidance, such as CISA’s Technical Approaches to Uncovering and Remediating Malicious Activity.
• The Ransomware Response Checklist, available in the CISA and MS-ISAC Joint Ransomware Guide, serves as an adaptable, ransomware-specific annex to organizational cyber incident response or disruption plans.

If your healthcare organization wants to obtain cyber insurance, a specific, tailor-made cyber insurance policy (aka a Stand-Alone Cyber Insurance Policy) will put you on surer footing.

Examples of some cyber insurance coverages and support include:

• Scanning and monitoring your network 24/7 with cybersecurity alerts
• Security experts to help you prevent cyber incidents
• Employee cyber risk awareness training and support (phishing email testing) to help prevent or reduce human error in the form of clicking on a malicious link or website URL
• Incident Response Team, pre-selected and put into action during a cyberattack, including a breach coach, forensics experts, PR consultants, and crisis managers
• Ransomware attacks, including ransom payments and negotiations and data recovery support
• Data breach costs, including a data disclosure in conjunction with a ransomware attack
• Business interruption costs if you experience a partial or complete shutdown, including lost profits and extra expenses incurred
• Damages sought by third parties in a claim or lawsuit.

TAKEAWAYS

• Report all potentially related cyber incidents to the FBI 24/7 CyberWatch Command Center.
• Government authorities, law enforcement, insurance companies, insurance brokers, and cybersecurity companies are working collaboratively to help hospitals prevent further cyberattacks by sharing news updates, warnings, and instructions.
• In the meantime, your healthcare organization can raise cyber threat awareness, create an incident plan, and increase cybersecurity measures.
• You are not alone in this battle. We are here to help you, 24/7. Reach out to us if you need help or further information.