Ransomware in Healthcare: Psychology, Anatomy & Prevention (A ClearDATA Security & Compliance eBook)

Jun 07, 2020


dariahiddleston
Page 1

Ransomware in Healthcare: Psychology, Anatomy & Prevention

A ClearDATA Security & Compliance eBook

Page 2

Ransomware Attacks Are On The Rise!

Ransomware attacks are rapidly becoming one of the fastest growing cybercrimes. And healthcare is a prime target.

The growth of Ransomware is due both to the psychology of the method and the sophistication of the attack. This eBook provides valuable insight that includes:

• Attacks Are on the Rise
• The Psychology of Ransomware
• Tools of the Trade
• The Anatomy of an Attack
• Recovery Strategies
• Prevention Strategies

Volume of Ransomware Attacks

The potential damage to your reputation, particularly in healthcare, may outweigh the financial cost.

Page 3

Attacks Are Costly

Over $325M In 2015

Even though the average ransom demand is relatively low, the volume of attacks, plus the rate of payment, make the attacks costly for you and lucrative for cybercriminals.

Page 4

The Cybercriminal Spectrum

STATE SPONSORED
• Cyberwar, state secrets, industrial espionage
• Highly sophisticated
• Nearly unlimited resources
• Advanced persistent threats

ORGANIZED CRIME
• Economic gain
• Significant technical capability
• Established syndicates
• Adware, crimeware, IP theft
• A lot of spamming/phishing
• Prominent in ransomware

HACKTIVIST
• Statement
• Relentless
• Emotionally committed
• Vast networks
• Targeted attacks

CRIMINAL
• Vandalism
• Limited tech capabilities

RECREATIONAL
• Fame and notoriety
• Limited tech resources
• Known exploits

Most Ransomware attacks are initiated by organized crime. The motive is money. If the ransom is paid, your data will most likely be restored. But you will be open to future attacks.

Page 5

Less Risk, More Reward

• Easy to buy and use the tools
• Profit is predictable
• Less risk: no direct contact or sale of data
• Don’t have to find a data buyer
• Can be automated globally
• Less trackable using Bitcoin

The Psychology of Ransomware

The psychology of a ransomware attack is somewhat similar to any ransom demand. Can you trust a criminal? But there is a significant difference.

The use of ransomware by organized crime is a for-profit business. Because it is a cybercrime, attacks are easy to initiate and don’t require complicated logistics. There is even a certain level of “customer service” provided, such as FAQ pages.

Also, it is usually in the criminal’s interest to restore your data after a ransom is paid. It keeps their “brand reputation” intact for the next attack.

Ransomware screens can be intimidating or transactional – like you are simply buying a software key.

Page 6

Top Ransomware Tools

• CryptoWall
• Locky
• TorrentLocker
• CTB-Locker
• TeslaCrypt
• Samsam
• CrypVault
• PayCrypt

Tools of the Trade

Easy to Acquire
• Ransomware tools are easily purchased from a variety of torrent sites

Gaining Sophistication
• Inflicted unwanted encryption on files stored locally to a machine
• Now fully able to traverse network drives, SANs and NASes, UNC paths
• Encrypts anything it can touch and access with the level of permissions granted to the user account under which the malware is executing.

Recent Attacks: https://ransomwaretracker.abuse.ch/tracker

Page 7

Anatomy of an Attack

1 The Bait
• Typically comes as an email attachment
• Such as: Invoice, shipment tracking document, etc.
• Often very generic, but could include a real vendor name or even your company name.

2 The Infection
• User’s machine typically connected to network, shared cloud services, etc.
• Once open, ransomware silently begins encrypting all of the files it can, without any user interaction or notification.

3 Ransom Notice
• Once done, it alerts the user and provides payment instructions.
• Payment is usually in Bitcoins
• Some even provide “Customer Service” info.

4 Pay or Restore
• Critical choices:
- Pay ransom
- Restore from backup
• Paying ransom increases risk of future attacks

Page 8

How Does Ransomware Spread?

Email: Emailing it to huge numbers of people, targeting particularly the US and UK

Browser Exploit: Browser exploit kits, drive-by downloads

Torrent Files: TorrentLocker’s authors have been both nimble and persistent

Backdoor Download: May come on its own (often by email) or by way of a backdoor or downloader, brought along as an additional component

Remote Desktop Protocol: RDP ports that have been left open to the Internet

External Storage: Mapped drives, Thumb drives, Dropbox, Box, USB drives, storage shares

Page 9

What Happens When You Are Infected?

There are three methods, depending on the particular ransomware infection:

• Files or Systems Locked
• Files Encrypted
• Files Threatened With Destruction

Once infected, there are only two choices:

Pay Ransom: Files will most likely be restored, but you will become a prime target for future attacks

Do Not Pay: This is the best strategy if you are confident in having thorough, isolated backups.

Page 10

Recovery Strategies

Process Steps

ENGAGE INCIDENT RESPONSE
• Notify your Info Security Team
• Notify authorities and regulatory bodies
• ID Recovery Time & Point Objectives
• Preserve evidence
• Engage your legal team ASAP

ISOLATE THE DEVICE
• Remove the impacted system from the network and remove the threat
• Best done with the system off the networks to prevent any potential spread of the threat.

ATTEMPT DATA RECOVERY
• Restore any impacted files from a known good backup.
• Restoration of your files from a backup is the fastest way to regain access to your data.
• Requires confidence in integrity of backup
• Requires a reliable destination
• May take some time

HYBRID RECOVERY
• Stall for time by trying to negotiate
• In meantime work on recovery from a backup
• Requires confidence in integrity of backup

START OVER
• Dispose of all infected devices
• Rebuild from scratch
• Expensive and time consuming
• History lost
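The recovery steps above depend on a known good backup, and a backup written after the infection may already hold encrypted copies. The following is an added example, not ClearDATA's tooling: it records a SHA-256 manifest when the backup is written and later checks the copy against it, also flagging files that look like ciphertext. The 7.5 bits-per-byte threshold, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter

ENTROPY_LIMIT = 7.5  # bits per byte; assumed threshold (encrypted data sits near 8.0)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):  # relative path -> SHA-256; store it away from the backup
    paths = (os.path.join(d, n) for d, _, files in os.walk(root) for n in files)
    return {os.path.relpath(p, root): sha256_file(p) for p in paths}

def verify_backup(root, manifest, sample=65536):
    """Compare a backup copy with its manifest and flag ciphertext-looking files."""
    report = {"missing": [], "changed": [], "high_entropy": []}
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
            continue
        if sha256_file(path) != digest:
            report["changed"].append(rel)
        with open(path, "rb") as f:
            # Compressed formats are also high-entropy; baseline per file type.
            if entropy(f.read(sample)) > ENTROPY_LIMIT:
                report["high_entropy"].append(rel)
    return report

def demo():  # constructed data: three text files, then one overwritten, one deleted
    with tempfile.TemporaryDirectory() as root:
        for name in ("notes.txt", "claims.csv", "schedule.txt"):
            with open(os.path.join(root, name), "w") as f:
                f.write("patient visit record line\n" * 400)
        manifest = build_manifest(root)
        with open(os.path.join(root, "claims.csv"), "wb") as f:
            f.write(os.urandom(10000))  # stands in for an encrypted file
        os.remove(os.path.join(root, "schedule.txt"))
        return verify_backup(root, manifest)
```

A file that is both changed and high-entropy is the pattern to investigate before trusting that backup set for a restore.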

Page 11

Defense In Depth & Breadth

Applying Defense In Depth

REDUCE ATTACK SURFACES

DEPLOY CRYPTO KEYS

CREATE SECURE PEOPLE, PROCESSES & SYSTEMS

DEFENSE IN BREADTH: Applied across each use case at appropriate level

DEFENSE IN DEPTH: Applied at each layer to appropriate level

Multi-level Security: User, Process, Device

Physical Infrastructure

System Security

Network Security: Air-tight & properly configured

Data & Application Security

Page 12

Five Prevention Strategies

Applying Defense In Depth

REDUCE ATTACK SURFACES

DEPLOY CRYPTO KEYS

CREATE SECURE PEOPLE, PROCESSES & SYSTEMS

BACKUP & DISASTER RECOVERY
• Employ a comprehensive and regular scheme
• Identify your recovery point and recovery point objectives
• Be sure backups are isolated from live data sources
• Perform regular data integrity tests

EMAIL SECURITY TRAINING
• Conduct regular security training
• Emphasize common phishing schemes and current threats

SETTINGS & ACCESS CONTROL
• Show hidden file-extensions
• Disable files running from AppData/LocalAppData folders
- %APPDATA%
- %TEMP%
• Disable RDP
• Limit end user access to mapped drives
• Install Firewall and block Tor, I2P and restrict to specific ports

ANTIVIRUS MANAGEMENT
• Up-to-date antivirus is essential

PATCHES & UPDATES
• Keep current on OS patches and Software updates

SECURITY RISK ASSESSMENT
• Consider regular security risk assessments beyond HIPAA requirements
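Blocking execution from AppData can break software that installs per user, so it helps to first see what already runs from there. The following is an added example, not part of the eBook: it scans process-creation events for executables launched from the AppData folders named under SETTINGS & ACCESS CONTROL and for the double extensions that hidden file extensions conceal. The pipe-delimited log format, the host and user names and the allowlist entry are constructed assumptions.

```python
import ntpath
import re

# Folders named in the settings list; %TEMP% normally resolves under AppData\Local.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)
EXEC_EXT = {".exe", ".scr", ".com", ".pif"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}

# Constructed sample events: timestamp|host|user|process image|parent image
LOG = r"""
2016-05-02T09:14:07Z|FRONTDESK-03|jsmith|C:\Users\jsmith\AppData\Local\Temp\Invoice_4471.pdf.exe|C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
2016-05-02T09:15:31Z|FRONTDESK-03|jsmith|C:\Program Files\Internet Explorer\iexplore.exe|C:\Windows\explorer.exe
2016-05-02T09:20:12Z|LAB-07|mlee|C:\Users\mlee\AppData\Local\Microsoft\Teams\current\Teams.exe|C:\Windows\explorer.exe
2016-05-02T09:22:40Z|LAB-07|mlee|C:\Users\mlee\Documents\..\AppData\Roaming\svc\update.scr|C:\Windows\explorer.exe
"""

# Hypothetical allowlist: per-user software that legitimately runs from AppData.
ALLOW = (r"C:\Users\mlee\AppData\Local\Microsoft\Teams",)

def assess(image, allowlist=ALLOW):
    """Return the reasons a process image path deserves a look (empty if none)."""
    path = ntpath.normpath(image.strip().strip('"'))  # also collapses ".." segments
    stem, ext = ntpath.splitext(ntpath.basename(path))
    if ext.lower() not in EXEC_EXT:
        return []
    reasons = []
    allowed = any(path.lower().startswith(a.lower().rstrip("\\") + "\\") for a in allowlist)
    if USER_WRITABLE.match(path) and not allowed:
        reasons.append("runs-from-appdata")
    # "Invoice.pdf.exe" displays as "Invoice.pdf" while extensions are hidden.
    if ntpath.splitext(stem)[1].lower() in DOC_EXT:
        reasons.append("double-extension")
    return reasons

def scan(log=LOG):
    """Return (host, user, image, reasons) for every flagged event."""
    hits = []
    for line in log.strip().splitlines():
        _ts, host, user, image, _parent = line.split("|")
        reasons = assess(image)
        if reasons:
            hits.append((host, user, image, reasons))
    return hits

if __name__ == "__main__":
    for hit in scan():
        print(hit)
```

Path-based allowlist entries inside a user-writable folder are only a starting point for review, since anything the user can write there would match them too.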

Page 13

Additional Resources

The Premier Healthcare Managed Cloud Company

ClearDATA is the nation’s only healthcare-exclusive cloud computing company. As the premier healthcare managed cloud company, our solutions are positioned to solve the three fundamental challenges facing HIT:

• Modernize the Infrastructure
• Secure & Protect Patient Data
• Improve Data Interoperability

Our intimate knowledge of healthcare data workflow, security and compliance is a key differentiator. Our “just right” solutions for enterprise healthcare as well as individual private practice provide flexible options that fit your customer’s budget.

www.cleardata.com

Visit our Knowledge Hub at www.cleardata.com/knowledge-hub/ for the latest thought leadership on security and compliance for healthcare cloud computing.

WHITEPAPERS

Suggested Titles:

• Defense in Depth: A Pragmatic Approach to Securing PHI in the Cloud
• Developing a Secure, HIPAA Compliant Roadmap to the Public Cloud
• Best Practices in Cloud Computing for the Healthcare Industry
• 7 Myths of Healthcare Cloud Security Debunked
• Five Ways Technology Vendors Put Protected Health Information At Risk

ON-DEMAND WEBINARS

Suggested Titles:

• 5 Ways to Protect Your Healthcare Organization from a Ransomware Attack
• The Anatomy of a Healthcare Data Breach
• Healthcare IT In the Cloud: Predicting Threats, Protecting PHI
• Developing a Secure, HIPAA Compliant Roadmap to the Public Cloud