The Rise of Ransomware in Healthcare
Reuben Koh, Industry Manager - IoT Cybersecurity
Copyright 2016, Symantec Corporation
In 2009 there were 2,361,414 new pieces of malware created.
In 2015 that number was 430,555,582. That's 1 million 179 thousand a day.
What is Ransomware?
• Malware that installs covertly on a victim's computer, executes a cryptographic attack that adversely affects it, and demands a ransom payment to restore it.
• Non-encrypting ransomware may lock access to a system in a way similar to a denial-of-service attack and display a message requiring payment to unlock it.
• Encrypting ransomware encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. The ransomware may also encrypt the computer's entire hard drive, rendering it unusable without the decryption key.
Source: Ransomware and Businesses 2016
Why Should You Care?
• 2015 was a record year for new ransomware: 100 new types were identified in 2015. In 2014 that number was 77.
• Ransoms are increasing. A US hospital paid $17,000 just to unlock its critical data.
• Organizations are firmly in the sights of attackers:
– Employees in organizations represent 43% of infections
– There are ransomware families designed to infect organizations
– Organizations are actively being targeted by ransomware attackers
• Targeted ransomware attacks use advanced attack techniques
Victim organization profile (share of infections by industry)
Services 37.8%
Manufacturing 17.2%
Public Administration 10.2%
Finance, Insurance, & Real Estate 9.8%
Wholesale 8.9%
Transportation, Comms, & Utilities 6.6%
Retail 4.3%
Construction 3.9%
Mining 1.0%
Agri, Forestry, & Fishing 0.5%
35% Increase in Crypto-Ransomware Attacks
Source: 2016 Internet Security Threat Report, Volume 21
Ransomware Families
• Desktops/Laptops
• Servers
• Smart Devices
Healthcare as a Ransomware Target
• Healthcare has long been regarded as a “soft target”
• Hospitals are perceived to be more willing to pay ransoms due to the criticality of their data and the sensitive nature of healthcare operations
• Healthcare patient records are among the most coveted data in the underground black market
• A very lucrative business providing huge financial benefits for attackers
Recent Healthcare Victims
Victim | Date | Ransomware Type/Variant
Hollywood Presbyterian Medical Centre | February 2016 | Locky
Los Angeles County Department of Health Services | February 2016 | Locky
Chino Valley Medical Center | March 2016 | Locky
Kentucky Methodist Hospital | March 2016 | Locky
Desert Valley Hospital | March 2016 | Locky
Kansas Heart Hospital | March 2016 | Undisclosed
Ottawa Hospital | March 2016 | Locky
Norfolk General Hospital | March 2016 | TeslaCrypt (Carrier)
MedStar Healthcare Group | April 2016 | SamSam
Benewah Community Hospital | June 2016 | Undisclosed
Where are the victims? (world map of victim distribution by country)
Figures recoverable from the map: United States 31%, Japan 8%, Germany 4%, Canada 3%, India 3%, Italy 3%, Australia 2%. The United Kingdom, Belgium and the Netherlands are also labelled, and three further figures (8%, 5% and 4%) appear on the map without a legible country label.
Growth factors
• Easy access to encryption
• Effective infection vectors
• Adoption of advanced attack techniques
• Ransomware as a service
100 new types of ransomware identified in 2015, compared to 77 in 2014
Ransomware sold on underground forums for $200
How are they getting in?
Email
• Distributed through large spam runs
• Masquerades as an invoice, unpaid bill or delivery notice
• Attached directly to the email
• Attachment launches a downloader which installs the ransomware
• Link to an exploit kit
Exploit Kits
• Hosted on compromised websites; exploit vulnerabilities in popular software
• Links sent through email, social media or malvertisements
• Angler was the most popular kit in 2015 but is now believed to be offline
Other Vectors
• Malvertisements
• Other malware
• Brute-force attacks
• Server-side vulnerabilities
• Worm techniques
• SMS messages and app stores (Android)
Example: Locky (Trojan.Cryptolocker.AF)
Advanced attack techniques
Recent ransomware attacks use tactics and techniques typically seen only in highly sophisticated types of attack:
• Infiltration: exploit server-side vulnerabilities to gain access to the network.
• Reconnaissance: attackers gather information that may help in later stages of the attack, such as the back-up policy. Information gathered may also be used in the ransom note.
• Lateral movement: attackers use publicly available tools to plot out and traverse the network and gain access to strategic locations.
• Stealth: once the attack has been successfully carried out, the attackers attempt to hide their tracks by removing any tools used.
CASE STUDY: Inside an advanced ransomware attack
• Entry point was an unpatched web server; attackers exploited a known vulnerability to gain access
• Once in, attackers used publicly available tools to traverse the network
• Deployed the SamSam strain of ransomware
• Malware spread quickly to network drives and connected data repositories
• Deleted back-ups to make recovery difficult
• Removed copies of the malware and associated tools to hide their tracks
• Ransom was 1.5 Bitcoin (US$989 at the time of writing) for each computer
CASE STUDY: Lessons learned
• Regular patching would have blocked off the point of incursion
• Users were not following company policy and stored files locally instead of on the file server
• The organization relied mainly on traditional signature-based anti-virus and intrusion detection capabilities
The ransomware protection story
Symantec offers protection at every stage of the ransomware attack chain
Prevent
• Email Security
• Intrusion Prevention
• Download Insight
• Browser Protection
• Proactive Exploit Protection
• Application Sandboxing
• Phishing awareness
Contain
• AVE
• SONAR behavior engine
• Intrusion Prevention
• Sapient machine learning
• Emulator
Respond
• Symantec Managed Security Services
• Symantec Incident Response Services
How Can We Help? Achieve a higher level of security from the endpoint to the cloud
THREAT PROTECTION: Block, detect and quickly respond to the most advanced threats, including ransomware. (Stay ahead of tomorrow's threats)
INFORMATION PROTECTION: Keep your sensitive patient and medical information protected while keeping your employees productive. (Protect your critical data wherever it lives)
CYBER SECURITY SERVICES: Stay ahead of emerging threats by extending your team with the help of our team, around the clock, around the world. (Rely on experts to watch over your security)
WEBSITE SECURITY: Deploy comprehensive website security for your internal and external healthcare web portals. (Take online trust to a whole new level)
Thank you!
Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.