U.S. government agencies warn of impending coordinated ransomware attack against already pandemic-pummeled U.S. healthcare system

The Skinny:

  • A trio of U.S. government agencies have issued fresh warnings about the rising cyber-scourge of ransomware, stating they have intelligence that digital attackers are targeting the U.S. healthcare system, a callous and ill-timed attack that could cost lives during an uptick of coronavirus cases.
  • In a hefty and detailed alert, the FBI and other agencies stated they have “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” a warning made all the more dire as the country is still firmly in the grip of the rampaging and ravenous COVID-19 pandemic.
  • The agencies are trying to warn hospitals, medical offices, outpatient facilities and every operation associated with the sector that illicit hacking collectives are looking to engage in “data theft and disruption” of services, including life-saving medical treatments, to lock down systems for multi-million dollar payments and pilfer data to open doors for further virtual fusillades or sell on darknet markets.
  • In recent years, the overall global costs and smoking virtual ruins left by ransomware attacks have soared, from an estimated $8 billion in 2018 to a projected $20 billion in 2020, according to figures published by Cybersecurity Ventures.

By Brian Monroe
bmonroe@acfcs.org
October 28, 2020 

A trio of U.S. government agencies have issued fresh warnings about the rising cyber-scourge of ransomware, stating they have intelligence digital attackers are targeting the U.S. healthcare system, a callous and ill-timed attack that could cost lives during an uptick of coronavirus cases.

In a hefty and detailed alert, the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services stated they have “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” a warning made all the more dire as the country is still firmly in the grip of the rampaging and ravenous COVID-19 pandemic.

The agencies are trying to warn hospitals, medical offices, outpatient facilities and every operation associated with the sector that illicit hacking collectives are looking to engage in “data theft and disruption” of services, including life-saving medical treatments, to lock down systems for multi-million dollar payments and pilfer data to open doors for further virtual fusillades or sell on darknet markets.

The result: operations must “ensure that they take timely and reasonable precautions to protect their networks from these threats.”

The expected attack also happens at a time when the U.S. is distracted by the presidential election, though both public and private sector entities have taken more precautions to prevent foreign election interference, a shadow that hung over the 2016 election.

The alert is also something bank financial crime compliance teams should be aware of as they could provide critical information to investigators tied to any payments from hospitals to attackers, including what virtual currency addresses and exchanges are being used.

Ransomware, previously a relatively minor threat in the cybercrime landscape, has become a high-profile problem in recent years.

Opportunistic organized crime groups, and even lower level foreign players, have been able to lock up larger companies, healthcare firms, hospitals, law firms and even the very law enforcement officials charged with investigating these types of crimes.

At its heart, ransomware is a type of malicious software that encrypts users’ files or blocks access to their computer systems until the user ponies up funds to pay the criminal a fee to finally release them – typically paid in difficult-to-trace virtual currency, such as Bitcoin.

This type of exploitation scheme targets and takes advantage of both inherent human weaknesses and more arcane technical vulnerabilities, such as an unpatched computer system, antivirus program or leaky firewall.

Data from Cybersecurity Ventures. Graphic via PurpleSec.

Ransomware costs soar as cyber criminals sell ‘ransomware as a service’ packages on the cheap

In recent years, the overall global costs and smoking virtual ruins left by ransomware attacks have soared, from an estimated $8 billion in 2018 to a projected $20 billion in 2020, according to figures published by Cybersecurity Ventures.

The group predicted ransomware damages would “cost the world $5 billion in 2017, up from $325 million in 2015 — a 15X increase in just two years,” according to an October 21, 2019 piece in Cybercrime Magazine. “The damages for 2018 were predicted to reach $8 billion, and for 2019 the figure is $11.5 billion,” according to the group.

A key culprit driving the explosion of growth in ransomware attacks is “the appearance of ransomware as a service and ransomware kits on the dark web, which can be purchased for as low as $175 and require little to no technical knowledge to deploy,” according to the group.

As well, if you think by being a diminutive operation, you won’t get on a scammer’s radar, think again.

“Small businesses, which account for 43 percent of all cyber attacks, make for the perfect target as they often can’t afford the investments into security,” the company stated.

This is also not the first time cyber brigands have targeted a region’s healthcare sector.  

“For example, the WannaCry ransomware attack was responsible for one of the largest healthcare breaches affecting the National Health Service (NHS) – locking out access to hundreds of thousands of patient files in hospitals in England and Scotland,” noted PurpleSec, adding that administration staff had to use paper, pens and pencils to chart, file and document.

Ransomware attacks have cost U.S. healthcare organizations $157 million since 2016, with attacks against the sector expected to quadruple as early as this year and into 2021.

The individual ransom of 1,400 clinics, hospitals, and other healthcare organizations varied from $1,600 to $14 million per attack, according to PurpleSec.

Independent security analysts say the ransomware, called Ryuk, has already “impacted at least five U.S. hospitals this week and could potentially affect hundreds more,” according to the Associated Press.  

Four health care institutions have been reported to have been hit by ransomware in recent weeks, three belonging to the St. Lawrence Health System in upstate New York and the Sky Lakes Medical Center in Klamath Falls, Oregon, according to the report.

Several spokespersons for the operations stated they had, thus far, only had to make minor changes, such as rerouting ambulances for a few hours, according to the AP report.

Even so, many of the top minds in the field say the worst is yet to come.

Alex Holden, CEO of Hold Security, which has been closely monitoring Ryuk for more than a year, said the attack wave could be “unprecedented in magnitude for the U.S,” according to the report, while Charles Carmakal, chief technical officer of the security firm Mandiant, called the cyberthreat the “most significant” the country may have ever seen, according to the report.

Graphic courtesy PurpleSec.

Some tips and tactics to bolster cyber responses, resilience and recovery

Whether you are a hospital, bank, or any small or large business, you need to start thinking, acting and reacting defensively when it comes to ransomware and other cyberattacks.

That’s why the Association of Certified Financial Crime Specialists (ACFCS) has put together this quick rundown of things you can do before, during and after a ransomware attack to help survive and get your data back, without paying a bogus fee and supporting a criminal network.

1.      Use firewalls and antivirus programs – and please keep them up to date: Attackers routinely use known security vulnerabilities in unpatched software and weak configurations to get inside a system and hold it for ransom, sometimes as a fallback when they cannot find financial or bank account details worth stealing. Some people never even turn on the built-in Windows firewall, or put off updating their antivirus software, which is inviting disaster.

2.      Don’t click on what you don’t know – the email fail whale: Most people know to be wary of a strange email telling them to update their bank password. But criminals are increasingly creative. That email can look like it came from your IT person, from Microsoft or from some other official-sounding source. Look at the actual sending address, not just the display name, and hover over any link to see where it really goes: a domain that merely resembles your company’s or Microsoft’s, with an extra word or a swapped letter or digit, is the tell. If you are unsure, ask your IT specialist through a channel other than replying to that email. Most likely, it didn’t come from them. Never enable macros in an email attachment: if a user opens the attachment and enables macros, the embedded code runs the malware on the machine.

3.      Don’t click on what you don’t know, part 2 – browsing for a bruising: If you are doing normal things on the Internet, you shouldn’t get a page urging you to “immediately” update your Chrome browser or, just as urgently, your Adobe PDF reader or some other program. Just close the window; browsers and readers update themselves through their own settings, not through pop-ups on someone else’s website. Scan every executable file downloaded from the Internet before installing it, and if a dialog asks whether you want to install software you weren’t trying to install, click no. You also shouldn’t get a page that won’t go away telling you that your bank, Facebook and Instagram accounts have been compromised and that you need to call a “Microsoft” engineer at the number conveniently printed on the page.

4.      Make sure you can move forward – by backing up: Use a third-party backup service or, better yet, back up your system and important files and programs to an external hard drive that is not connected to any of your networks, and disconnect it again once the backup is done; a drive that stays attached is just one more volume for the ransomware to encrypt. Test your backups regularly, by actually restoring from them, to ensure they are current and usable. Do it monthly or at least every few months.

5.      During an attack fight back – by unplugging: If you do get attacked, isolate the machine immediately: pull the network cable and switch off Wi-Fi so the intruders can no longer pull data from it or spread to other systems. Cut the power only if you cannot isolate it any other way, since powering off destroys evidence in memory that investigators may need. If a ransomware note won’t go away and the system is totally unresponsive, isolate it as quickly as possible, then wipe it and reinstall from a clean backup once the intrusion has been looked at.

6.      Know thine enemy – but do it from a clean system: If you want to find out what type of ransomware is attacking you, don’t use the same computer, or others on your network, as you risk spreading the infection to further systems. Use a clean computer on another network to see what others have done to break the encryption or clean their systems, and what solutions are available.

7.      Don’t pay – or you will end up paying more: In ransomware attacks, even if the victim pays, the attackers may still hold some or all of the systems hostage, or attack again at another time and start the cycle over. Try to remember that, as official and polished as these criminals make their “tech support” site look, they are still criminals and just want your money.

8.      Don’t give attackers permission, by restricting permissions: Set the system up so that only specific individuals, with specific rights, privileges and passwords, can access or make changes to the more critical parts of the computer or network. That limits users’ ability to install and run unwanted software, which may prevent malware from spreading to one or more computers. The mantra is least privilege: every account gets only the access its job requires, and administrative rights are the exception, not the default.

9.      They found flaws in your system – now look for flaws in theirs: If you didn’t back up your system, there may still be options to unlock and recover your data. Some variants of ransomware, though seemingly ironclad and airtight, have flaws in the way they implement the encryption used to lock your files, such as a weak or predictable key, the same keystream reused across files, or a key left behind on the disk, and researchers have been able to build decryptors for them.

10.    As a last resort, bring in the big guns – and say no to paying that ransom: A collaboration between Intel Security, Kaspersky Lab, and Europol called No More Ransom! has a collection of decryption tools for Ransomware that has been cracked by researchers. The site is www.nomoreransom.org.
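Tips 9 and 10 above turn on one idea: a ransomware author who rolls their own encryption can get it wrong, and a researcher with a sample can then exploit the mistake. The following is an added, constructed example (not code from the article, from No More Ransom or from any real ransomware family) of the simplest such flaw: a keystream derived from the infection timestamp through a weak generator. The defender needs only the known bytes at the start of a file type (a PNG header here) and a rough idea of when the machine was hit; the generator, the file and the time window are all assumptions made for the example.

```python
"""Added example (not from the article or any real malware): recovering files
encrypted by a toy ransomware whose only flaw is a weak, time-seeded keystream.

Assumptions, all constructed for the example:
  * the "ransomware" XORs each file with output from a 32-bit linear congruential
    generator (LCG) seeded with the Unix time of infection;
  * the defender knows the file type (PNG header = 8 known plaintext bytes) and
    the rough time window in which the machine was hit.
"""
from __future__ import annotations

import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # first 8 bytes of every PNG: our known plaintext


def _lcg_keystream(seed: int, length: int) -> bytes:
    """Weak keystream: classic 32-bit LCG (constructed flaw, not a real cipher)."""
    state = seed & 0xFFFFFFFF
    out = bytearray()
    while len(out) < length:
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        out += struct.pack("<I", state)
    return bytes(out[:length])


def toy_encrypt(data: bytes, seed: int) -> bytes:
    """What the toy ransomware does to a file. XOR is its own inverse, so the
    same call decrypts once the seed is known."""
    return bytes(p ^ k for p, k in zip(data, _lcg_keystream(seed, len(data))))


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 window_start: int, window_end: int) -> int | None:
    """Known-plaintext attack: keystream prefix = ciphertext XOR known plaintext.
    Try every seed (Unix second) in the infection window until one reproduces it.
    The LCG multiplier is odd, so the first 4 keystream bytes already determine
    the seed uniquely; a match on 8 bytes is not a coincidence."""
    need = len(known_prefix)
    if len(ciphertext) < need:
        return None
    target = bytes(c ^ p for c, p in zip(ciphertext[:need], known_prefix))
    for seed in range(window_start, window_end + 1):
        if _lcg_keystream(seed, need) == target:
            return seed
    return None


def recover_file(ciphertext: bytes, known_prefix: bytes,
                 window_start: int, window_end: int) -> bytes | None:
    """Recover one file; returns None when no seed in the window matches."""
    seed = recover_seed(ciphertext, known_prefix, window_start, window_end)
    return None if seed is None else toy_encrypt(ciphertext, seed)


if __name__ == "__main__":
    # Constructed victim file: PNG magic plus a fake IHDR chunk and filler bytes.
    original = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + bytes(range(64))
    infected_at = 1603900800          # 2020-10-28 16:00:00 UTC, the assumed hit time
    locked = toy_encrypt(original, infected_at)
    # The responder only knows "sometime that afternoon": brute-force a one-hour window.
    lo, hi = infected_at - 1800, infected_at + 1800
    print("recovered seed:", recover_seed(locked, PNG_MAGIC, lo, hi))
    print("file restored:", recover_file(locked, PNG_MAGIC, lo, hi) == original)
```

A real decryptor is built the same way, with the actual generator reverse-engineered from the sample: the key space is whatever the author made it, not 2^256, and known plaintext is everywhere on a disk (image headers, Office document signatures, the `%PDF` prefix).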

In the eyes of investigators, regulators, when it comes to cyber, failing to plan is planning to fail

Similar to other more formalized counter financial crime plans, like anti-money laundering (AML) and anti-fraud programs, government agencies are urging companies to think of business continuity plans from more than the perspective of revenues, profits and costs – because a devastating ransomware attack could cost everything.

“CISA, FBI, and HHS encourage HPH Sector organizations to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions,” according to the alert.

“Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations,” the agencies noted. “Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies.”

CISA, FBI, and HHS suggest Healthcare and Public Health (HPH) sector organizations “review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.”

But how does that look in practice? Here are some tips:

Network Best Practices

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and remediate those that are not needed.
  • Identify critical assets such as patient database servers, medical records, and telehealth and telework infrastructure; create backups of these systems and house the backups offline from the network.
  • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
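Several of the bullets above (disable and monitor RDP, audit administrative accounts, check that new accounts are legitimate) are checks a defender can run over the Windows Security log. What follows is an added example, not code from the alert or the article, that runs those checks over constructed sample events trimmed to JSON lines: it flags successful RDP logons from outside the organization’s address ranges, repeated failed RDP logons from one address, accounts created, and accounts added to the local Administrators group. The address ranges, the failure threshold and the simplified event fields (a real 4732 event carries the member’s SID rather than its name) are assumptions made for the example.

```python
"""Added example (not from the article or the CISA/FBI/HHS alert): run the RDP,
new-account and admin-group checks over constructed Windows Security-log events,
trimmed to JSON lines carrying only the fields the audit needs.

Assumptions: the organization's internal ranges and VPN pool are the RFC 1918
networks below; a real deployment reads events from the event log or a SIEM.
"""
from __future__ import annotations

import ipaddress
import json
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]
FAILED_RDP_THRESHOLD = 5       # repeated failures from one address = password guessing
RDP_LOGON_TYPE = 10            # LogonType 10 = RemoteInteractive, i.e. RDP

# Constructed sample events, not real log data. 203.0.113.7 is an RFC 5737
# documentation address standing in for an unknown Internet host.
_FAILED = [
    '{"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", '
    f'"IpAddress": "203.0.113.7", "Time": "2020-10-27T23:40:0{i}"}}'
    for i in range(5)
]
SAMPLE_EVENTS = "\n".join([
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "nurse.jsmith", "IpAddress": "10.20.1.15", "Time": "2020-10-27T08:02:11"}',
    '{"EventID": 4624, "LogonType": 2, "TargetUserName": "dr.lee", "IpAddress": "-", "Time": "2020-10-27T08:15:40"}',
    *_FAILED,
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7", "Time": "2020-10-27T23:41:03"}',
    '{"EventID": 4720, "TargetUserName": "support1", "SubjectUserName": "svc_backup", "Time": "2020-10-27T23:43:10"}',
    '{"EventID": 4732, "MemberName": "support1", "TargetUserName": "Administrators", "SubjectUserName": "svc_backup", "Time": "2020-10-27T23:43:30"}',
])


def parse_events(text: str) -> list[dict]:
    """One JSON object per line; blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_internal(ip: str) -> bool:
    """True for addresses inside the organization's ranges. A missing address
    ("-") means a console or local logon, which is not a remote-access finding."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def audit(events: list[dict]) -> dict:
    """Findings a reviewer of RDP logs and admin accounts wants: successful RDP
    logons from outside, password guessing against RDP, accounts created, and
    accounts added to the local Administrators group."""
    findings = {"rdp_from_outside": [], "rdp_bruteforce": [],
                "new_accounts": [], "new_admins": []}
    failed = Counter()
    for ev in events:
        eid = ev["EventID"]
        if (eid == 4624 and ev.get("LogonType") == RDP_LOGON_TYPE
                and not is_internal(ev.get("IpAddress", "-"))):
            findings["rdp_from_outside"].append(
                (ev["TargetUserName"], ev["IpAddress"], ev["Time"]))
        elif eid == 4625 and ev.get("LogonType") == RDP_LOGON_TYPE:
            failed[ev.get("IpAddress", "-")] += 1
        elif eid == 4720:
            findings["new_accounts"].append(
                (ev["TargetUserName"], ev["SubjectUserName"], ev["Time"]))
        elif eid == 4732 and ev["TargetUserName"].lower() == "administrators":
            findings["new_admins"].append(
                (ev["MemberName"], ev["SubjectUserName"], ev["Time"]))
    findings["rdp_bruteforce"] = [(ip, n) for ip, n in failed.items()
                                  if n >= FAILED_RDP_THRESHOLD]
    return findings


if __name__ == "__main__":
    for kind, items in audit(parse_events(SAMPLE_EVENTS)).items():
        for item in items:
            print(f"{kind}: {item}")
```

In production the same logic runs against events exported from a SIEM or collected with Windows Event Forwarding. The finding that matters most in the sample is the sequence, not any single line: password guessing against RDP, then a successful RDP logon from the same outside address, then a new account placed in Administrators, all under one service account. That hands-on-keyboard stage is what typically precedes the actual ransomware deployment, and it is the window in which the alert’s advice (disable unused RDP, audit admin accounts) pays off.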

Ransomware Best Practices

CISA, FBI and HHS do not recommend paying ransoms.

Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.

In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:

  • Regularly back up data, air gap, and password protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
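Tip 4 earlier and the two bullets above both come down to backups that are offline and verified. This added example, not code from the alert or the article, shows what “test your backups” can mean concretely: a manifest of SHA-256 hashes written when the copy is taken and kept apart from it, then a verification pass that reports files that are missing, altered (which is what happens to a backup share the ransomware can reach) or simply too old. The directory layout, the 30-day limit and the sample files are constructed for the example.

```python
"""Added example (not from the article or the alert): verify an offline backup
copy against a manifest of SHA-256 hashes and flag a copy that is stale or has
been altered, which is what ransomware that reaches the backup share does to it.

Assumptions: the manifest is written when the backup is taken and stored apart
from the copy (separate media or a read-only location), so an attacker who
encrypts the copy cannot also rewrite the manifest; a fresh backup is expected
at least every MAX_BACKUP_AGE_DAYS.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_DAYS = 30   # "monthly or at least every few months" in the text


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, manifest_path: Path,
                   created: float | None = None) -> dict:
    """Record the hash of every file in the copy; run this when the backup is taken."""
    manifest = {
        "created": created if created is not None else time.time(),
        "files": {str(p.relative_to(backup_dir)): sha256_file(p)
                  for p in sorted(backup_dir.rglob("*")) if p.is_file()},
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, manifest_path: Path,
                  now: float | None = None) -> dict:
    """Recompute every hash and compare with the manifest; report missing and
    modified files, files the manifest never saw, and whether the copy is stale."""
    manifest = json.loads(manifest_path.read_text())
    now = time.time() if now is None else now
    age_days = (now - manifest["created"]) / 86400
    missing, modified = [], []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            modified.append(rel)
    extra = sorted(str(p.relative_to(backup_dir)) for p in backup_dir.rglob("*")
                   if p.is_file() and str(p.relative_to(backup_dir)) not in manifest["files"])
    stale = age_days > MAX_BACKUP_AGE_DAYS
    return {"ok": not (missing or modified or stale), "stale": stale,
            "age_days": round(age_days, 2), "missing": missing,
            "modified": modified, "extra": extra}


def demo() -> tuple[dict, dict, dict]:
    """Constructed scenario: a good copy, the same copy when it is too old, and
    the copy after "ransomware" touched it. Returns the three reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        copy, vault = root / "backup", root / "vault"   # vault = where the manifest lives
        copy.mkdir()
        vault.mkdir()
        (copy / "patients.db").write_bytes(b"id,name\n1,constructed sample\n")
        (copy / "ehr").mkdir()
        (copy / "ehr" / "notes.txt").write_text("constructed sample record\n")
        manifest = vault / "MANIFEST.json"
        taken_at = 1603900800.0   # 2020-10-28 16:00 UTC, assumed backup time
        write_manifest(copy, manifest, created=taken_at)

        clean = verify_backup(copy, manifest, now=taken_at + 86400)
        stale = verify_backup(copy, manifest, now=taken_at + 45 * 86400)
        # Ransomware that can reach the copy overwrites one file and drops a note.
        (copy / "patients.db").write_bytes(b"\x8f\x13\x00garbage")
        (copy / "README_TO_DECRYPT.txt").write_text("pay up\n")
        tampered = verify_backup(copy, manifest, now=taken_at + 86400)
    return clean, stale, tampered


if __name__ == "__main__":
    for label, report in zip(("clean", "stale", "tampered"), demo()):
        print(label, report)
```

The hash check is only as good as the separation between copy and manifest: if both sit on the same share, the intruder rewrites both. It also does not replace a restore test, which is the only way to learn that the copy is complete and that the restore procedure actually works under pressure.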

User Awareness Best Practices

  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.
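Tip 2 in the list earlier and the first bullet above both ask users to tell a genuine message from IT or a vendor apart from a forged one. This added example, not code from the alert or the article, shows the mechanical part of that judgement as a mail gateway or a help-desk triage script might perform it: read the real sending domain rather than the display name, compare Reply-To with From, and classify every link in the body against a short list of trusted domains. The trusted list, the confusable-character heuristic (0 for o, 1 for l and so on) and the sample message are assumptions made for the example; a production check would also consult SPF, DKIM and DMARC results and the Public Suffix List.

```python
"""Added example (not from the article or the alert): the checks behind the
"is this really from IT or Microsoft?" question in the awareness bullets.

Assumptions: TRUSTED_DOMAINS is this organization's own domain plus one vendor;
the lookalike test is a simple confusable-character heuristic rather than a
full Unicode confusables table or the Public Suffix List; the message is
constructed for the example.
"""
from __future__ import annotations

import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"acfcs.org", "microsoft.com"}
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
_URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed phishing message, not a real sample.
SAMPLE_MESSAGE = """\
From: "Microsoft Account Team" <security@micros0ft-support.com>
Reply-To: helpdesk@mail-recovery-center.net
To: bmonroe@acfcs.org
Subject: Action required: verify your account
Content-Type: text/plain; charset=utf-8

Your account has been locked. Verify within 24 hours:
https://microsoft.com.login-verify.net/reset
Official help: https://www.microsoft.com/
"""


def classify_domain(host: str) -> str:
    """'trusted' (exact or subdomain), 'punycode' (an IDN label, often a
    homoglyph attack), 'lookalike' (a trusted brand name inside an untrusted
    domain once digit-for-letter swaps are undone), or 'unknown'."""
    host = host.lower().rstrip(".")
    if host in TRUSTED_DOMAINS or any(host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"
    normalized = host.translate(_CONFUSABLES)
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if any(brand in normalized for brand in brands):
        return "lookalike"
    return "unknown"


def _domain_of(header_value: str | None) -> str | None:
    """The domain of the real address in a header, ignoring the display name."""
    addr = email.utils.parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def analyze_message(raw: str) -> dict:
    """Parse one RFC 822 message and return the facts behind the verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain_of(msg["From"])
    reply_domain = _domain_of(msg["Reply-To"])
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    links = [(url, classify_domain(urlparse(url).hostname or ""))
             for url in _URL_RE.findall(text)]
    from_class = classify_domain(from_domain) if from_domain else "unknown"
    reply_mismatch = reply_domain is not None and reply_domain != from_domain
    suspicious = (from_class != "trusted" or reply_mismatch
                  or any(cls != "trusted" for _, cls in links))
    return {"from_domain": from_domain, "from_class": from_class,
            "reply_to_domain": reply_domain, "reply_to_mismatch": reply_mismatch,
            "links": links, "verdict": "suspicious" if suspicious else "clean"}


if __name__ == "__main__":
    for key, value in analyze_message(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The verdict is deliberately coarse: any non-trusted sender or link is reported rather than scored, which matches the advice in the text that, when in doubt, you ask IT through another channel rather than click. Note what the sample shows a user could not see from the display name alone: a sending domain with a zero for an o, a Reply-To pointing somewhere else entirely, and a link whose hostname starts with a trusted name but ends in a stranger’s domain.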

As more hospitals capture data, make everyday objects ‘internet-enabled,’ attack surface broadens

These tips, while helpful for all companies, must be taken to heart by the healthcare sector.

While rare, individuals have been physically harmed, even died, because of a cyberattack shutting down a hospital. Hacking collectives, foreign nation states and criminals of all stripes have learned that it is easy, and profitable, to attack hospitals and that they will pay a lot – typically millions of dollars – and pay quickly to get their systems back online.

Hospitals must realize that just as their devices are attached to internal systems and external online networks – a necessity to improve patient care – they must strengthen the virtual walls of these technologies.

The reason? 

To prevent a pulsating monitor or pumping machine from simply becoming another vulnerability and entry point for criminals who don’t care how sick your patients are, how overwhelmed your staffers are and how slim your profits are – as they only care about enriching their illicit coffers. 

*This story has been updated.