It seems that in today's media, the rise of ransomware has plateaued, yet it remains painstakingly prevalent, targeting the most critical of data. Driven by financially motivated campaigns, organizations still wake to the sorrowful sound of their assets being hijacked and held for ransom. So, while new threats such as crypto-miner botnets and third-party application exploits drown our feeds, why are we suddenly desensitized to ransomware?
Well, for one, we're not. Just because ransomware is no longer the flavor of the month in the media, and in turn is reported less, doesn't mean it is any less prevalent. Small and medium-sized organizations are still very active on this front, as they face the threat regularly. One specific industry that these extortion methods are increasingly aimed at is the healthcare sector: a sector that, ridden with legacy systems, an exploding IoT environment, and a few portals for business partners, customers, and employees alike, already has enough security projects on its plate. This leaves the time dedicated to ransomware at a generally reactive level, with only a few runbooks and response plans on hand to save the day.
A Recent Example of Ransomware in the Healthcare Sector
In past news, a malicious actor under the handle The Dark Overlord publicized his crimes through media sources. The hacker claimed to have single-handedly stolen up to 10 million patient records, which were sold on the black market. Post exploitation, if the demanded ransom was not paid by these healthcare providers, consignments of data would be packaged with a price tag of up to $134,000, generally less than the ransom itself. But it doesn't stop there. This one actor extorted PilotFish Technology, a firm that develops and markets software used by many healthcare systems, for a ransom in exchange for the return of proprietary information such as source code, signing keys, and their licensing database. This particular package cost $537,000 on the commercial market. The threat had progressed from coercion to complete corruption of a widely utilized application.
The above instance was over two years ago. But today, The Dark Overlord is no longer a one-man show but a more mature hacker group that maintains the goal of costing U.S. medical clinics major moolah through ransomware attacks. The group uses social media outlets to threaten, taunt, and ensure "hacker business as usual" for its demand efforts. And clearly their business is expanding.
This doesn't just impact these providers' livelihood but ultimately affects unsuspecting civilians, as their personally identifiable data and healthcare records are auctioned off against deadlines. As the clock ticks down and these companies refuse to pay, batches of data quickly go up for sale on the dark net for as little as a foreclosed house. Ransomware has pushed malware to an evolutionary point where, officially, your identity is no longer just yours.
Prevention: Fighting Fire with Fire
Looking at just the single threat above reveals these core weaknesses within this sector:
- Complex and outdated systems
- Lack of information security personnel
- Rise in IoT and cloud-based computing inheriting new risks
- Trusting HIPAA compliance requirements alone
Most organizations within this sector maintain legacy applications and lack engineers to support them; the few they have are often preoccupied with a constant flow of patch deployments. A story too often told: healthcare providers allocate little towards employing cybersecurity professionals, who should be the ones monitoring the front lines. Lastly, although compliance is a beneficial baseline measurement for continuous improvement, prepared business continuity plans and cyber training for spotting anomalies in the first place are frequently overlooked.
Ransomware is not necessarily a sophisticated attack. The malware is deployed to interact with unsuspecting user components, opening opportunities for access control takeover and data harvesting. Deployment is as common as targeted email spamming of an organization, bypassing filters while carrying seemingly trusted links or attachments that deliver the infection. Whether through Locker Ransomware or Crypto Ransomware, the concept is to lock you out until you pay. This new emergence in the healthcare sector will have a more treacherous outcome due to the criticality of the information.
The systems in the healthcare sector have the commonality of outdated applications requiring strict patch management. This means that if the critical servers have not been patched and backed up dutifully, one exploit can help create the exact hosting environment necessary for a backdoor into the system. The business continuity of your assets depends not only on regular backups but also on having incident response procedures in place, or even cyber insurance activated.
Lastly, employing information security personnel is the foundation of safeguarding. Training your security team on the threats and the methodology of the attacker can assist in identifying the footprints of a penetration, but this training needs to be ongoing due to constantly changing threat vectors.
Let's first weigh the worth of decisive action. Data breaches in the healthcare industry cost more than the cross-industry average. To get a general idea of the overall average cost of a data breach: each record costs $148, so a breach of 1 million records costs $40 million and increases to about $350 million with 50 million records compromised. In the healthcare industry alone, the average price jumps to $408 per record. This is a significant difference, yet it only takes into account the operational costs of a breach. What about the company's reputation that is on the line, or the employees whose livelihoods are at stake?
Defending against malicious attacks is almost second nature for an organization. Yet vital databases of patient records being hacked is a smoke signal for an impending widespread cyber epidemic. The FBI has its hands full investigating these particular breaches in hopes of staying ahead of the game. In an attempt to be proactive, it has released basic guidance on ransomware for businesses both large and small; however, there is a separate and more pressing concern. We need to step back and properly evaluate the current threat in order to stop the bleeding from a secondary infection of those same systems that were initially infiltrated.
More often than not, the motive is financial gain, although some attacks are definitely political in nature. State-sponsored attacks, however, are generally less public and aimed at higher economic compromise of individuals rather than pure financial gain. In either case, the downstream victims, i.e., the customers of the attacked organization, may have used biographical information in security questions and passwords and are inherently at risk of additional account compromise aimed at financial or individual exploitation. This could cause the original company to bear liability that has not yet been thoroughly vetted in the courts. Prevention is a responsibility, and the trained response is the key. Without having these two in place and funding the cause, more critical sectors such as this one will be targeted in much the same way. Cyber threats that gamble with identifying and personal data at this level can be influential politically and economically.
Your company or organization needs to have a plan in place. Period. Assuming that all is right with the world because no warning sign has been tied to your database is ignorance at best. Looking at the healthcare sector and summarizing years of past medical-related data breaches, the threat is inevitable. Therefore, it is imperative to review, implement, and consider the following mandatory elements:
- A Robust Security Unit – In today's world, not having some degree of an information security team is inept management. The threats are mutating and the targeted assets are highly valuable, resulting in an influx of steadfast professionals within an ever-changing market. It's not as simple as hiring analysts and architects; the focus must be on the continuous education of your workforce itself. Defending against ransomware requires elevated and ongoing training. So, in addition to the more traditional defensive measures, applying some of the offensive concepts utilized by red teams when training your internal staff can greatly advance your network monitoring and analysis efforts. An analyst should also study hacking techniques in order to better identify, isolate, and prevent the attack. Timely discovery of attacks is advantageous to remediation.
- Incident Response Management – The foreseeable assault against your network infrastructure is unavoidable. This is cybersecurity framework implementation 101. One imperative part of this design is maintaining an incident response (IR) program. This means developing your organization's IR plan and training all IR members annually. Assessing your risks and the probability of attacks is the foundation of your IR plan. Law enforcement and security experts both agree that paying into a ransomware threat is not a valid course of action. 50% of victims have paid their attackers and 40% have stated they would most likely pay under the circumstances. By meeting these demands, we are fueling the motivation for cybercriminals to further develop the malware while also inviting reinfection of the same compromised systems. Train your first responders and execute tabletop exercises so that you are ready in the event that the threat is real.
- Outsourcing – At this point in the game, if you are a healthcare provider and do not have both defenders and responders, it's time to reevaluate your risks. There is no choice between founding a security team and fulfilling an incident management program. You need both, or you need to seriously consider third-party resources. Many healthcare organizations lack the proper employment of security professionals, let alone the capability to identify anomalies on their networks. Budgeting to contract cybersecurity firms for protection is often the best option when your security posture is limited. Firms can provide risk assessments, penetration tests, training for end users, and most importantly an incident response outlet.
Waving the White Flag
Be brave and admit where you have deficiencies and be able to answer the tough questions. If you can’t, someone else will. That could be another employee in your place or another company giving your customers the protections they require and deserve.
Start right now. Where does your company or organization stand? Can you effectively measure your risk posture and your security team's capability? And when the timer starts to ring, how prepared are you? Most of all, there is no excuse for critical sector organizations that haven't addressed these key points. There lies a profound responsibility when personal data is involved, and it's time for society to value those assets as a human right rather than an expendable accident to clean up.
MacKenzie Brown brings both technical and research experience to her position as an Enterprise Incident Management Consultant, where she focuses on providing clients with proactive and reactive services in order to assess their incident response capability, effectively navigate through breaches, and ultimately design a strategic program roadmap for improved overall posture maturity. In her previous role as a Research Principal at Optiv, Brown focused on developing enterprise security program frameworks and strategic deliverables which provide model, direction, and development for implementing security solutions against emerging threats. Brown is a subject matter expert in compliance and risk management, policy implementation, incident response, and cybersecurity program deployment. Brown also has practical experience in ICS/SCADA security protocols and assessment. She leverages her program development skills with her expertise and charismatic disposition for developing business, partner, and client relationships. Brown is a member of many information security community associations and regularly contributes to security organizations, holds industry certifications, has been regularly published writing on topics specific to business needs in cybersecurity, and has founded and runs an Idaho non-profit, The Ms. GreyHat Organization, that focuses on transforming the culture of cybersecurity through the empowerment of women and initiatives for developing early-year cybersecurity education.