It’s easy to be distracted by the flood of other distressing news each day, but the FBI, CISA and HHS recently urged the health care industry to stay on high alert for malware; especially ransomware attacks. The FBI’s warning included the statement, “We found that 66 percent of hospitals do not meet the minimum security requirements as outlined by the NIST.” The latest ransomware strikes hit more hospitals than previously known, and the culprit in almost every case appears to have been Ryuk.
TrickBot and Ryuk are considered imminent threats; Ryuk is responsible for one third of ransomware attacks globally, and TrickBot operators are using BazarLoader to deploy Ryuk ransomware. US-CERT advisories have also been issued, specifically about threats originating from Iran and China. Iranian threat actors are targeting VPN vulnerabilities – a high-risk point for the health care telework community.
The authorities advise users to take all necessary precautions to guard their networks. Hundreds more hospitals could be at risk, especially since they’re already under stress from the COVID-19 pandemic.
No Warning, Malware Detonates on Impact
Ransomware strikes without warning. Attackers don’t need a target – just toss it into a business environment, and the malware detonates on impact. Everything comes to a screeching halt until a ransom is paid. The destruction is permanent, irreversible and offers victims no opportunity to mount a defense. It’s simply game over – save the decision of whether or not to pay the ransom.
Malware Targets Applications Deep Inside Networks
Ransomware operators are continuously devising new techniques to avoid detection. These hackers find their way stealthily into networks, often via endpoints. Endpoints can be user devices – user laptops, workstations and devices often used to access networks remotely via a virtual private network (VPN). Ransomware wreaks havoc either by locking a victim’s device or by encrypting the victims’ files. Either way, the user is locked out of their system and must pay to get back in.
Phishing attacks are the most common and successful means of entry, by which a local user becomes infected after engaging with an email containing a malware-laced link. Reportedly, more than 90% of ransomware attacks are launched this way.
“Drive-by downloading” is another ransomware attack method, in which a user accesses an infected website and becomes infected themselves. Whatever the method, once infection occurs, it can spread across networks, even via Wi-Fi, and at incredible speed. Often, when businesses realize they’ve been infected, staff will literally run from office to office, turning off machines to try and beat the infection.
Any device – authorized or unauthorized – can be a conduit for malware. The large quantity of outdated medical devices and other critical systems that can’t be patched pose significant risks. This underscores the importance of protecting the avenues of remote access, as well as the workloads, to prevent damage before it happens.
Once they’ve gained entry, the attackers’ target destination is deep inside the network. They seek critical data residing on applications running on workloads wherever they reside – from servers to the cloud. Ransomware and associated malware are intended to run in stealth mode during runtime. By design, malware looks like normal operations, which is how they are able to dwell inside networks for weeks and months, carrying out nefarious tasks, undetected.
Mainstream Ransomware Strains
Several individual ransomware groups have made a name for themselves, each with unique traits.
Ryuk is the crypto ransomware behind one of the largest health care cyber attacks in U.S. history, and is known for its destructive encryption of users’ files. In a matter of seconds, access to victims’ entire system, or systems, is shut down. Ryuk is one of the worst ransomware strains circulating, and it’s reported to have bugs that damage roughly one in eight of the files it encrypts.
Maze earned its reputation by being the first ransomware group to publish stolen data if ransom wasn’t paid. Other ransomware groups have since followed suit, and this is now common practice. Maze has attacked many medical sites, including Medical Diagnostic Labs. Maze demanded $832,880 from the facility, and when ransom negotiations fell apart, Maze published 9.5GB of their research data.
The NetWalker operators have also attacked health care organizations and universities involved in COVID-19 research. NetWalker, aka Mailto and Koko, launched fake COVID-19 health alerts to entrap people. One such campaign attacked the Champaign-Urbana Public Health District (CUPHD), bringing down the website and blocking employees’ access.
Effective Ransomware Defense
There are two kinds of organizations: those who’ve already been hit by ransomware, and those who will be. One user; one wrong click is all it takes to bring a whole network down.
The most effective way organizations can ensure that ransomware doesn’t detonate is to enforce better defense, not only at endpoints, but further inside, at their application workloads. Endpoint, perimeter and threat hunting security tools are not sufficient to keep ransomware from getting inside. We should assume that malware already resides inside the system and will seek to execute during runtime.
All healthcare organizations should follow security best practices, which are multi-tiered and multi-solution oriented, including:
- Maintain current software releases and updates where possible
- Continue implementing traditional solutions, such as antivirus
- Educate employees about phishing
- Enable two-factor authentication on network devices and systems
- Follow password management policies that enforce regular updates and strong password requirements
- Ensure your third-party vendors follow your security standards
- Implement a reliable backup and recovery system, protected from network access
Application-Aware Workload Protection
Beyond these basic best practices, security practitioners should realize that the attack surface has moved to the workloads themselves, which must be defended from within. This requires application-aware workload protection that provides comprehensive coverage during runtime and secures applications, hosts and all supporting files, libraries, processes, and binaries.
Runtime protection puts guardrails around applications and workloads that harbor organizations’ critical data. Endless threat chasing and trying to seal off porous perimeters is a failed tactic. Enacting application-aware workload protection ensures that applications do not execute malware during runtime.