By Terry Ray, Chief Product Strategist, Imperva, Inc.
In early 2016, the Hollywood Presbyterian Medical Center became the “poster child” for ransomware when an attack shut down the organization’s IT systems for more than a week before hospital officials agreed to pay $17,000 in bitcoin to their attackers. What nobody knew then was that it would be eclipsed a year later, when the WannaCry ransomware hit the U.K.’s National Health Service (NHS). WannaCry affected more than 40 NHS hospitals and up to 70,000 devices, including computers, MRI scanners, surgical equipment, and refrigeration units, forcing hospitals to turn away non-critical emergencies and divert some ambulances.
Surging in popularity, ransomware is now one of the most profitable types of malware attack in history; the FBI estimated that ransomware extortion payments would reach $1 billion in 2016. Cybercriminals have discovered how financially rewarding, and how easy to use, it can be, especially against larger targets with business-critical data stored on file shares. In the decade since it first appeared, ransomware extortion has evolved from a collection of ad-hoc tools implementing a half-formed idea, run by inexperienced hackers, into a smooth and highly efficient ecosystem run by professionals that fills the gap attackers most wanted filled: a direct path from infection to financial gain.
In the past, ransomware did not appear on the threat list for most organizations, largely because their backup systems and recovery procedures, designed with natural disasters in mind, also covered this kind of data loss. That has changed drastically with the recent explosion of ransomware attacks. Now it is often hard to tell whether an infection occurred by chance (for example, when an individual opened an infected personal e-mail) or whether the attack was carried out by someone deliberately seeking to damage the company. A further possibility is that a bad actor enlisted a user-friendly ransomware service, known as Ransomware-as-a-Service, which can be deployed with very little technical skill.
Ransomware And Healthcare
The healthcare industry has been heavily affected by ransomware in the last year. There have been numerous headlines about major hospitals around the world being brought to a standstill by a ransomware infection, and unfortunately, in most of those cases, the hospitals were left with no choice but to pay the ransom.
Healthcare is such a key target for ransomware because hospitals need their information (drug histories, surgical directives) to treat patients. Without it, treatment is delayed, and attackers know they can inflict the maximum amount of damage, which almost always results in a payout. As we saw in the U.K. when WannaCry hit the NHS, an active ransomware attack can bring operations to a halt until systems and files are restored. Even where the data has a proper backup, the time it takes the hospital to identify the problem and run the recovery procedure may be hours or even days.
When the Hollywood Presbyterian Medical Center came under attack, workers found they could not access their computers or network because attackers had seized control using the infamous Locky ransomware variant. When the attackers demanded money to return the files, the hospital was left with no choice but to comply. Before it paid the ransom, however, computers were offline for more than a week while hospital officials struggled to find an alternative. This is just one of many ransomware incidents against medical institutions, and it highlights how big a threat ransomware infections are for hospitals.
What many do not appreciate is that, following infection, the ransom demand is only the beginning. Once an organization is infected, whether it chooses to pay the ransom or to restore from backup, there will be downtime that affects employees and systems. For example, a report from The AC Group stated that physicians take twice as long to perform administrative tasks manually when their EHR system is down. All of that downtime translates directly into the cost of an attack of this nature, so it is not surprising that The Ponemon Institute found unplanned downtime at healthcare organizations may cost around $8,000 a minute, per incident.
In a twist on ransomware, driven by extortionists constantly searching for new ways to force payment, ransom notes were recently left inside online databases, regardless of the victim’s business or industry, after extortionists deleted and/or copied data from tens of thousands of cloud-based big data platforms. These attacks exploited misconfigurations of the environments rather than relying on infectious ransomware software. The result was the same: customer data was made unavailable, and notes were left describing how to pay for its return.
In many of these cases the data was never returned, whether or not payment was made. And, just as with ransomware against healthcare organizations, it is important to remember that if data can be deleted or encrypted, there is a very real possibility that it was also stolen for later use. This latter point bears on data privacy regulations: it often falls to the victim organization to prove the data was not stolen in order to avoid breach penalties and the corresponding patient, employee, or consumer notifications.
The good news is that there are a number of effective ways to defend against ransomware. The history of cyber events has taught us that, however good perimeter and endpoint protection may be, security officers should assume attackers will find their way in. Data breaches and ransomware attacks share a common meeting point: the place where the data resides.
A critical line of defense against both is therefore the set of security controls around where that data is stored (databases, files, and cloud applications) and around the applications through which it is accessed. Such controls, which include monitoring access, specifically data modification, and detecting suspicious anomalies in access patterns, enable early detection of a ransomware attack and immediate isolation of the suspicious endpoint before the bulk of the files can be encrypted or held hostage. These controls complement, rather than replace, the tested backups and recovery procedures discussed above: detection limits how much is lost, and backups determine how quickly what was lost comes back.
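The data-layer detection described above, as an added example written for this page (it is not Imperva’s code and not from the article): it runs over file-share audit events of the kind a data-access monitor records and flags a principal (user@host) whose distinct-file modification count in a sliding window is far above normal, or whose renames converge on a single new extension, the two cheapest signs of encryption in progress. The audit-line format, the field names, the sample events and the thresholds are all assumptions made for the example.

```python
"""Added example: ransomware-style anomaly detection over file-share audit events.
Not Imperva's code. Log format, field names, sample data and thresholds are assumed."""
from collections import Counter, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed audit lines (format assumed):
#   "<ISO-8601 time> <user> <host> <op> <path> [<new path>]"
# RENAME carries the old path and the new path.
BENIGN = """\
2017-05-12T09:00:01 jdoe ws-114 READ /share/patients/1001/notes.docx
2017-05-12T09:00:09 jdoe ws-114 WRITE /share/patients/1001/notes.docx
2017-05-12T09:02:30 jdoe ws-114 READ /share/patients/1002/labs.pdf
2017-05-12T09:04:12 jdoe ws-114 RENAME /share/drafts/v1.docx /share/drafts/v2.docx
""".splitlines()

# Constructed burst: one principal rewriting and renaming 12 records in 24 seconds,
# each rename adding the same new extension (a hypothetical ".locked").
BURST = []
for i in range(12):
    ts = datetime(2017, 5, 12, 9, 5, 0) + timedelta(seconds=2 * i)
    src = f"/share/patients/{2000 + i}/chart.docx"
    BURST.append(f"{ts.isoformat()} mroberts ws-207 WRITE {src}")
    BURST.append(f"{ts.isoformat()} mroberts ws-207 RENAME {src} {src}.locked")

SAMPLE_LOG = BENIGN + BURST

MODIFYING_OPS = {"WRITE", "RENAME", "DELETE"}


def parse_event(line):
    """Parse one audit line into a dict; return None for a malformed line."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, user, host, op = parts[:4]
    ev = {"ts": datetime.fromisoformat(ts), "principal": f"{user}@{host}",
          "op": op, "path": parts[4], "new_ext": None}
    if op == "RENAME" and len(parts) >= 6:
        ev["new_ext"] = PurePosixPath(parts[5]).suffix.lower()
    return ev


def detect(lines, window=timedelta(seconds=60), max_modified=20, min_same_ext=8):
    """Return one alert per principal whose activity in any window crosses a threshold.

    max_modified: distinct files modified by one principal inside the window.
    min_same_ext: renames inside the window that share one new extension.
    """
    events = [e for e in map(parse_event, lines) if e]
    events.sort(key=lambda e: e["ts"])          # stable: keeps WRITE before RENAME
    recent = {}      # principal -> deque of its modifying events still inside the window
    alerted = {}     # principal -> first alert raised for it
    for ev in events:
        if ev["op"] not in MODIFYING_OPS or ev["principal"] in alerted:
            continue
        q = recent.setdefault(ev["principal"], deque())
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # drop events that fell out of the window
            q.popleft()
        touched = {e["path"] for e in q}
        exts = Counter(e["new_ext"] for e in q if e["new_ext"])
        top_ext, top_n = exts.most_common(1)[0] if exts else (None, 0)
        if len(touched) >= max_modified or top_n >= min_same_ext:
            alerted[ev["principal"]] = {
                "principal": ev["principal"],
                "at": ev["ts"].isoformat(),
                "files_modified": len(touched),
                "renamed_to": top_ext,
                "rename_count": top_n,
                "action": "isolate endpoint and revoke its share access",
            }
    return list(alerted.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log the benign user never trips either rule, while the burst principal is flagged on its eighth rename, about fourteen seconds into the burst and with only eight of the twelve records touched, which is the point: the alert fires while most of the share is still intact, so isolating the endpoint at that moment bounds the loss. In production the same logic would run on the monitor’s event stream rather than a list, and the thresholds would be set from each principal’s observed baseline rather than fixed constants.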
About The Author
Terry Ray is the Chief Product Strategist for Imperva, Inc., where he consults directly with Imperva’s strategic global customers on industry best practices, the threat landscape, data security implementation, and industry regulations. He also acts as executive sponsor to strategic customers who benefit from having a bridge between both companies’ executive teams. During his 14 years at Imperva, he has worked on hundreds of data security projects to meet the security requirements of customers and regulators from every industry. Terry is a frequent speaker for RSA, Gartner, ISSA, OWASP, ISACA, IANS, CDM, NLIT, The American Petroleum Institute, and other professional security and audit organizations in the Americas and abroad. Since 2003, Terry has focused specifically on data security and risk, working with companies to help them discover and protect sensitive data and create controls that minimize risk for regulatory governance, data security strategy, and best practices.