We have talked about ransomware warnings time and again in the almost 5 years of this podcast. Interestingly, the first episode specifically about ransomware was in March 2016, Ransomware Response Planning Ep 43. We have mentioned it over and over to the point it shows up in a search on 56 different episodes before this one. That means we’ve talked about ransomware warnings in 24% of our episodes. Guess what – clearly we need to talk about it again!
In this episode:
Ransomware Warnings Everywhere – Ep 238
2020 Spring Session Dates
March 24, 25, 26
2020 Fall Session Dates Coming Soon
For info go to TheHIPAABootCamp.com
Share Help Me With HIPAA with one person this week!
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
Ransomware Warnings Everywhere
It isn’t that we don’t have plenty of other topics to discuss, it is just there are so many ransomware warning signs flashing red all around us we need to get the word out. The ransomware warnings and advice we gave you in previous episodes are no longer enough for what ransomware attacks look like in 2020. First, let’s look at where we started so we can explain what is so different today.
Ransomware warnings have evolved since 2016.
CryptoLocker made a name for itself in 2013, and the rise of cryptocurrencies like Bitcoin gave criminals a way to collect ransoms that simply did not exist before. The attacks back then were addressed with backup plans and with stopping the malware from spreading.
In the Fall 2019 OCR Cybersecurity Newsletter, What Happened to My Data?: Update on Preventing, Mitigating and Responding to Ransomware, they did mention that prior to 2018 ransomware was different. I recall how the drop in attacks in 2018 made a lot of folks feel like the worst was over with ransomware attacks. It was a rough patch in 2016 & 2017.
In 2016 when we started talking about these attacks it was very different than now. Back then (yeah, back then, so long ago) it usually happened because someone got an email and opened an infected attachment. That would run a program that encrypted that device and anything on its mapped network drives. Most of the time these attacks were “spray and pray” spam email blasts. The targets were more happenstance than planned.
As OCR noted in the 2016 ransomware fact sheet, attacks were up 300% over 2015, from 1,000 attacks per day to 4,000. HA, we had no freaking idea where we were headed.
In 2017, the DOJ estimated 100,000 computers were infected every day and that payments would exceed $1 billion annually, which they saw as a global threat and a new cybercrime business model. Little did we know then just how successful the business model would become.
When WannaCry hit in May 2017, OCR resent the ransomware fact sheet reminding everyone what they should be doing. WannaCry was a big turning point. Later that year we also saw NotPetya, which only reiterated what this kind of software can do when unleashed in a viral manner.
In Jan 2018, OCR released another newsletter about the topic but used the term Cyber Extortion instead of ransomware in the title, because it also covered other ways your systems can be held hostage. The drop in attacks did not mean there weren’t attacks happening in healthcare: SamSam was rampant in early 2018. When cryptocurrency became super valuable, criminals focused on mining it on other people’s machines (cryptojacking) for a while, which slowed down the ransom economy. It didn’t last long though.
At the very end of 2018 the guide called Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) was released, a product of Section 405(d) of the Cybersecurity Act of 2015. The 405(d) task force took the approach of defining the top five threats facing healthcare today. What was in the top five? Ransomware. Phishing, which is the way ransomware often comes in. And insider data loss, unintentional or intentional, which is another way ransomware can be launched.
We started talking about Ryuk targeting businesses in March 2019, in Ransomware is getting scarier. That is when the tide really started turning. Until 2019 consumers were the top victims. Over that year there was a 400 to 500% increase in attacks on businesses with a huge drop in consumer attacks. The criminals have learned where they can get in and how much money they can make.
In August 2019, DHS’s Cybersecurity & Infrastructure Security Agency (CISA) released CISA INSIGHTS: Ransomware Outbreak. Yes, they used the word outbreak in the title. They get right down to business with the first paragraph.
It is pretty nice how they put the information together. Each section has a formal title paired with one that makes sense to a normal person: Actions for Today – Make Sure You’re Not Tomorrow’s Headline, Actions to Recover If Impacted – Don’t Let a Bad Day Get Worse, and Actions to Secure Your Environment Going Forward – Don’t Let Yourself be an Easy Mark. So, yet another government entity issuing warnings about the risk of ransomware we all face.
In the latest Emsisoft ransomware report, The State of Ransomware in the US: Report and Statistics 2019 just released in Dec 2019, they made a very specific statement as to how things have gotten this bad.
The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) has a list of 234 different ransomware variants they have tracked since June 2015, and the list is growing. The good news is that 98 of them have decryption tools available.
With ransomware warnings everywhere are we complacent?
One problem we face today is that most people think the attacks are the same today as they were back then. Nothing could be further from the truth. It has to be frustrating for people who suffer from cybersecurity alert fatigue. The warnings definitely come from all directions.
In November 2019, Malwarebytes Labs released a report that looked specifically at cybercrime’s impact on healthcare, CYBERCRIME TACTICS AND TECHNIQUES: the 2019 state of healthcare, which came with a sad but funny headline on its release: Labs report finds cyberthreats against healthcare increasing while security circles the drain.
The report was created to attempt to educate healthcare. But the message doesn’t sound promising.
As much as you want to roll your eyes and ignore these latest warnings take the time to listen. The cybercriminals are ramping up their efforts plus healthcare security continues to lag behind where it needs to be. Notice that you aren’t hearing about a bunch of banks being hit with this stuff and having to pay like you do healthcare. That is because they have invested in the protections that were not addressed for a litany of reasons in healthcare.
It ain’t yo mama’s ransomware.
Ransomware warnings should not be ignored as if it is just the same song different verse. This stuff has gotten way more real than ever before. As the OCR’s latest newsletter points out, today ransomware attacks are targeted. It isn’t completely random any longer. The tools the criminals use have advanced much faster than any of our protections have improved. Today the attackers make specific efforts to get into municipalities and healthcare entities.
Since 2018, there have been active attacks aimed at MSPs to infiltrate them for access to all of their client sites. We have discussed this issue repeatedly. Unfortunately, we have to continue to discuss it because it isn’t slowing down any time soon.
All this information means that criminals are coming at healthcare entities directly plus through their vendors. They are determined to be successful. The business model first mentioned in those 2017 discussions has expanded well beyond those simple attacks.
Today there are gangs working together on these attacks. Ransomware-as-a-Service has become a very successful business model, too. In fact, it appears they were running “sales” around Black Friday just like many of our businesses. Their motivation wasn’t the same, however; they were looking to get their malware spread faster.
Recent actions by the gangs that run the Maze and Sodinokibi ransomware variants have taken things to a whole new level. They exfiltrate data from the networks they attack. If the victims don’t pay, they start by publishing the victims’ names. If they still don’t pay, they release the data.
This means you must assume the old-school attack, where the program encrypts everything the moment it runs and you know instantly that you’ve been hit, is gone. Today the same delivery methods that used to kick off the encryption routine are used to drop tools that give the criminals access to the network. Once inside they do their recon work and pull data out of your network. Only when they are done do they launch the encryption routines.
That is bad enough but we are beginning to see them demand payment to prevent them from doing other things. Getting access to your network means they could take over something like a PACS system and use it to get to connected imaging devices. They may get to your HVAC system or the increasing number of IoMT devices. Once they control them they can threaten to cause harm to your patients or your facility.
Risks are growing even if you are not changing your plans. At least two practices closed due to a ransomware attack in 2019. One company paid the ransom, spent months trying to get back online, and ran out of money before it ever got there.
An Alabama health system was down long enough that it ended up in a federal case over the care it was unable to provide to the community.
These are not things we heard in 2016, nowhere near that level of damage or risk.
What should you do?
All of the information found here is included in the HICP guides. Get them and use them.
Talk to your vendors who have access to your systems. Especially any IT vendor you use. Make sure they are aware of the attacks coming at businesses through their third-parties.
Shut down RDP, or secure it behind several layers. There are too many cases where RDP was the way in to launch these attacks to make any assumptions today. If you must have RDP logins reachable from public IPs, then you must test, review and monitor it constantly. Daily, not once a month or once a quarter.
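Here is a worked example of what that daily RDP review can look like. It is added here and is not code from the episode or from any of the guides mentioned. It assumes the Windows Security log has been exported as one JSON object per line with the EventID, TargetUserName, IpAddress and LogonType fields, that RDP is only supposed to be reachable from a VPN pool and an MSP jump host (both made-up addresses), and it runs over constructed sample events rather than a real log.

```python
import ipaddress
import json
from collections import Counter

# Assumptions for this example (not from the episode): RDP may only be reached
# through the VPN pool 10.8.0.0/24 or the MSP's jump host 203.0.113.10.
ALLOWED_SOURCES = (
    ipaddress.ip_network("10.8.0.0/24"),
    ipaddress.ip_network("203.0.113.10/32"),
)
BRUTE_FORCE_THRESHOLD = 20       # failed RDP logons from one IP in the review window
REMOTE_INTERACTIVE = 10          # Windows LogonType for RDP / Terminal Services sessions
EVENT_LOGON_OK, EVENT_LOGON_FAIL = 4624, 4625


def _event(event_id, user, source_ip, logon_type=REMOTE_INTERACTIVE):
    """Build one record in the shape a Security-log export rendered to JSON
    would give us. Constructed sample data, not a real log."""
    return json.dumps({"EventID": event_id, "TargetUserName": user,
                       "IpAddress": source_ip, "LogonType": logon_type})


# Constructed sample: a password spray from a TEST-NET address that finally lands,
# a normal VPN-sourced session, and a local console logon that must be ignored.
SAMPLE_LOG = "\n".join(
    [_event(EVENT_LOGON_FAIL, u, "198.51.100.77")
     for u in ["administrator", "admin", "backup", "scanner", "jdoe"] * 5]
    + [_event(EVENT_LOGON_OK, "jdoe", "198.51.100.77"),
       _event(EVENT_LOGON_OK, "rsmith", "10.8.0.5"),
       _event(EVENT_LOGON_OK, "rsmith", "198.51.100.9", logon_type=2)]
)


def parse_events(text):
    """One JSON object per line -> list of dicts; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_allowed_source(ip_text):
    """True only when the source address sits inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:           # "-" placeholder some failed-logon records carry
        return False
    return any(ip in net for net in ALLOWED_SOURCES)


def review_rdp(events, threshold=BRUTE_FORCE_THRESHOLD):
    """Return the two findings a daily RDP review should surface:
    brute force by source IP, and successful RDP logons from unexpected sources."""
    failures = Counter()
    unexpected_success = []
    for ev in events:
        if int(ev.get("LogonType", 0)) != REMOTE_INTERACTIVE:
            continue                                   # not an RDP session
        src = ev.get("IpAddress", "-")
        if ev["EventID"] == EVENT_LOGON_FAIL:
            failures[src] += 1
        elif ev["EventID"] == EVENT_LOGON_OK and not is_allowed_source(src):
            unexpected_success.append((ev["TargetUserName"], src))
    brute_force = {ip: n for ip, n in failures.items() if n >= threshold}
    return {"brute_force": brute_force, "unexpected_success": unexpected_success}


if __name__ == "__main__":
    findings = review_rdp(parse_events(SAMPLE_LOG))
    for ip, n in findings["brute_force"].items():
        print(f"ALERT brute force: {n} failed RDP logons from {ip}")
    for user, ip in findings["unexpected_success"]:
        print(f"ALERT RDP logon for {user} from non-allowlisted {ip}")
```

The point of the second check is the one that matters most: a successful RDP logon from an address that is not your VPN or your MSP is a finding on its own, whether or not it was preceded by a spray. If the allowlist is empty because RDP is open to the world, there is nothing to compare against, which is the argument for closing it.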
Security awareness programs for your team need to be regular reminders not occasional training.
- They need to understand the threat, and that the risk is real: companies are shutting down.
- They should know to mention things that are unusual or if they think they made a mistake that could have opened a door.
Finally, make sure they know what to do if they think they see something happening. Don’t just send an email to the help desk if you know that isn’t going to be answered immediately.
Phishing testing on a regular basis not just once a year can make a huge difference.
Patch everywhere and often. If your MSP thinks you shouldn’t patch regularly, understand when they will patch. Patching vulnerabilities before they are used is a simple defense mechanism.
Be sure you have a plan if you are hit. You have to know the risk now includes the release of your information even if you can recover. Backups have been deleted or encrypted in many cases. Don’t assume your vendor has it covered.
Pay attention to what people tell you. Sometimes what they wrote off as not suspicious, just something weird, is the first indication of trouble.
Install tools like Cryptoprevent, Malwarebytes Anti-ransomware, etc.
Monitor logs and access to patient records, looking for inappropriate activity. A small change in access patterns can be the difference between shutting down an attack and merely surviving one.
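The staged attack described earlier (get in, do recon, pull data out, then encrypt) is exactly why watching access patterns pays off: the recon and the encryption both leave a trail before the ransom note appears. The following is an added example, not from the episode or the HICP guides, showing two simple detectors. The first runs over EHR audit rows and flags a user opening far more distinct charts than their own earlier days. The second runs over file-share write audits and flags a burst of files landing with an extension never seen before, which is what an encryption routine renaming as it goes looks like. The audit formats, the users, the host FS01 and the .locked extension are all constructed for the example.

```python
import statistics
from collections import Counter, defaultdict
from pathlib import PureWindowsPath


def _chart_opens(date, user, patient_ids):
    """Constructed EHR audit rows: date,user,patient_id (one row per chart opened)."""
    return [f"{date},{user},{pid}" for pid in patient_ids]


# Constructed sample. nurse1 opens ~30 charts every day; jdoe normally opens 2-3,
# then on 2020-02-06 opens 60 distinct charts (recon / exfil through the EHR).
EHR_AUDIT = "\n".join(
    _chart_opens("2020-02-03", "jdoe", ["P1001", "P1002", "P1003"])
    + _chart_opens("2020-02-04", "jdoe", ["P1004", "P1001"])
    + _chart_opens("2020-02-05", "jdoe", ["P1005", "P1006", "P1002"])
    + _chart_opens("2020-02-06", "jdoe", [f"P{n}" for n in range(2000, 2060)])
    + _chart_opens("2020-02-03", "nurse1", [f"P{n}" for n in range(1100, 1130)])
    + _chart_opens("2020-02-04", "nurse1", [f"P{n}" for n in range(1130, 1160)])
    + _chart_opens("2020-02-05", "nurse1", [f"P{n}" for n in range(1160, 1190)])
    + _chart_opens("2020-02-06", "nurse1", [f"P{n}" for n in range(1190, 1222)])
)


def flag_chart_access(audit_text, factor=5, floor=10, min_prior_days=2):
    """Flag (date, user, count, baseline) where a user opened more distinct charts
    than `factor` times the median of their own earlier days (and more than `floor`).
    A per-user baseline matters: a nurse's normal day would trip any fixed limit."""
    charts = defaultdict(set)                       # (user, date) -> {patient_id}
    for line in audit_text.splitlines():
        if line.strip():
            date, user, pid = line.split(",")
            charts[(user, date)].add(pid)
    by_user = defaultdict(dict)                     # user -> {date: distinct charts}
    for (user, date), pids in charts.items():
        by_user[user][date] = len(pids)
    flagged = []
    for user, days in by_user.items():
        dates = sorted(days)
        for i, date in enumerate(dates):
            prior = [days[d] for d in dates[:i]]
            if len(prior) < min_prior_days:
                continue                            # not enough history yet
            baseline = statistics.median(prior)
            if days[date] > max(factor * baseline, floor):
                flagged.append((date, user, days[date], baseline))
    return flagged


def _writes(ts, host, user, paths):
    """Constructed file-share audit rows: timestamp,host,user,path,operation."""
    return [f"{ts},{host},{user},{p},write" for p in paths]


# Constructed sample: routine backup writes, one document edit, then 40 files
# rewritten with a made-up ".locked" extension within a single minute at 02:41.
FILE_AUDIT = "\n".join(
    _writes("2020-02-05T22:00:09", "FS01", "svc_backup",
            [r"D:\Backups\ehr-2020-02-05.bak", r"D:\Backups\fin-2020-02-05.bak"])
    + _writes("2020-02-05T23:14:51", "FS01", "nurse1",
              [r"D:\Shares\Nursing\shift-notes.docx"])
    + _writes("2020-02-06T02:41:05", "FS01", "jdoe",
              [rf"D:\Shares\Finance\report{n}.xlsx.locked" for n in range(40)])
)


def flag_encryption_burst(audit_text, threshold=25):
    """Flag (minute, host, user, extension, count) when one account writes at least
    `threshold` files in one minute and the dominant extension was never seen
    earlier in the log. Rows are bucketed per minute and walked in time order."""
    per_minute = defaultdict(list)                  # (minute, host, user) -> [ext]
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, path, op = line.split(",")
        if op == "write":
            per_minute[(ts[:16], host, user)].append(PureWindowsPath(path).suffix.lower())
    flagged, known_exts = [], set()
    for key in sorted(per_minute):                  # chronological: minute is first
        top_ext, top_n = Counter(per_minute[key]).most_common(1)[0]
        if top_n >= threshold and top_ext not in known_exts:
            flagged.append((*key, top_ext, top_n))
        known_exts.update(per_minute[key])
    return flagged


if __name__ == "__main__":
    for date, user, n, base in flag_chart_access(EHR_AUDIT):
        print(f"ALERT {user} opened {n} charts on {date}, baseline {base}")
    for minute, host, user, ext, n in flag_encryption_burst(FILE_AUDIT):
        print(f"ALERT {user} wrote {n} '{ext}' files on {host} at {minute}")
```

Two caveats a practitioner would want: some ransomware keeps the original extensions, so the second detector is one signal and not the only one (a write rate far above the account’s normal is the other), and the chart-access baseline needs a few days of history before it says anything, which is an argument for turning audit logging on now rather than on the day you need it.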
The cases are rapidly growing. If you do not heed these flashing signs screaming ransomware warnings everywhere then you may soon join a group where no one wants to be a card carrying member. Please, take the time to understand these threats and your protections in place. It may take a couple of hours here and there but those could be worth it to save your business.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!