HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

New Attack Vector Used to Spread Locky Ransomware

This year, hospitals throughout the United States have been targeted by cybercriminals using ransomware. The malicious file-encrypting software is used to lock files that are critical for healthcare operations in the hope that a ransom payment will be made in order to regain access to locked data.

In February, Hollywood Presbyterian was attacked and its computer systems were taken out of action for more than a week while the infection was removed. A ransom demand of $17,000 was issued and was paid by the Medical Center after attempts to recover files from backups failed. The attack is understood to have involved Locky ransomware.

Locky encrypts a wide range of file types including office documents, pdf files, databases, and images. Files are renamed and new extensions are added to make it harder for victims to identify which files have been encrypted. Windows Shadow Copies are also deleted. Locky can spread laterally through a network and is capable of encrypting files on portable storage devices, such as those used for backing up data.

The actors behind Locky distribute the ransomware using exploit kits, spam email, and malvertising campaigns. Exploit kit activity has fallen in recent months with spam email now the main attack vector. However, this month has seen exploit kit activity increase. Locky is now being distributed using the Bizarro Sundown exploit kit. Two versions of Bizarro Sundown have been identified that are being used to distribute two versions of Locky – Odin and Zepto – via the Shadowgate malvertising campaign.

Hospitals are also being targeted via spam email. The latest campaigns use social engineering techniques to lure end users into opening malicious email attachments. One of the latest email variants appears to have been sent by the organization’s Internet service provider. The emails claim computers are being used to distribute spam email. If the attached zip file is extracted and the executable file is run, Locky will be downloaded.

Malvertising, exploit kits, and spam email have been used to distribute Locky ransomware since its release in February; however, now the actors behind the ransomware have changed tactics once again and are using a new vector to infect users: Facebook Messenger.

The Facebook Messenger campaign bypasses whitelisting and other security controls used by the social media giant. Messages are sent containing an image – a Scalable Vector Graphics (SVG) file – with malicious JavaScript embedded. Opening the image directs the user to a spoofed YouTube site, which then requires the user to install a "codec" (in fact a Chrome extension) before the video will play.

Installing that codec/Chrome extension results in Nemucod being downloaded to the victim's computer. Nemucod is a malware downloader that can install a wide range of malicious software, including Locky.
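One defensive check for the first stage of this chain, as an added example (not HIPAA Journal's content or any vendor's tool): a scanner that flags SVG files carrying active content such as script elements, event-handler attributes or javascript: links, none of which a plain image needs. The two sample files are constructed, not real campaign artefacts.

```python
"""Flag SVG files that carry active content (script elements, event handlers,
javascript: links). Added example, not code from the article or any vendor."""
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that let an SVG run code or pull in foreign content.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# href may appear bare (SVG 2) or in the xlink namespace (SVG 1.1).
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content seen."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Something presented as an image that is not well-formed XML is itself
        # worth flagging rather than silently passing.
        return [f"unparseable SVG: {exc}"]
    for elem in root.iter():
        # Strip the namespace: '{http://www.w3.org/2000/svg}script' -> 'script'
        tag = elem.tag.rsplit("}", 1)[-1]
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = attr.rsplit("}", 1)[-1]
            if name.lower().startswith("on"):  # onload=, onclick=, ...
                findings.append(f"event handler {name} on <{tag}>")
            if attr in HREF_ATTRS and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: URL in {name} on <{tag}>")
    return findings


# Constructed samples, not real campaign files.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SUSPECT = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* constructed */">'
           b'<script>/* constructed sample, body intentionally empty */</script>'
           b'<a href="javascript:void(0)"><text>play</text></a></svg>')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_svg(blob) or "clean")
```

Running the block prints `benign clean` and three findings for the suspect file; in a mail or web gateway the same check would quarantine any SVG with a non-empty result.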

The attackers are constantly changing Locky and releasing new variants. Attack vectors and delivery methods are also frequently changed. Protecting against Locky ransomware attacks therefore requires multi-layered defenses to be deployed, including next generation firewalls, intrusion detection systems, and antivirus and antimalware software.

Healthcare organizations can reduce the risk from exploit kits and malware by implementing a web filtering solution to control the websites that can be visited by end users. Web filters can also be used to block Facebook Messenger. Spam filters can be used to intercept malicious email messages and prevent them from being delivered to end users. Security awareness training is also essential to ensure end users are taught security best practices.

However, these controls are not infallible. It is therefore essential that organizations segment networks to reduce the damage that is caused if ransomware is installed. All critical data should be regularly backed up on air-gapped devices or in the cloud, and multiple backups should be performed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.