This has been a wild year in terms of imminent disasters and extenuating events that lead to disruptions across the board. If it weren’t enough that organizations have had to face the fallout and effects of a global pandemic, cybercriminals have not slowed down their efforts to compromise business-critical data and disrupt business operations. It seems that healthcare organizations have long been a favorite target of attackers in ransomware and other types of attacks. Just last night, the FBI issued a stern warning that U.S. hospitals are in the sights of attackers in an “imminent cybercrime threat”. In this post, we will take a look at how U.S. Hospitals can protect against imminent ransomware threat, warned about by the FBI.
What is the Imminent Threat?
If it weren’t enough that healthcare officials are dealing with the effects of a global pandemic at the hands of COVID-19, they now have another potential challenge – cyberattack. The official release by the FBI is Alert (AA20-302A) and describes “ransomware activity targeting the healthcare and public health sector. Specifically, there has been noted credible evidence pointing to an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.
It appears that cybercriminals are targeting healthcare providers with Trickbot malware. This malware is closely associated with ransomware attacks, data theft, and other unscrupulous activities.
Trickbot has been around and observed since around 2016 when it began as a type of banking trojan that could harvest credentials, perform data exfiltration, cryptomining, and deploy ransomware. Ryuk ransomware has been used closely with the Trickbot malware.
A new part of the Trickbot toolset is something called anchor_dns which is a tool for sending data from victim machines using DNS tunneling. This backdoor allows the victim computers to communicate with command and control servers over DNS to evade typical network defenses.
Ryuk seems to be the ransomware of choice among cybercriminals as of late and has been a favorite of those using Trickbot. Ryuk moves throgh the network laterally and can use commercial products such as Cobal Strike and PowerShell Empire to dump credentials. Ryuk actors generally start mapping the network to enumerate the environment to understand network topologies.
Using built-in networking tools such as ping, netview, PowerShell, and others, helps to avoid detection by cybersecurity programs as these common tools are generally seen as normal executables.
Ryuk makes use of AES-256 encryption to lock up victim’s files and an RSA public key to encrypt the AES key. It also attempts to delete backups such as ShadowCopies, SystemRestore points, and others to make it more likely the ransom will be paid.
How U.S. Hospitals Can Protect Against Imminent Ransomware Threat
The FBI has laid out several mitigations noted as being important to protect against the looming threat of imminent ransomware attacks on the healthcare sector. It is worth noting; these steps are worth taking a look at no matter what business sector your organization operates in. These include the following:
- Implement business-continuity plans and policies
- Protect the network
- What to do if hit by ransomware
- Train end-users and make them aware of threats
- Further mitigation steps
Let’s briefly take a look at each of these and add some context and further notes.
1. Implement business-continuity plans and policies
Planning ahead for disruption will help to think through business-continuity if any disruption of business-critical systems are experienced. This means executing essential functions through emergencies such as active cyberattacks. Planning for the unexpected is essential.
This is where your business-continuity plan and risk analysis all start coming into play for your organization. If you don’t have those as of yet, make it a priority!
2. Protect the network
The network plays a key role in either spreading an infection or protecting your environment. How it is maintained and architected can make the difference. What network best practices are recommended to help offset the imminent threat?
- Apply any and all critical security patches
- Check end-point configurations
- Have good password management hygiene, change passwords regularly, avoid weak, reused, and breached passwords
- Make use of multi-factor authentication
- Disable unneeded or unused remote desktop protocol (RDP) servers. Closely monitor the absolutely necessary ones.
- Implement application whitelisting
- Audit user accounts and admin privileges
- Audit logs for account creations
- Scan for open or listening ports and close ones that are unneeded down
- Have backups of all business-critical resources and store backups in a separate physical location offsite
- Employ network segmentation
- Regularly update antivirus and anti-malware solutions
Most of the above are generally accepted security best practices for the network as well as business-critical systems on the network. To make the best use of time, if there were a few of these I had to pick to ensure they are completed – backups, backups, backups. Also, apply any patches to critical systems ASAP. Make sure security services are up-to-date and signatures, program versions are the most recent.
3. What to do if hit by ransomware
What happens if you are hit by ransomware? What are the “best practices” to use in this case? If you are hit with ransomware, all of the federal organizations recommend against paying the ransom demanded by cybercrime groups. There are a number of reasons for this:
- Payment does not guarantee you will get the files back
- It can embolden cybercriminals
- It can encourage further cybercrime against your organization and others
The only way to mitigate a ransomware attack is by having good backups. Implementing the 3-2-1 backup best practice methodology is the key to ensuring you have at least (1) good copy of your data that you can restore in the worst case.
Keep in mind that if you have cloud data that is involved, such as data stored in Software-as-a-Service offerings like G Suite or Microsoft 365, you want to have good backups of your cloud data as well. Cloud is often forgotten when it comes to ransomware threats. However, your data there is susceptible to a ransomware attack as well. Using a robust tool like SpinOne allows having unlimited versions of your data, stored in a different cloud environment altogether.
Another excellent capability of SpinOne is the ransomware protection module that uses AI-based intelligence to proactively identity and stop ransomware as it begins attempting to encrypt all cloud data that it can access. Once the attack has been ended and blocked, SpinOne proactively restores the files the ransomware may have initially encrypted automatically.
4. Train end-users and make them aware of threats
Arguably the weakest link in any cybersecurity plan is the end-user. No matter how many cybersecurity protections you have in place, if an unsuspecting end user makes a bad decision and clicks a link, sends credentials via a phishing form, or some other action, your entire environment can be compromised.
It is imperative that organizations alert end-users to potential dangers of cybersecurity threats. These include how to recognize harmful links, emails, and other unscrupulous programs before they make the wrong decision.
With this looming threat, share some general refresher guidance with end users on what to look for, what NOT to do in certain situations and how to proceed cautiously and carefully as cybercriminals may be bearing down on the organization with a pinpointed attack.
5. Further mitigation steps
Other than the above listed steps, what other things do you need to do? Look for any indication of Trickbot infection in your environment. Take the needed steps to secure business-critical systems including taking extra backups and precautions to protect those backups. Pay close attention to DNS traffic and logs for any indication of DNS tunneling.
The next few days will be interesting to see if the imminent threats that have been warned come to fruition. When looking at How U.S. Hospitals can protect against imminent ransomware threat that has been detailed by the FBI, healthcare organizations need to stay vigilant and implement the necessary precautions and protections to ensure their networks and data are reasonably safe. Much of this is part of good security practices across the board. However, it is worth organizations taking a closer look at the recent threat to take a quick stock of all of the procedures and practices that are assumed to be in place to make sure those are there.