FBI Warns of Healthcare Ransomware: What Hospitals Can Do

The U.S. hospitals hit by a recent spike in ransomware attacks are scrambling to restore their systems, while other hospitals are scrambling to enhance their cybersecurity by filling gaps in their security controls to help defend against becoming the next ransomware victim.

U.S. hospitals and healthcare providers were warned about “an increased and imminent cybercrime threat” this past Wednesday in a joint alert issued by the FBI, the U.S. Cybersecurity and Infrastructure Agency (CISA) and the Department of Health and Human Services (HHS).[1] The alert identifies the family of malware used to carry out the ransomware attacks, which encrypt a company’s data, making it unreadable and any system that depends on it unusable. Cybercriminals then attempt to extort large amounts of money from their victims, usually in Bitcoin, in exchange for restoring the organization’s data.

By targeting hospital systems, ransomware criminals are going where they believe the financial payoff will be the highest and easiest to obtain. “They’re looking for ease of entry combined with a high willingness and ability to pay,” observed Matthew Gardiner, Principal Security Strategist at Mimecast. Hospitals are especially attractive targets as they shift focus to devote increased resources to fighting the COVID-19 pandemic.

How the Ransomware Targeting Hospitals Works

The FBI alert identifies a ransomware infection as a two-step process. Trickbot or Emotet trojans are often first introduced into a system, most often through email phishing schemes. The trojans then drop Ryuk ransomware, which is currently a very popular type of ransomware, into the infiltrated system, where Ryuk goes about encrypting data using AES-256. Ryuk also deletes any backup files and Volume Shadow Copies it can find to prevent the organization from easily restoring the data. Furthermore, the malware attempts to uninstall or disable security programs that could prevent Ryuk from executing.

Sonoma Valley Hospital in California, two hospitals in the St. Lawrence Health System in New York, and Sky Lakes Medical Center in Oregon were all victimized in the last week. These attacks follow last’s month’s intrusion at United Health Services that crippled its 250 U.S. facilities.

A recent study by Mimecast found that 90% of healthcare facilities have been victims of an email-borne attack and that 72% of those organizations were negatively affected by those attacks. “It remains absolutely critical that hospital and medical facilities honestly assess their security programs and fill key gaps. Otherwise, these terrible stories will continue to be a daily occurrence,” Gardiner said.

Key Ransomware Defenses

The following recommendations to help all organizations — hospitals included — to guard against ransomware infections come from Carl Wearn, Head of Threat Intelligence, Risk and Resilience, Mimecast.

• Cybersecurity awareness training. A key, sometimes overlooked defense against email phishing is employee training on social engineering attacks and the implementation of safe practices. Of course, blocking the phish before it can be delivered is best, but combining great technical controls with improved user awareness and understanding is a great combination. Cybercriminals infect systems by enticing users to click links or open attachments to read more about current events or to make charitable contributions. For example, cyberattackers are exploiting the current resurgence of COVID-19 infections to get clicks — and it’s working; a 55% surge in unsafe email clicks seen early in the pandemic has persisted. With the increased number of employees working from home, cyber hygiene is even more critical.
• Strong passwords. It may sound worn or cliché, but strong passwords are still critically important, especially given the significant portion of ransomware that is dropped by Emotet. Once embedded, Emotet tries out its list of weak and common passwords to gain access. Organizations can guard against this attack by implementing strong password policies and ensuring that all administrative passwords are changed from system defaults. Further, organizations should encourage employees to create unique passwords and, even better, implement two-factor authentication where possible. Employees using their home systems should lock their screens when not in use to prevent family members or roommates from inadvertently compromising the system.
• Keep software updated. The timely updating and patching of systems is another critical defense against these sorts of attacks. Important VPN and other software to keep up to date is Apache Tomcat/Ghostcat, Pulse VPN servers, Citrix servers, Telerik UI and Windows. Avoid using these particularly vulnerable software systems altogether: Windows 2007, Internet Explorer and Flash.

Above all, the FBI advises not paying the ransom because payment does not guarantee that the files will be restored and, of course, only rewards hijackers’ antics. The FBI strongly recommends storing backups offline or offsite where ransomware cannot find, encrypt or delete the files. This allows the victim company to quickly restore its data without needing to pay the ransom.

The Bottom Line

Many healthcare organizations need to step up their security programs. Employee education and awareness training about potential attacks can improve defenses notably. Strong password practices along with two-factor authentication are an excellent second line of defense. Most critical is the regular backing up and storing of data offline or offsite where the ransomware cannot reach it.

[1] “Ransomware Activity Targeting the Healthcare and Public Health Sector,” U.S. Cybersecurity & Infrastructure Agency