Why Hospitals Are the Perfect Targets for Ransomware

Posted on Apr 15, 2016 in IT News


Ransomware has been an Internet scourge for more than a decade, but only recently has it made mainstream media headlines. That’s primarily due to a new trend in ransomware attacks: the targeting of hospitals and other healthcare facilities.

The malware works by locking your computer to prevent you from accessing data until you pay a ransom, usually demanded in Bitcoin. Hospitals are the perfect mark for this kind of extortion because they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.

“If you have patients, you are going to panic way quicker than if you are selling sheet metal,” says Stu Sjouwerman, CEO of the security firm KnowBe4. Hospitals are a good target for another reason as well: they “have not trained their employees on security awareness … and hospitals don’t focus on cybersecurity in general,” he says. Instead, their primary concern is HIPAA compliance, ensuring that employees meet the federal requirements for protecting patient privacy.

Last month, attackers took computers belonging to the Hollywood Presbyterian Medical Center in Los Angeles hostage using a piece of ransomware called Locky. Computers were offline for more than a week until officials caved to the extortionists’ demands and paid the equivalent of $17,000 in Bitcoin.

Earlier this month, Methodist Hospital in Henderson, Kentucky was struck by Locky as well, an attack that prevented healthcare providers from accessing patient files. The facility declared a “state of emergency” on a Friday but by Monday was reporting that its systems were “up and running.” Methodist officials, however, said they did not pay the ransom; administrators in that case had simply restored the hospital’s data from backups.

Then this week, news broke that MedStar Health, which operates 10 hospitals and more than 250 out-patient clinics in the Maryland/Washington, DC area, was hit by a virus that may be ransomware. MedStar wrote in a Facebook post that its network “was affected by a virus that prevents certain users from logging-in to our system,” but a number of employees told the Washington Post that they saw a pop-up screen appear on their computers demanding payment in Bitcoin. The organization responded immediately by shutting down large portions of its network. Employees were unable to access email or a database of patient records, though clinics and other facilities remained open and operating. MedStar did not respond to a call from WIRED.

A Profitable Business

Ransomware is rampant because it works. The digital extortion racket has been around since about 2005 and began in Eastern Europe, but attackers greatly improved on the scheme in recent years with the development of ransom cryptware, which encrypts files on a machine using a private key that only the attacker possesses, instead of simply locking the keyboard or computer.

Generally, victims get infected with ransomware through phishing attacks that carry a malicious attachment or instruct recipients to click on a URL that downloads malware to their computer. But victims can also get infected through malvertising if they visit a web site that is serving up compromised ads.

The payoff for hackers can be huge. The FBI estimated in 2014 that the extortionists behind the CryptoLocker strain of ransomware swindled some $27 million in just six months out of people whose data they took hostage.

And ransomware attackers have upped the ante in recent months with attacks that encrypt not just files on an individual computer but on core servers, to prevent an entire organization from accessing shared files and databases. The really malevolent attacks also go after backup repositories that victims might ordinarily use to restore data.

The FBI has released flash alerts warning about an uptick in attacks that use a strain of ransomware called MSIL/Samas—one such warning as recently as last Friday. The FBI first warned about Samas last year, stating that it “encrypts most file types with RSA-2048 [a strong encryption algorithm]. In addition, the actor(s) attempt to manually locate and delete network backups.”

The ransomware known as Locky does this as well, and much more, says Sjouwerman. Locky searches for Volume Shadow Copy files, a feature in Windows systems that backs up copies of files automatically, even while people are working on them. Locky erases them.

Locky attacks are different for another reason; they’re a hybrid of standard ransomware infections—which involve spray-and-pray phishing campaigns that deliver a mass email to a lot of people with the hope that some will click and get infected with the ransomware—and traditional network breaches that involve lateral movement through a network to gain control of key servers. While the email portion of the attack is “mass market, low cost, and fully automated,” he says, the lateral movement requires the attacker to use tools like backdoors and keystroke loggers to steal administrative credentials and gain access to core systems. Once they do, they’ll lock up file-share servers where hundreds of employees in the organization might access shared files.

“You don’t have to lock an entire network,” Sjouwerman says. “You just need to find where are the critical files in a network—what servers are serving up the millions of files that most workers use…. And you only need to lock maybe two or three file servers to essentially block the whole network.”

Organizations often discover they’ve been infected with malware only after workers start complaining that they can’t access files on a shared server. “The [administrator] goes through the file server and sees [files with names like] ‘decrypt.html’ and ‘decrypt.txt’ with instructions on how to pay. And then they know that they’ve been hit.”
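The discovery scenario above, as an added example that is not from the article: a triage script that walks a file share looking for the two symptoms described, ransom notes named decrypt.html or decrypt.txt and a burst of files renamed to one unfamiliar extension. The share layout, the `.locky` suffix and the list of "normal" extensions are constructed for the demo.

```python
"""Added example (not from the article): quick triage of a file share for the
symptoms the article describes: ransom notes and mass-renamed files."""
import os
import tempfile
from collections import Counter

# Note file names the article cites; other strains use other names (assumption).
RANSOM_NOTE_NAMES = {"decrypt.html", "decrypt.txt"}
# Extensions users normally write to this share (assumed for the demo).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".html"}


def scan_share(root, burst_threshold=5):
    """Walk `root`; return (ransom_note_paths, {unknown_ext: count} bursts)."""
    notes, ext_counts = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in RANSOM_NOTE_NAMES:
                notes.append(os.path.join(dirpath, name))
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext and ext not in KNOWN_EXTENSIONS:
                ext_counts[ext] += 1
    # Many files sharing one unknown extension is the mass-rename signature.
    bursts = {e: n for e, n in ext_counts.items() if n >= burst_threshold}
    return notes, bursts


def share_looks_encrypted(root, burst_threshold=5):
    """True if either symptom is present on the share."""
    notes, bursts = scan_share(root, burst_threshold)
    return bool(notes) or bool(bursts)


def build_demo_share(encrypted=True):
    """Constructed share: 8 spreadsheets, optionally renamed to '.locky' plus a note."""
    root = tempfile.mkdtemp(prefix="share_")
    finance = os.path.join(root, "finance")
    os.makedirs(finance)
    open(os.path.join(root, "readme.docx"), "w").close()
    suffix = ".locky" if encrypted else ""
    for i in range(8):
        open(os.path.join(finance, f"budget{i}.xlsx{suffix}"), "w").close()
    if encrypted:
        open(os.path.join(finance, "decrypt.txt"), "w").close()
    return root


if __name__ == "__main__":
    print(scan_share(build_demo_share()))
```

On a real share the walk should run from a read-only account so the scanner itself cannot be used to spread anything.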

Worse, not only can attackers lock out all workers who need access; they could also use those shared files as a means of infecting anyone who accesses them, in order to spread malware to more machines.

“All-employee access groups are the exact type of data under attack by Ransomware,” says Adam Laub, a senior vice president at STEALTHbits. “It’s like getting a key to your hotel room and discovering that it actually gives you access to many other rooms as well. All a would-be intruder needs to do is try it in each door…. If access rights to file shares were better controlled via groups with only the proper users, the ability for ransomware to rapidly spread far and wide would be drastically reduced.”

How Hospitals Can Protect Themselves

When ransomware strikes a hospital, the first reaction is often panic. After MedStar got hit with what is believed to be ransomware, it immediately shut down most of its network operations to prevent the malware from spreading. This meant health-care professionals could not access email or easily schedule patient visits or surgeries. The hospital reverted to paper records for communication and scheduling.

This was actually the proper response, says Sjouwerman, whose firm distributes a 20-page “hostage manual” (.pdf) instructing ransomware victims on what to do after an attack and how to prevent one.

The company advises victims to disconnect infected systems from a network and disable Wi-Fi and Bluetooth to prevent the malware from spreading. Victims are also told to remove any USB sticks or external hard drives connected to an infected computer to prevent those from being locked as well.

It helps to know what strain of ransomware is on your system; if it’s well-known, there may be information published online by security firms or even tools that can bypass the encryption—if the attackers designed it poorly.

Barring this, a victim has two options: pay the ransom or restore data from backups. If formal backups don’t exist, it may be possible to restore data using Shadow Copy files and other methods. The best action, of course, is for hospitals to take steps to prevent attacks and maintain what he calls weapons-grade backups.

Sjouwerman says security awareness training for employees is also key to prevent them from clicking on phishing emails. With good training “you can actually truly get a dramatic decrease in click-happy employees,” he says. “You send them frequent simulated phishing attacks, and it starts to become a game. You make it part of your culture and if you, once a month, send a simulated attack, that will get people on their toes.”

Over the course of a year, measuring some 300,000 users, his company saw a drop in clicks from 15.9 percent to just 1.2 percent on average in companies that had training.

Or hospitals could whitelist their machines to prevent ransomware installing. This involves scanning a machine to note all the legitimate applications on it, then configuring it to block any other executables. This can involve hundreds or thousands of machines, each with different applications, which is why few organizations actually take this step. It can be laborious and easily run aground by office politics.

“Doctors are gods and don’t let anybody tell them what to do, so enforcing whitelisting in an organization [and telling doctors they can’t run certain applications] is a political exercise not just a technical one. It is fraught with organizational ‘challenges,’” he says.

His company also recommends configuring mail servers to block zip or other files that are likely to be malicious. Most importantly, they tell organizations to restrict permissions to areas of the network. Instead of having thousands of people accessing files on a single server, they recommend breaking access into smaller groups so that if a server gets infected, it won’t spread ransomware to everyone. It also forces attackers to work harder to locate and lock down more servers.
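Laub’s hotel-key comparison and the recommendation just above, as an added example that is not from the article: a small blast-radius model of share permissions. One infected account can encrypt every share it can write to, so the model compares an “all employees” group against groups scoped per department. The share names, groups and memberships are constructed for the demo.

```python
"""Added example (not from the article): blast radius of file-share ACLs.
Compares a flat 'all-employees' grant with per-department groups."""

# share -> groups granted write access (constructed)
FLAT_ACLS = {"finance": {"all-employees"}, "hr": {"all-employees"},
             "radiology": {"all-employees"}, "pharmacy": {"all-employees"}}
SCOPED_ACLS = {"finance": {"finance-staff"}, "hr": {"hr-staff"},
               "radiology": {"radiology-staff"}, "pharmacy": {"pharmacy-staff"}}
# user -> groups (constructed); every user is also in all-employees
MEMBERSHIP = {"alice": {"finance-staff"}, "bob": {"hr-staff"},
              "carol": {"radiology-staff"}, "dave": {"pharmacy-staff"},
              "erin": {"pharmacy-staff"}}


def reachable_shares(user, acls, membership):
    """Shares that ransomware running as `user` could encrypt."""
    groups = membership.get(user, set()) | {"all-employees"}
    return {share for share, allowed in acls.items() if allowed & groups}


def worst_case_fraction(acls, membership):
    """Largest fraction of shares any single infected account reaches."""
    worst = max(len(reachable_shares(u, acls, membership)) for u in membership)
    return worst / len(acls)


def users_exposed_by(share, acls, membership):
    """Accounts whose infection would encrypt `share` (the hotel-key problem)."""
    return {u for u in membership if share in reachable_shares(u, acls, membership)}


if __name__ == "__main__":
    for label, acls in (("flat", FLAT_ACLS), ("scoped", SCOPED_ACLS)):
        print(label, worst_case_fraction(acls, MEMBERSHIP),
              sorted(users_exposed_by("pharmacy", acls, MEMBERSHIP)))
```

Run against a real directory export, the same functions show which shares a single phished account would take down and which groups need trimming first.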

“You need to protect every damn layer [of your network] within an inch of your life,” Sjouwerman says, to make attackers work harder. Hackers are looking for a quick and easy return on their investment. And if you can turn your network into a hard target they’ll “simply go away,” he says, and search out an easier mark.