Since my first post on the topic of ransomware targeting hospitals, we have seen an almost weekly influx of ransomware attacks, so prevalent that the Department of Homeland Security (DHS) and the Canadian Cyber Incident Response Centre (CCIRC) released a joint alert in late March on the nature of the threat and what organizations can do to “protect” themselves. We first saw “Locky”, a ransomware family that, upon execution, encrypts certain file types on the user’s system; the compromised user then has to pay the attacker to get the files decrypted (McAfee).
How it works: Locky needs only one user to unknowingly open a malicious email attachment. A typical example is a Word or Excel file riding along with a phishing/spam email that, when opened, shows nothing but gibberish like “dkasfjdlsakjfdlsskdlfjladfjldsfja … ewerplhncvcxvmdn…”. Since the document looks like a text-encoding mishap, the sender has “kindly” suggested that you “enable macros” in case your device decoded the data incorrectly, and Office’s own yellow security bar helpfully provides an Enable Content button to do exactly that. Problem solved!
(picture courtesy of Sophos)
But instead of decoding that document, you have now infected yourself with Locky. The macro fetches and runs the ransomware, which encrypts almost every user file on your device (and on any network share it can reach) into an indiscernible form for which only the attacker holds the “Rosetta Stone”, the decryption key. Unless you have a recent backup of your files, you have two choices:
1.) Your files remain this way until you pay the attacker the requested ransom to decrypt them back to their original state, or
2.) Your files and data are wiped, gone forever, and/or systems stay locked down for the foreseeable future. In a hospital’s case, with networks down, patient safety and treatment quickly become an escalating issue…
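The lure described above works because the attachment’s macros are the payload carrier, so a mail gateway or triage script that looks for macros in the file itself (not just the extension) catches the Locky delivery path before a user ever sees the Enable Content bar. The following is an added example written for this post, not code from the original article or from any vendor it cites. It assumes the standard locations of the VBA project inside Office files: a vbaProject.bin part in Office Open XML packages, and a UTF-16LE _VBA_PROJECT directory entry in legacy OLE files (the OLE check is a deliberate byte-scan simplification of a real parser). All sample files are constructed in memory for the demonstration.

```python
"""Flag Office attachments that carry VBA macros, the Locky delivery vehicle.

Added example, not code from the original post. It inspects the file content
rather than trusting the extension: Office Open XML packages (.docm/.xlsm, or
a macro package renamed to .docx) hold macros in a vbaProject.bin part, while
legacy binary .doc/.xls files store them in an OLE storage whose directory
entries are UTF-16LE names such as _VBA_PROJECT. The legacy check is a byte
scan, a simplification of a full OLE parser. All samples are constructed.
"""
import io
import zipfile

MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
LEGACY_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                         # zip local file header (OOXML)


def ooxml_has_macros(data: bytes) -> bool:
    """True if an Office Open XML package contains a VBA project part."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return False
    # word/vbaProject.bin, xl/vbaProject.bin or ppt/vbaProject.bin
    return any(n.endswith("/vbaproject.bin") for n in names)


def ole_may_have_macros(data: bytes) -> bool:
    """Crude check for legacy binary formats: OLE magic plus a VBA project stream name."""
    if not data.startswith(OLE_MAGIC):
        return False
    return "_VBA_PROJECT".encode("utf-16-le") in data


def classify_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason); verdict is 'quarantine', 'review' or 'allow'."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ooxml_has_macros(data):
        return "quarantine", "OOXML package contains vbaProject.bin"
    if ext in MACRO_EXTENSIONS:
        return "quarantine", "macro-enabled extension"
    if ext in LEGACY_EXTENSIONS and ole_may_have_macros(data):
        return "quarantine", "legacy OLE file with a VBA project stream"
    if ext in LEGACY_EXTENSIONS:
        return "review", "legacy binary Office format; byte scan found no VBA stream"
    return "allow", "no macro indicators"


def build_ooxml(parts: dict) -> bytes:
    """Assemble a minimal OOXML-style zip from {part_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): a clean .docx, a macro-enabled .docm,
# and legacy .doc blobs with and without a VBA project entry.
SAMPLE_DOCX = build_ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
SAMPLE_DOCM = build_ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                           "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 24})
SAMPLE_DOC = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64
SAMPLE_CLEAN_DOC = OLE_MAGIC + b"\x00" * 568

SAMPLES = [
    ("report.docx", SAMPLE_DOCX),
    ("invoice.docm", SAMPLE_DOCM),
    ("invoice.docx", SAMPLE_DOCM),   # macro package hiding behind a harmless extension
    ("scan.doc", SAMPLE_DOC),
    ("memo.doc", SAMPLE_CLEAN_DOC),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        verdict, reason = classify_attachment(name, blob)
        print(f"{name:14s} {verdict:10s} {reason}")
```

The content check matters more than the extension check: a renamed macro package still trips the vbaProject.bin test, while the extension list alone would wave it through. For production use, replace the legacy byte scan with a real OLE parser and pair the gateway check with Office policy that blocks macros in documents arriving from the internet, so one “enable content” click is not the last line of defense.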
More recent attacks, most notably on several hospitals within the 10-hospital MedStar Health system in the Washington, D.C. area, were the product of a different ransomware variant: samsam (also referred to as Samas). Samsam gets in not through user error or activity but through open vulnerabilities in the organization’s own network, specifically JBoss application server vulnerabilities, some of which have been widely known and published for nearly a decade. Ever since Locky first targeted hospitals a few months ago, many have assumed the subsequent hospital attacks were also the result of Locky delivered by phishing or malvertising, with the attackers relying on an insider’s “mis-click” to gain a foothold and the extent of the damage depending on the access privileges of the affected users and devices (an admin-level account being the attacker’s ideal target).
According to an Associated Press article earlier this week, “The U.S. government, Red Hat and others issued urgent warnings about the security problem and a related flaw in February 2007, March 2010 and again earlier this week. The government warned in 2007 the problem could disrupt operations and allow for unauthorized disclosures of confidential information.”
The samsam infection process is thoroughly covered in a recent analysis from Dell SecureWorks. Essentially, attackers exploit JBoss vulnerabilities, often using the open-source JexBoss exploitation tool, to gain a remote shell on an internet-facing server, install samsam there, and then move laterally through the network to infect individual machines. SecureWorks researchers stated that most of the vulnerable servers they analyzed had been initially compromised months before the samsam ransomware was introduced. Decade-old vulnerabilities, and intrusions “cloaked” for months…
Additionally, researchers at Cisco Talos uncovered more than 2 million servers around the world exposed to the JBoss flaws that JexBoss exploits, and stated that samsam deployments had “raked in” around $115,000 in ransom payments for the attackers in the month of March.
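Because JexBoss works by walking the JBoss management interfaces (jmx-console, web-console, admin-console, the invoker servlets) and then posting to whichever one answers, the reconnaissance shows up plainly in the web server’s access log long before any ransomware is staged. The script below is an added example for this post, not code from SecureWorks, Talos or the JexBoss project. It scans constructed combined-format log lines for requests to those endpoints and grades each hit by what the server did with it: a 4xx/5xx means the endpoint was probed but is not there, a 200 on a GET means a console is reachable, and a POST to a reachable endpoint has the shape of an invoke/deploy call. The endpoint list and the internal address ranges are assumptions to adapt, not an exhaustive signature.

```python
"""Spot JexBoss-style probing of JBoss management endpoints in web server logs.

Added example, not from the original post or from SecureWorks/Talos. The
endpoint list covers the JBoss management interfaces that JexBoss and similar
tools target; treat it as a starting point rather than a complete signature.
Internal address ranges are an assumption for the demo, and the log lines are
constructed in Apache/NGINX combined format.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed list of JBoss management endpoints worth alerting on.
JBOSS_MGMT_PATHS = (
    "/jmx-console",
    "/web-console",
    "/admin-console",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
    "/jbossmq-httpil/HTTPServerILServlet",
)

# Assumed internal ranges; adjust to the organization's address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_jboss_mgmt_path(path: str) -> bool:
    """Match the endpoint itself or anything beneath it, ignoring the query string."""
    p = path.split("?", 1)[0]
    return any(p == base or p.startswith(base + "/") for base in JBOSS_MGMT_PATHS)


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def assess(entry: dict):
    """Return a finding for a management-endpoint request, else None.

    probe:           endpoint requested but not served (4xx/5xx)
    exposed:         console or servlet answered a GET, so it is reachable
    exploit-attempt: POST to a reachable endpoint, the shape of an invoke/deploy call
    """
    if not is_jboss_mgmt_path(entry["path"]):
        return None
    if entry["status"] >= 400:
        verdict = "probe"
    elif entry["method"] == "POST":
        verdict = "exploit-attempt"
    else:
        verdict = "exposed"
    return {
        "ip": entry["ip"],
        "internal": is_internal(entry["ip"]),
        "method": entry["method"],
        "path": entry["path"],
        "status": entry["status"],
        "verdict": verdict,
    }


def scan_log(lines):
    """Run every parseable line through assess() and collect the findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = assess(entry)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Map each source IP to the set of verdicts seen from it."""
    per_ip = defaultdict(set)
    for f in findings:
        per_ip[f["ip"]].add(f["verdict"])
    return dict(per_ip)


# Constructed log lines: an ordinary request, an external host walking the
# consoles and then POSTing to the invoker servlet, an internal admin using
# the console, an external host hitting a servlet that is not deployed, and
# one unparseable line.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2016:03:14:07 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.77 - - [28/Mar/2016:03:14:09 -0400] "GET /jmx-console/ HTTP/1.1" 200 5123 "-" "Python-urllib/2.7"
203.0.113.77 - - [28/Mar/2016:03:14:10 -0400] "GET /web-console/ HTTP/1.1" 200 4410 "-" "Python-urllib/2.7"
203.0.113.77 - - [28/Mar/2016:03:14:11 -0400] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 33 "-" "Python-urllib/2.7"
203.0.113.77 - - [28/Mar/2016:03:14:12 -0400] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 512 "-" "Python-urllib/2.7"
10.0.0.5 - - [28/Mar/2016:03:15:00 -0400] "GET /jmx-console/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2016:03:16:00 -0400] "GET /invoker/JMXInvokerServlet HTTP/1.1" 404 210 "-" "curl/7.47.0"
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        where = "internal" if f["internal"] else "EXTERNAL"
        print(f'{f["ip"]:15s} {where:8s} {f["method"]:4s} {f["path"]:32s} {f["status"]} {f["verdict"]}')
    print(summarize(found))
```

Two things the output makes obvious that a plain grep does not: a 200 on /jmx-console/ from an external address is a finding on its own (the console should not be reachable at all, patched or not), and an internal hit on the same path is a different conversation, with the admin team rather than the incident responders. Given SecureWorks’ observation that servers were compromised months before samsam appeared, it is worth running this over historical logs, not just today’s.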
MedStar specifically saw system outages, attackers demanding that MedStar pay 45 BTC (roughly $18,500), new FBI warnings issued as a result, and, again, my favorite line: “no evidence that patient or employee records were compromised”. MedStar reportedly did not pay the ransom, and its systems were back up and running a little over a week later. Even without paying, MedStar brought in at least one large security firm (not cheap), faces possible fines if it is deemed to have failed to “exercise reasonable diligence to protect their systems”, and, if patient data was indeed compromised, potential HIPAA penalties down the road.
But why is healthcare the target over and over again of late? Minimal effort, high reward: easy targets susceptible to unsophisticated attacks, combined with high-value financial incentives. I have said it before and I will say it again: the significant increase in adoption of electronic health records (EHRs) and other digital technologies over the past 5-10 years has created a digital “treasure trove” of PHI, insurance details and financial information, while existing security controls have remained only modest obstacles to cyber criminals.
And in the specific case of ransomware, the sensitive information in health records gives the attacker a second way to profit from the same intrusion: if the victim organization won’t pay the ransom, the attackers can still exfiltrate records and sell them on the lucrative black market (if they so choose). Mikhail Sosonkin, Senior Security Research Engineer at Synack, weighed in on whether attackers could actually be stealing patient data, regardless of the denials by hospital officials:
“If you think about it, ransomware is technologically no different from any other malware. In order to hold something in ransom, the malware needs to gain access to a valued asset, whether that’s an individual computer, an entire network, or in a hospital’s case, medical records and protected health information (PHI). Then, the malware encrypts the device files/data or network access keys, remaining that way until the ransom for the decryption key is paid, or backups and systems are restored (if possible). I can’t speak for what the attackers’ intentions in these cases are, whether they’re solely after a ransom, or much, much more… With that in mind, even if organizations/individuals are paying the ransom, there’s no reason to think that the attackers aren’t exfiltrating any data, and that they won’t sell it after the fact. Unlike physical ransom exchanges, here an attacker can replicate whatever valuable data they get out of the target network (PHI, PII, PCI, etc.) – who’s to then stop them from selling that data on the black market for a second payday after the fact?”
Ransomware is no new trick; it is an attack method that has existed for years. But with variants like samsam that target vulnerabilities in an organization’s network, rather than relying on an individual’s “user error” in clicking a malicious link or enabling malicious content, ransomware risk has reached a new “organizational level” for companies in any industry vertical. And remember, samsam is just one variant targeting one server platform. Attackers may also be after more than a ransom payment, so any industry holding valuable information is at risk; healthcare just happens to be the industry we are hearing about most right now. Just one quarter into 2016, a year in which Forrester’s top prediction was that ransomware would hit the healthcare space, we have seen dozens of hospitals hit by these attacks, attacks showing just how easily an institution can be crippled in the hope of a quick payday, or maybe more. What comes of an attack, a ransom, stolen patient data, neither, or both, we will have to wait and see as investigations unfold…
– Patch Early, Patch Often – Attackers are taking advantage of “low-hanging fruit”: known vulnerabilities that open-source exploitation tools such as JexBoss turn into point-and-click intrusions. The fix is unglamorous: stay current on patch releases, institute frequent patch cycles, and inventory internet-facing middleware such as JBoss so that management consoles and invoker servlets with no reason to be reachable from the internet are removed or firewalled off rather than merely patched.
– Test Early, Test Often – Applications and networks are under constant attack from increasingly capable threat actors; perform penetration and application security testing proactively and frequently to find and fix holes before the adversaries do. Remember too that a clean scan today says nothing about a foothold established months ago, as SecureWorks found on the samsam victims, so hunt for signs of existing compromise as well. Too many organizations simply hope a breach does not occur and react to the consequences after the fact…
– Educate, Train, Encourage – Build awareness of phishing, malvertising and general threat campaign practices across the organization’s entire user base. Train users in basic defensive habits such as spotting suspicious emails and using caution when clicking external links or opening attachments, and pair that training with technical controls where possible, such as blocking macros in documents that arrive from the internet, so that a single “enable content” click is not all that stands between a phishing email and an encrypted file server. Encourage users to report suspicious emails and activity; employees should feel comfortable approaching IT/security personnel with questions, because a “do-it-yourself” approach to detecting suspicious activity is clearly not working…
– 3-2-1 Rule – A timeless security/backup adage:
- Maintain at least 3 copies of data at all times
- Keep backups on at least 2 different media or storage types
- Always store 1 backup off-site
Keep in mind that a backup reachable from an infected machine (a mapped drive, an always-connected USB disk, a writable network share) is just another set of files for the ransomware to encrypt; at least one copy should be offline or otherwise not writable from the production environment, and restores should be tested regularly, since a backup that has never been restored is a hope rather than a plan.