Despite its introduction in the late ‘80s, ransomware has seen a substantial boom in popularity since 2011 due to several contributing factors including monetization of RaaS (ransomware as a service), spoofed websites and lack of consumer knowledge. This specialized form of malware utilizes encryption to hold important data for a ransom with the promise of decryption upon payment.
Ransomware is most commonly distributed via email and email attachments, but can also be contracted by abusing RDP privileges on a system. Upon activation, Ransomware will take different actions depending on the variant active. Some will only encrypt specific file formats such as Word (.docx) or Excel (.xlsx) documents, while more modern iterations usually encrypt entire hard drives. Keep in mind that the true nature of ransomware is to maximize its payday by attempting to infect as many machines as possible to gain a better foothold. If not contained quickly, ransomware can spread to encompass an entire network in no time.
After deployment, there is often a message offering to restore the encrypted data for payment. In the modern age of ransomware, these demands are often fickle and interminable.
With the introduction of cryptocurrencies such as Bitcoin, attackers have enjoyed relative anonymity, emboldening them to pursue as much profit as possible from victims. This means that more often than not, once a ransom is paid, the threat actor will attempt to blackmail the victim with the compromised files for further profit.
On top of losing out on the ransom money, both your data and reputation have been completely destroyed at this point.
In short, once the ransom is paid, there’s no guarantee that the ordeal will be over.
The first reported case of ransomware being utilized was incredibly indicative of its future applications. In 1989, AIDS researcher Joseph Popp distributed thousands of malicious floppy disks containing what is now called the “AIDS Trojan” to researchers across the globe [2]. After a 90-day incubation period, the virus would activate, requiring the user to pay $189 to unlock the data.
Due to the incredibly critical nature of this research, it was almost guaranteed that the victims would be desperate enough to pay the demanded amount. The inherent sensitivity of vital medical records has become an increasingly irresistible target for criminals looking for a more guaranteed payout.
In recent years, the American healthcare system has faced a drastic uptick in confirmed ransomware incidences. Of the approximately 80 attacks on healthcare providers in 2020, the most successful was an intrusion and deployment against Universal Health Services, a governing body of hundreds of hospitals in the United States [3]. This particular attack was responsible for the disruption of medical services, the loss of thousands of patient records, and weeks of operational downtime.
Though many of the affected institutions opt to pay the requested amount, there is still an inherent risk even after the decryption is carried out. Not only are these sensitive files encrypted upon the deployment of the payload, but they are often stolen by the attacker and sold for further profit. This poses an incredible privacy risk and creates a massive risk regarding identity theft.
When discussing thousands of potentially compromised patients, these health care providers now not only have to contend with the loss of millions from the attack itself but also the legal fallout that can come from the private victims.
The healthcare industry’s increasing vulnerabilities come as a result of several industry wide complications including vendor management and low budgets for security initiatives. The overwhelming point of contact for these attacks is malicious emails. The malware payload is usually distributed over email in a variety of formats including excel macros or URL redirection links.
This method of distribution relies heavily on user error, meaning the first and best line of defense is preventing the email delivery in the first place.
By educating employees and implementing concise information policies, employees will be empowered to make informed decisions regarding daily communications. These policies can incorporate assessing potential threats, identifying suspicious activity, reporting unauthorized activity or intrusion attempts, and even initiating appropriate incident response in the immediate aftermath of a breach.
Implementing policy alone will not stop ransomware, it takes constant reinforcement of training, patching of outdated systems, and a total acceptance of security into the company culture from the top down in order to stay ahead of malware.
When developing these policies, services such as CyGuard™ Horizon prove invaluable by providing effective threat intelligence and actionable reporting in order to develop informed and tailored security solutions. Horizon’s proactive reconnaissance approach provides intelligent threat analysis and lays the groundwork for creating a detailed overview of the unique threats an organization faces.
After identifying the inherent threats, Horizon provides predictive threat intelligence that monitors the Dark Web for new hidden threats and early indications of compromise. When providing an organization with the appropriate tools to ensure operational security, the battle is won with intelligence.
When the human factor and threat index have been appropriately bolstered, the next line of defense relies on active monitoring. Here at Digital Hands, our proprietary CyGuard™ solutions provide a robust tool kit that considers every unique aspect of an organization’s digital ecology thanks to our Composable Security approach.
When considering the method of infection for most ransomware, the need for email protection is paramount. CyGuard’s™cloud-based email security service scans incoming messages for malicious files preventing the potential point of contact from even materializing. To further ensure thorough threat detection, this tool employs Natural Language Processing, a type of machine learning, to identify language patterns that are indicative of phishing emails. In preventing the distribution of the malware, the threat is subdued. Lastly, The intuitive AI capabilities are programmed to observe and learn 1 entire year's worth of user email behaviors to create a baseline of what is considered “normal” in each environment. This ability gives CyGuards solutions the unique ability to detect abnormal activity and even impersonation type attacks.
Live monitoring and threat detection are imperative for incident prevention and mitigation. Using our Managed Detection and Response service, threats are detected rapidly allowing for the maximum response window to act.
When a ransomware script is initialized, the immediate response must be focused on isolation, damage assessment, and proper reporting.
As seen with the 2019 series of Ryuk attacks, a timely and focused response would have allowed some of the targeted organizations the opportunity to limit downtime if proper security controls were in place to minimize potential damage.
Many organizations neglect to incorporate incident reporting into the security policy, resulting in the loss of precious time during the immediate aftermath of an attack. Incident response can be a daunting and stressful process, which is why Digital Hands offers 24/7 proactive monitoring to provide teams with experienced analysts. These analysts notify of potential breaches and assist in the mitigation of the attack’s impact.
When assessing a breach, our analysts can identify the scope of the attack including breach indicators, that may elude to data that has been compromised.
With the incoming wave of progressively more sophisticated ransomware being leveraged against crucial services, it’s time to adapt with preventative policies and integrated services. The exponential increase in incidents indicates a need for thorough and diversified solutions that consider all aspects of this growing threat, not just stock antivirus software.
Security begins with the users, and empowering them to protect themselves must be considered a part of the solution. From there, partner with a cybersecurity service like Digital Hands for enhanced security peace of mind.
Sources
[3] https://healthitsecurity.com/news/560-healthcare-providers-fell-victim-to-ransomware-attacks-in-2020