While some security researchers noted in fall of 2018 that ransomware attacks were in decline, much of healthcare continued to be targeted by these attacks throughout the year. And by mid-2019, attacks leveraging the encryption-based malware have already doubled with an increase in brute-force attacks.
The latest Coveware analysis of the threat actor shows the price of ransomware payments have increased by 184 percent to $36,295 during the second quarter of 2019, compared to just $12,762 during Q1. The researchers explained the increase directly tied to the prevalence of new ransomware variants drastically increasing their ransom demands.
What’s more, the average downtime increased to 9.3 days from 7.3 days during the same time period, driven by the rise in Sodinokibi variant attacks that target IT managed service providers. Considering multiple providers have experienced extended periods of downtime and disruptions to patient care, the statistic is not too surprising.
Coveware also found that Ryuk and Sodinokibi variants are predominantly targeting larger organizations or the distributed networks of organizations through their IT MSPs or hosting internet service providers. In October, the DCH Health System in Alabama fell victim to a Ryuk ransomware attack and paid the undisclosed ransom to restore patient services, after patient care was disrupted for several days.
There’s also been a steady increase in providers admitting to paying the ransom demands in order to restore service, given the ransom demand was less expensive than continued care disruptions. But Coveware showed that 8 percent of data is still lost, even after hackers provider the decryptor after the payment.
“Data loss is typically a result of a flawed encryption process where files are partially encrypted or wiped,” researchers wrote. “Some clients reduce the expense of running inefficient decryptor tools and simply archive non-essential encrypted data for a rainy day.”
The healthcare sector has seen several examples of providers losing data after a ransomware attack. Just this week, Brooklyn Hospital Center reported a patient data breach, after malware encrypted some patient data and officials were unable to recover some the data. Two other providers have opted to shutter after ransomware attacks rendered permanently inaccessible.
For Michael Sechrist, head of Booz Allen’s cyber threat intelligence team, these incidents are “par for the course.”
“There are plenty of attacks to go around, and I don’t see it decreasing,” Sechrist said. “There was a lull in activity last year, but it’s sped back up. And more attacks are affecting or disrupting different companies and their operations. It’s trending upwards.”
“I don’t think it’s as high as 2016, but it’s still a significant amount,” he added.
ARE PROVIDERS MOVING FAST ENOUGH?
Much of the attacks from the past year have been directed at potentially less mature sectors, including healthcare and municipalities, Sechrist explained. Those organizations might not have the available resources to combat these types of attacks, which are generally focused on targeting critical access.
“Securing these workloads and data is a task of shared responsibility between all parties.”
The Institute for Critical Infrastructure Technology has reported there have been an alarming number of these types of “disruptionware” attacks, aimed at disrupting business and continuity using malware to halt operations, damage reputations, extortion, or other malicious goals.
“While IT environments are suffering from increased sprawl, hackers are getting more and more sophisticated,” said Emil Sayegh, CEO, Ntirety. “Cybercriminals are experts at shifting and evolving their attack vectors to create maximum damage and return. In some cases, hackers are interested in ease of effort.”
“It’s a never-ending struggle in an industry where security risks exist everywhere, and attacks can come from any location—including the inside of the organization—and at any volume,” he added.
The difference between the early onslaught of ransomware attacks in 2016 and the increase in disruption from ransomware today is that hackers are planning their attacks over the course of months and sometimes years, Sayegh explained.
Hackers will lurk, testing perimeters and often laying dormant until the right vulnerability is found to then launch an attack. Sayegh stressed that sophistication of the threat actors have amplified, as well: many hackers are backed by “hacking factories” in countries like Russia, China, and North Korea.
“Cloud sprawl, shadow IT, and a lack of governance throughout the industry and across multiple levels of services, including hybrid public cloud scenarios, is making it easier for cybercriminals,” Sayegh said. “Hackers are able to get in through secondary services and backdoors due to the lack of governance in some cases.”
“Most healthcare organizations are not prepared to take on their cloud sprawl, and they haven’t made optimization a priority due to lack of resources or lack of understanding of the real consequences,” he added. “Powerful, modern cloud technologies have never been easier to deploy and consume, but organizations have a responsibility to launch these technologies securely and maintain that security throughout their lifecycle.
HEALTHCARE MUST BE PROACTIVE
The crux of healthcare’s issues lies with a lack of understanding around the criticality of assets. Hackers are launching attacks to hold those assets hostage, but many providers are failing to proactively assess what the potential impact will be if certain technologies go down in the event of a cyberattack.
“If you don’t have an ultimate grasp on your asset inventory, or a grasp of the different ways attacks can impact open ports or protocols known to be leveraged by ransomware, you’re putting yourself at a disadvantage when dealing with a cyberattack,” Sechrist said.
“It’s about the feasibility of data access and recovery,” he added. “The number one requirement is to truly identify where critical data and critical assets are in terms of reportable risks for your company. That’s the hardest party, but it’s incumbent on the businesses you serve.”
“Security isn’t easy when resources like funding, personnel, tools, expertise, and leadership are a challenge to obtain.”
Security leaders will need to come to an agreement with all equitable parties within the healthcare system to determine that criticality. Sechrist stressed that it’s a challenging but necessary part of protecting against ransomware.
To get there, organizations can leverage security events and incidents to highlight to the board how these assets could be affected in the event of an attack. He suggested leadership ask those crucial questions: If an attack were to occur today, how would we detect it, prepare for it, and remediate it after the fact?
“Those types of circumstances allow you to pull in parties that might not be initially interested in talking through the ways a ransomware attack can affect an organization,” Sechrist said.
Using tabletops, an organization can determine the stability needed to ensure the data and assets are protected, including through sound, offline backups. Sechrist noted there are several companies that handle offline backups and certify that data is protected in the event of ransomware.
Organizations can also secure data offline or through an air-gapped, controlled way with encryption keys, he explained. Several firms such as Forrester, even have a guide to ransomware payments. Asset inventory, routine patching of vulnerable technologies, and segmenting tech showing signs of infection are also crucial to shoring up defenses.
“But it’s something you have to do,” Sechrist said. “The gaps are likely going to be there, but it’s understanding how to close it and ensuring you have the risk tolerance to accept that gap.”
“Security isn’t easy when resources like funding, personnel, tools, expertise, and leadership are a challenge to obtain,” Sayegh said. “It becomes even more difficult when security vectors keep changing. Like security threats, compliance standards are always evolving.”
Sayegh stressed that compliance is not enough to tackle modern security challenges. Instead, organizations need to proactively combat these threats and “make security much more actionable.” Continuously training employees and critical personnel is one of the most tangible steps.
“If you don’t have an ultimate grasp on your asset inventory, or… the ways attacks can impact open ports or protocols known to be leveraged by ransomware, you’re putting yourself at a disadvantage.”
Organizations should also leverage expert resources from NIST, HITRUST, and other security researchers to gain insight into how to tackle threats like ransomware, insiders, and password safety.
“They should partner with qualified, experienced organizations that understand the healthcare industry, and the challenges it faces,” Sayegh. “Healthcare IT departments also need to go through the exercise of classifying data, identifying which systems and information are critical and where data exists.”
“Organizations should run through data recovery scenarios, evaluate, and re-evaluate routinely,” he added.
Much like the majority of security leaders and the FBI, Sayegh reminded organizations that paying the ransom is not a great idea. But if providers don’t shift into a “what if” mindset, paying the hackers’ demands is what organizations will end up doing.
“It’s our responsibility as leaders to treat technology as inherently vulnerable because, over time, the window of risk shifts, and sooner or later, risk will come knocking,” Sayegh said. “Security incidents such as ransomware attacks are somewhat inevitable in the healthcare industry due to the high value target it represents, so it is imperative to plan and practice how you are going to react to these incidents.” “Again, proactive security and actionable practices make all the difference. An ounce of prevention is worth a pound of cure,” he added.
For Sechrist, it boils down to basic cyber hygiene. In that way, if an event occurs, there are ways to remedy the issue without massive interruptions to patient care. Organizations need to put emergency plans in place to handle potential security incidents.
“In the industry it’s important to be always up: downtime is seen as significant problem,” Sechrist said. “By having a plan in place, it ensures something won’t leave you in the lurch when an event occurs.”
“We’re witnessing a rapid technological revolution as organizations combine the structure of the enterprise with the flexible advantages of the cloud,” Sayegh said. “Securing these workloads and data is a task of shared responsibility between all parties… and critical to optimizing security goals, achieving compliance, and together, achieving the successes of protecting all of our privacy as patients, as well as the reputation of the healthcare providers.”