
Ransomware Attacks – a Story of Sanctions, Risks, Damages, and How to Prevent an Attack

Ransomware is malicious software that is designed to prevent access to a computer network or to data through encryption, in order to extort ransom payments from victims in exchange for decrypting the data and restoring network access to the victim organization. Ransomware attacks can cripple an organization by halting operations, shutting down computer systems, and disconnecting networks. The Federal Bureau of Investigation (FBI) reported that ransomware attacks increased 37% from 2018 to 2019, while losses increased at an alarming rate of 147% during the same period. The antivirus software firm Emsisoft reported that the average ransomware demand has increased from $5,000 in 2018 to $200,000 this year.

Sanctions

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on October 1, 2020 to inform the public about the risks of sanctions associated with payments of ransom to cyber actors. Ransom payments could possibly violate the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA). Demand for ransomware payments has increased significantly due to the COVID-19 pandemic, which allows criminals to profit and advance their illicit activities. Funding ransomware demands may also enable cyber criminals to perpetrate activities that threaten our national security and foreign policy objectives. U.S. persons are prohibited from participating in transactions with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List) and those covered by country or regional embargos such as Cuba, , Ukraine, and Syria. Violations under these regulations create cause for OFAC sanctions, which include civil penalties that may exceed $1 million.

OFAC indicated within the advisory that they would be enforcing sanctions against organizations that paid ransoms to criminals included on the SDN List or from an embargoed jurisdiction. The most recent individuals, organizations, and jurisdictions added to the designation list include –

• Evgeniy Mikhailovich Bogachev, developer of Cryptolocker, an early ransomware that infected more than 234,000 computers, half of which were in the U.S.
• Two Iranian nationals behind SamSam, the ransomware that crippled the City of Atlanta in 2018
• Lazarus Group, sponsored by the North Korean government and responsible for the WannaCry attacks that shut down computers worldwide
• Evil Corp, a Russian criminal gang that used malware to steal $70 million from U.S. and European banks

Sanctions are levied using the “strict liability” principle, meaning that an organization can be sanctioned even if it was not aware that it was engaging in a transaction with a cybercriminal prohibited under OFAC laws and regulations. The sanctions also apply to organizations that help the victim entities recover from a cyberattack, including cyber insurance firms, financial institutions, and digital forensic and incident response firms. Sanctions can be severe if the ransomware attack is not reported to law enforcement in a timely manner. Cooperation with law enforcement’s investigation efforts is a significant mitigating factor during OFAC’s evaluation of a possible enforcement outcome. Other factors include the willfulness or recklessness of the violation, awareness of the conduct at issue, harm to sanctions program objectives, and remediation efforts.

Healthcare Ransomware Risks

Cyberattacks targeting healthcare organizations have increased 150% in 2020 according to a report by C5 Alliance. Recent attacks on healthcare organizations have prompted a warning from U.S. law enforcement agencies. On October 28, 2020, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS). The advisory stated that healthcare and public health sector organizations are being targeted by cybercriminals who infect systems for financial gain. CISA, the FBI, and HHS have credible information about an increased and imminent threat to U.S. hospitals and healthcare providers. Attacks on healthcare organizations are threat-to-life crimes because they can affect a healthcare provider’s ability to provide patient care.

In October 2020, several hospital systems in Vermont and New York were attacked by a strain of ransomware called Ryuk, which has been linked to a Russian cybercriminal gang sometimes referred to as UNC 1878 or Wizard Spider. Ryuk is delivered using a botnet known as Trickbot. Three other hospital chains in Oregon, Michigan, and Wisconsin have also been attacked by the same ransomware. Universal Health Services’ facilities were attacked by Ryuk, which affected all of its 250 hospitals and clinics, crippling digital services and impacting patient care.

Healthcare organizations are at increased risks for ransomware for the following reasons –

• Large number of patient records – On average, over 7,200 patient records are impacted during a ransomware attack. These records can be traded and sold on the dark web to criminals who are seeking to commit identity theft or to extort funds or information from individuals.
• More likely to pay to recover data – Ransom demands are usually cheaper than efforts to recover data held hostage. Healthcare organizations are often unprepared for cyberattacks and are left with no option to recover data except to pay the ransom. The sense of urgency is increased by the sensitive nature of patient data. These factors play to the cyber attacker and make it more likely that the healthcare organization will pay the ransom demand.
• Less sophisticated IT departments and controls in place to protect data – Small to midsize healthcare organizations often operate with less sophisticated data security protections and lack the corrective action plans and resources needed to respond to cyberattacks and recover from an attack successfully.
• Fewer resources to invest in cyber protection – Nonprofit and public healthcare organizations operate on lean budgets, which may restrict the resources that can be invested in data security measures and controls. Based on a survey by Keeper Security, a full 90% of healthcare organizations dedicate less than 20% of their IT budget to cybersecurity.
• Complexity of networks and systems – Healthcare organizations are complex organizations where a broad range of technology, internet of medical things, operational technology, and internet of things devices are interconnected.
• Endless devices connected to networks – Healthcare networks include a wide array of endpoints, ranging from computer systems, surgical equipment, and telemedicine platforms to medical sensors and infusion pumps. Healthcare organizations contain an average of 20,000 devices.

Payments of ransom perpetuate the crime and embolden criminals to continue their activities. Unfortunately, paying the ransom is often the fastest and least expensive way to recover your data if your organization did not have the proper data security measures in place to protect the system. Many organizations assume that paying the ransom will resolve the problem. However, this rarely results in the desired outcome. Reports from federal law enforcement agencies indicate that less than 30% of organizations that pay the ransom recover access to their data and network systems. Cybercriminals want money, not data. However, most will not decrypt data since it might lead investigators back to them.

Ransomware Attack Damages

Malware can enter a network in a variety of ways, but the most common method is through emails that contain embedded links or attachments. On average, employees receive over 120 emails daily, and all it takes is one opened attachment to compromise an entire network.

Ransomware attacks can cause damage in a variety of ways, including –

• Loss of reputation – Patients depend on providers to protect their sensitive health information and their lives via connected health devices. When that health information is compromised, the trust has been broken.
• Downtime that leads to lost revenues – Cyberattack victims spend time and resources trying to recover from an attack instead of focusing on patient care.
• Threats to the lives of patients – If the data being held hostage involves sick or dying patients, the cyberattack may threaten the lives of those patients.
• Loss of sensitive patient data – Health information related to chronic illnesses and diseases, as well as personally identifiable information, may be lost if the data has not been backed up or is not recovered.
• Delayed patient care – Urgent patient care is sometimes delayed until paper records can be obtained in place of digital records or until patient records are recovered from a backup or from the cybercriminal.
• Ambulatory care reroutes – Network and system application compromises may render an emergency department inoperable, requiring ambulatory cases to be rerouted to other hospitals. The other hospital may be further away or may not have facilities to care for specific patient needs, which can result in patient deaths.
• Cancelled appointments – If networks and systems are compromised, patient records cannot be accessed during scheduled appointments. Therefore, appointments end up being cancelled.
• Referral of patients to other facilities to receive timely care – Cancer patients or terminally ill patients may need to be referred to other healthcare facilities to receive lifesaving treatments.
• Stress and anxiety for management – The pressure of recovering data lost during a cyberattack puts a strain on management and reduces the resources needed for effective management of the healthcare entity’s actual patient care objectives.
• Weeks to months of time to recover – Recovery from the cyberattack may take weeks, months, or even years to complete. The forensic investigation will help to determine the extent of the breach and the methods required to recover. If regular backups are available, recovery time may be significantly reduced.
• Hundreds of thousands to millions of dollars to recover from an attack – Cyberattacks are very costly. Patients will need to be notified that their sensitive health information has been breached. Forensic investigators will need to be hired to determine the extent of the breach. Legal representation will assist with reporting requirements to law enforcement, patients, and others. Lost revenues from damage to reputation may last for years if the organization survives the cyberattack. Some organizations cannot afford to recover from a breach.
• Forcing providers to use pen and paper to document and administer health services – Healthcare providers may be forced to use pen and paper to administer health services, which slows down processes, leads to errors, and reduces patient care effectiveness.

How to Prevent an Attack and Protect Your Organization

The best way to prevent ransomware attacks is to be prepared. Healthcare organizations can strengthen defenses, protect their systems and networks, patient data, and their operations by implementing some key safety protocols, including –

• Implement policies and procedures – Improve cyber defense by creating, documenting, and implementing information security policies and procedures. Communicate the policies to employees and business partners.
• Perform a risk assessment – Perform a risk assessment to identify specific cyber security risks and mitigation strategies.
• Implement a backup and encryption strategy – Regularly back up critical data in multiple versions with different recovery points and at different locations. An effective guideline is the “3-2-1 rule”, meaning keep three separate backups, on two different media, with one backup offsite. Consider a cloud storage option as part of the “3-2-1 rule” strategy, but do not use it as the sole method of backup. Ensure that all patient records and systems are encrypted both at rest and in transit. All backups should be encrypted as well.
• Firewalls – Confirm that security systems and firewalls are appropriately configured and working properly. Limit traffic available directly from the internet.
• Latest version of software – Ensure that all key applications, databases, and servers are running the latest versions of software and apply any patches for those that are not. In May 2017, the WannaCry ransomware infected millions of devices by abusing a vulnerability that had been identified by , for which a patch had been issued two months prior to the mass attack. Organizations did not apply the patch, which would have protected them from a WannaCry infection.
• Segregated zones – Adopt network and device segmentation that requires well-defined trust zones based on device identity, risk profiles, and compliance requirements, to ensure effectiveness and reduce attack surfaces and the blast radius.
• Virtual Private Network (VPN) – More employees are working from remote locations due to the pandemic. Ensure that they are using a secure VPN service to access systems during remote sessions.
• Train staff – Continuously train staff on how to identify phishing emails and the proper method for disposing of those emails or reporting them to the IT security teams. Providing annual security training is not sufficient to ensure that employees are mindful of phishing attacks.
• Scan inbound email – Review inbound emails to identify malicious code and flag activity that may lead to malicious sites.
• Restrict access to applications and devices – To maximize system security, restrict access to certain areas of the network and applications based on roles and responsibilities.
• Anti-malware and anti-virus – Install effective anti-malware and anti-virus software to identify and prevent known threats from entering the network. Ensure that definitions are kept up to date.
• Intrusion detection software – Deploy intrusion detection software to quickly identify how and when the system has been compromised and to monitor changes made to the system or data.
• Penetration and vulnerability testing – Engage an external third party to perform penetration and vulnerability testing to identify any security gaps and vulnerabilities. Then, develop remediation plans to address the gaps and vulnerabilities to further reduce the risk of a cyberattack.
• Develop an incident response plan – Create a comprehensive incident response plan that identifies the specific steps that the organization will take in the event of a cyberattack.
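The “scan inbound email” control above is the one that meets the most common entry vector described earlier (one opened attachment or link in one of the 120 daily emails). The following is an added example, not code from the original article or from any product it mentions, of the kind of triage logic a mail gateway applies before delivery. It uses only the Python standard library; the deny-lists of attachment types, the “bare IP link” and “Reply-To mismatch” heuristics, and the sample messages are constructed assumptions for illustration, not a vendor’s rule set.

```python
"""Inbound e-mail triage: flag risky attachments, deceptive links and sender
anomalies before a message reaches a mailbox.  Added example using only the
Python standard library; the deny-lists and heuristics are assumptions."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed deny-list of attachment types that commonly act as ransomware droppers.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".lnk", ".iso", ".img"}
# Office formats that can carry macros; worth detonating in a sandbox rather than blocking outright.
MACRO_CAPABLE = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm"}
# Archives can wrap any of the above and need inspection of their contents.
ARCHIVES = {".zip", ".rar", ".7z"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def _suffixes(filename):
    """All dot-suffixes of a file name, lower-cased: 'Invoice.PDF.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def _domain(addr_header):
    """Domain part of an address header such as 'Name <user@host>' ('' if absent)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def scan_message(raw: bytes) -> dict:
    """Return a verdict ('deliver' or 'quarantine') and the list of findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Attachments: executable types, macro documents, archives, double extensions.
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        sfx = _suffixes(name)
        last = sfx[-1] if sfx else ""
        if last in RISKY_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
        elif last in MACRO_CAPABLE:
            findings.append(f"macro-capable document: {name}")
        elif last in ARCHIVES:
            findings.append(f"archive attachment needs inspection: {name}")
        if len(sfx) > 1 and last in RISKY_EXTENSIONS:
            findings.append(f"double extension hides true type: {name}")

    # 2. Links in the HTML body: displayed URL vs. real target, and raw IP targets.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in ANCHOR_RE.findall(html.get_content()):
            target_host = urlparse(href).hostname or ""
            shown = URL_RE.search(text)
            if shown and (urlparse(shown.group(0)).hostname or "") != target_host:
                findings.append(f"link text does not match target: {shown.group(0)} -> {href}")
            if IPV4_RE.fullmatch(target_host):
                findings.append(f"link to bare IP address: {href}")

    # 3. Sender consistency: Reply-To pointing at a different domain than From.
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    return {"verdict": "quarantine" if findings else "deliver", "findings": findings}


def build_sample(malicious: bool) -> bytes:
    """Constructed test message (not a real capture); addresses use reserved .test domains."""
    m = EmailMessage()
    m["From"] = "Accounts <billing@example-vendor.test>"
    m["To"] = "ap@hospital.test"
    m["Subject"] = "Overdue invoice"
    m.set_content("Please see the attached invoice.")
    if malicious:
        m["Reply-To"] = "collections@example-other.test"
        m.add_alternative(
            '<p>Pay at <a href="http://198.51.100.23/login">https://portal.example-vendor.test/pay</a></p>',
            subtype="html")
        m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                         filename="invoice.pdf.exe")
    else:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                         filename="invoice.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(scan_message(build_sample(flag)))
```

The constructed malicious sample trips five findings (executable attachment, double extension, link text/target mismatch, bare IP target, and Reply-To domain mismatch) and is quarantined; the benign PDF invoice passes with no findings. In a real gateway the same checks feed a quarantine queue and an alert to the IT security team, which is where the staff-reporting step in the training item above lands.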

Ransomware attacks can happen to any organization. The best way to mitigate the risk of a cyberattack is to be prepared by establishing policies, securing the network, and making plans to limit exposure and minimize the impacts of ransomware on your operations and the patients your organization serves. Healthcare organizations must continually evolve their cybersecurity processes and procedures to protect patient data and reduce the risks of a cyberattack.