
Ransomware in Healthcare Psychology, Anatomy & Prevention

A ClearDATA Security & Compliance eBook

Ransomware in Healthcare: Attacks Are On The Rise! Psychology, Anatomy & Prevention

Ransomware attacks are rapidly becoming one of the fastest growing […], and healthcare is a prime target. The growth of Ransomware is due both to the psychology of the method and the sophistication of the attack.

This eBook provides valuable insight that includes:
• Attacks Are on the Rise
• The Psychology of Ransomware
• Tools of the Trade
• The Anatomy of an Attack
• Recovery Strategies
• Prevention Strategies

[Chart: Volume of Ransomware Attacks]

The potential damage to your reputation, particularly in healthcare, may outweigh the financial cost.

2 Attacks Are Costly: Over $325M In 2015

Even though the average ransom demand is relatively low, the volume of attacks, plus the rate of payment, make the attacks costly for you and lucrative for cybercriminals.


3 The Cybercriminal Spectrum

RECREATIONAL
• Fame and notoriety
• Limited tech resources

CRIMINAL
• Vandalism
• Limited tech capabilities
• Known exploits

HACKTIVIST
• Statement
• Relentless
• Emotionally committed
• Targeted attacks

ORGANIZED CRIME
• Economic gain
• Significant technical capability
• Established syndicates
• Vast networks
• A lot of spamming/…
• Prominent in ransomware

STATE SPONSORED
• Cyberwar, state secrets, industrial espionage
• Highly sophisticated
• Nearly unlimited resources
• […], IP theft
• Advanced persistent threats

Most Ransomware attacks are initiated by organized crime. The motive is money. If the ransom is paid, your data will most likely be restored. But you will be open to future attacks.

4 The Psychology of Ransomware: Less Risk, More Reward

• Easy to buy and use the tools
• Profit is predictable
• Less risk: no direct contact or sale of data
• Don’t have to find a data buyer
• Can be automated globally
• Less trackable using […]

The psychology of a ransomware attack is somewhat similar to any ransom demand. Can you trust a criminal? But there is a significant difference.

The use of ransomware by organized crime is a for-profit business. Because it is a […], attacks are easy to initiate and don’t require complicated logistics. There is even a certain level of “customer service” provided, such as FAQ pages.

Also, it is usually in the criminal’s interest to restore your data after a ransom is paid. It keeps their “brand reputation” intact for the next attack.

Ransomware screens can be intimidating or transactional – like you are simply buying a key.

5 Tools of the Trade: Top Ransomware Tools

• CryptoWall
• Locky
• TorrentLocker
• CTB-Locker
• TeslaCrypt
• Samsam
• CrypVault
• PayCrypt

Easy to Acquire
• Ransomware tools are easily purchased from a variety of torrent sites

Gaining Sophistication
• Inflicted unwanted […] on files stored locally to a machine
• Now fully able to traverse network drives, SANs and NASes, UNC paths
• Encrypts anything it can touch and access with the level of permissions granted to the user account under which the […] is executing.

Recent Attacks: https://ransomwaretracker.abuse.ch/tracker

6 Anatomy of an Attack

1 The Bait
• Typically comes as an email attachment
• Such as: Invoice, shipment tracking document, etc.
• Often very generic, but could include a real vendor name or even your company name.

2 The Infection
• User’s machine typically connected to network, shared cloud services, etc.
• Once open, ransomware silently begins encrypting all of the files it can, without any user interaction or notification.

3 Ransom Notice
• Once done, it alerts the user and provides payment instructions.
• Payment is usually in […]
• Some even provide “Customer Service” info.

4 Pay or Restore
• Critical choices:
  - Pay ransom
  - Restore from backup
• Paying ransom increases risk of future attacks
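The infection step above is the one a defender can still catch in progress: a process that has just been launched from a mailed attachment starts renaming or overwriting every document it can reach, far faster than any user does. The following is an added example for this page, not ClearDATA's code or tooling. It replays a constructed file-activity log (the kind Sysmon FileCreate events, auditd or an EDR sensor produce) and raises an alert when one process touches an unusual number of distinct files inside a short window, or when it modifies a planted decoy ("canary") document. The share paths, process names, window size and threshold are all assumptions for the demonstration.

```python
"""Behavioural detector for the silent-encryption phase of a ransomware infection.
Added example for this page; it is not ClearDATA's code or tooling.
It replays a constructed file-activity log and raises two kinds of alert:
  * burst  - one process renamed/overwrote many distinct files in a short window
  * canary - a decoy file that no legitimate workflow touches was modified
Paths, process names, window size and threshold are all assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float       # seconds since epoch (constructed)
    process: str    # image name reported by the sensor
    action: str     # "write" or "rename"
    path: str       # file affected, as it was named before the action


# Decoy documents planted on a share; assumed names, chosen to sort first so
# a tree walk reaches them early.
CANARY_PATHS = {r"\\fileserver\shares\finance\~aaa_do_not_open.docx"}


def detect(events, window_s=10.0, file_threshold=20):
    """Return [(kind, process, detail)] alerts for a list of FileEvent.

    'burst' fires once per process, the first time it has touched at least
    file_threshold distinct files inside any window_s-second interval;
    'canary' fires on every event that hits a decoy path."""
    alerts = []
    recent = defaultdict(deque)     # process -> deque of (ts, path) inside the window
    bursting = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.path in CANARY_PATHS:
            alerts.append(("canary", ev.process, ev.path))
        q = recent[ev.process]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window_s:   # drop events that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= file_threshold and ev.process not in bursting:
            bursting.add(ev.process)
            alerts.append(("burst", ev.process,
                           f"{len(distinct)} files in {window_s:g}s"))
    return alerts


def sample_events():
    """Constructed log: a normal editing session, then a process launched from
    a mailed attachment rewriting 25 spreadsheets in under three seconds."""
    share = r"\\fileserver\shares\finance"
    events = [FileEvent(1000.0 + 20 * i, "WINWORD.EXE", "write",
                        rf"{share}\report{i}.docx") for i in range(3)]
    bad = "invoice_tracking.pdf.exe"    # double extension, invisible when extensions are hidden
    events += [FileEvent(1100.0 + 0.1 * i, bad, "rename",
                         rf"{share}\claim{i}.xlsx") for i in range(24)]
    events.append(FileEvent(1102.5, bad, "rename", next(iter(CANARY_PATHS))))
    return events


if __name__ == "__main__":
    for kind, proc, detail in detect(sample_events()):
        print(f"ALERT {kind:6} {proc}: {detail}")
```

The editor session never trips either rule, while the attachment process produces a burst alert on its twentieth file and a canary alert when it reaches the decoy. In production the threshold and window are tuned per share from a baseline of normal activity, and the alert should feed the isolation step from the recovery slide (pull the host off the network) rather than just a ticket.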

7 How Does Ransomware Spread?

Email: Emailing it to huge numbers of people, targeting particularly the US and UK

External Storage: Mapped drives, Thumb drives, Dropbox, Box, USB drives, storage shares

Browser Exploit: Browser exploit kits, drive-by downloads

Remote Desktop Protocol: RDP ports that have been left open to the Internet

Backdoor Download: May come on its own (often by email) or by way of a […] or downloader, brought along as an additional component

Torrent Files: TorrentLocker’s authors have been both nimble and persistent

8 What Happens When You Are Infected?

There are three methods, depending on the particular ransomware infection:
• Files or Systems Locked
• Files Encrypted
• Files Threatened With Destruction (DELETE)

Once infected, there are only two choices:

Pay Ransom: Files will most likely be restored, but you will become a prime target for future attacks.

Do Not Pay: This is the best strategy if you are confident in having thorough, isolated backups.

9 Recovery Strategies: Process Steps

ENGAGE INCIDENT RESPONSE
• Notify your Info Security Team
• Notify authorities and regulatory bodies
• ID Recovery Time & Point Objectives
• Preserve evidence
• Engage your legal team ASAP

ISOLATE THE DEVICE
• Remove the impacted system from the network and remove the threat
• Best done with the system off the networks to prevent any potential spread of the threat.

ATTEMPT DATA RECOVERY
• Restore any impacted files from a known good backup.
• Restoration of your files from a backup is the fastest way to regain access to your data.
• Requires confidence in integrity of backup
• Requires a reliable destination
• May take some time

HYBRID RECOVERY
• Stall for time by trying to negotiate
• In meantime work on recovery from a backup
• Requires confidence in integrity of backup

START OVER
• Dispose of all infected devices
• Rebuild from scratch
• Expensive and time consuming
• History lost

10 Applying Defense In Depth: Defense In Depth & Breadth

DEFENSE IN DEPTH: Applied at each layer to appropriate level
DEFENSE IN BREADTH: Applied across each use case at appropriate level

[Diagram: layers Physical Infrastructure, System Security, Data & […]; Multi-level Security (User, Process, Device); labelled REDUCE ATTACK SURFACES; DEPLOY CRYPTO KEYS (Air-tight & properly configured); CREATE SECURE PEOPLE, PROCESSES & SYSTEMS]

11 Applying Defense In Depth: Five Prevention Strategies

BACKUP & DISASTER RECOVERY
• Employ a comprehensive and regular scheme
• Identify your recovery time and recovery point objectives
• Be sure backups are isolated from live data sources
• Perform regular data integrity tests

EMAIL SECURITY TRAINING
• Conduct regular security training
• Emphasize common phishing schemes and current threats

SETTINGS & ACCESS CONTROL
• Show hidden file-extensions
• Disable files running from AppData/LocalAppData folders
  - %APPDATA%
  - %TEMP%
• Disable RDP
• Limit end user access to mapped drives
• Install and block Tor, I2P and restrict to specific ports

ANTIVIRUS MANAGEMENT
• Up-to-date antivirus is essential

PATCHES & UPDATES • Keep current on OS patches and Software updates

SECURITY RISK ASSESSMENT • Consider regular security risk assessments beyond HIPAA requirements
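Both the recovery slide ("requires confidence in integrity of backup") and the backup strategy above ("perform regular data integrity tests", "be sure backups are isolated") turn on the same question: can you prove, before you need it, that a backup copy is still the data you wrote and is recent enough for your recovery point objective? The following is an added example for this page, not ClearDATA's tooling. It records a SHA-256 manifest when the backup is taken, re-hashes the copy later, and reports changed, missing and unexpected files along with whether the backup age is inside the RPO. The directory layout, file names and timestamps are constructed for the demonstration and the sample tree is built in a temporary directory.

```python
"""Backup integrity test: manifest at backup time, verification later.
Added example for this page; not ClearDATA's tooling. Works on any
directory tree; demo() builds a constructed tree in a temp directory."""
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, taken_at: float) -> dict:
    """Map every file under root (relative, '/'-separated) to its digest.
    Store the result somewhere the backup host cannot write to; a manifest
    kept beside the copy is encrypted together with it."""
    files = {str(p.relative_to(root)).replace(os.sep, "/"): _sha256(p)
             for p in root.rglob("*") if p.is_file()}
    return {"taken_at": taken_at, "files": files}


def verify_backup(root: Path, manifest: dict, rpo_seconds: float, now: float) -> dict:
    """Re-hash the copy and compare it with the manifest recorded at backup time."""
    current = build_manifest(root, now)["files"]
    expected = manifest["files"]
    report = {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "unexpected": sorted(p for p in current if p not in expected),   # e.g. a dropped ransom note
        "age_seconds": now - manifest["taken_at"],
    }
    report["rpo_met"] = report["age_seconds"] <= rpo_seconds
    report["ok"] = report["rpo_met"] and not (
        report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo() -> tuple:
    """Constructed scenario: take a backup and verify it clean, then simulate a
    copy that stayed reachable from the live network and was encrypted."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "records").mkdir()
        (root / "records" / "patient_roster.csv").write_text("id,name\n1,constructed\n")
        (root / "records" / "schedule.ics").write_text("BEGIN:VCALENDAR\nEND:VCALENDAR\n")
        t0 = 1_700_000_000.0                         # constructed backup time
        manifest = build_manifest(root, t0)
        clean = verify_backup(root, manifest, rpo_seconds=86400, now=t0 + 3600)
        # Tamper: one file overwritten with ciphertext, one ransom note added.
        (root / "records" / "patient_roster.csv").write_bytes(b"\x00constructed-ciphertext")
        (root / "records" / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note")
        tampered = verify_backup(root, manifest, rpo_seconds=86400, now=t0 + 2 * 86400)
        return clean, tampered


if __name__ == "__main__":
    for label, rep in zip(("clean", "tampered"), demo()):
        print(label, rep)
```

The "unexpected" list matters as much as "modified": a backup volume that picked up files it never contained was writable from the live environment, which is exactly the isolation failure the slide warns about. Run the verification from a host that only has read access to the copy, and schedule it so a missed RPO is noticed before an incident rather than during one.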
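The "Settings & Access Control" items above are cheap to apply and just as cheap to drift away from, so they belong in a recurring compliance check rather than a one-time build step. The following is an added example for this page, not ClearDATA code. The evaluation logic is platform-neutral and works on a plain dictionary, so it can be unit-tested anywhere; collect_windows() reads the live values on a Windows endpoint through the standard registry locations for the "show file extensions" (HideFileExt), "Remote Desktop" (fDenyTSConnections) and Software Restriction Policy "Disallowed" path rules. The pass conditions are this example's interpretation of the slide's bullets, and the SRP lookup assumes machine-scope policy under HKLM (user-scope rules under HKCU are not read).

```python
"""Endpoint hardening check for the ransomware settings listed on this slide.
Added example, not ClearDATA code. evaluate() works on a dict so it runs and
tests anywhere; collect_windows() needs Windows and reads the live registry."""


def _covers(rules, needed):
    """True when every needed token (e.g. %APPDATA%) appears in some rule path."""
    upper = [r.upper() for r in rules]
    return all(any(n in r for r in upper) for n in needed)


# name -> (description, predicate over the collected settings dict)
CHECKS = {
    "show_file_extensions": (
        "HideFileExt must be 0 so 'invoice.pdf.exe' is not displayed as 'invoice.pdf'",
        lambda s: s.get("HideFileExt") == 0),
    "rdp_disabled": (
        "fDenyTSConnections must be 1 (Remote Desktop connections refused)",
        lambda s: s.get("fDenyTSConnections") == 1),
    "appdata_exec_blocked": (
        "a Software Restriction Policy 'Disallowed' path rule must cover %APPDATA% and %TEMP%",
        lambda s: _covers(s.get("srp_disallowed_paths", []), ("%APPDATA%", "%TEMP%"))),
}


def evaluate(settings: dict) -> list:
    """Return [(check_name, passed, description)] for every check in CHECKS."""
    return [(name, bool(cond(settings)), desc) for name, (desc, cond) in CHECKS.items()]


def collect_windows() -> dict:
    """Read the live values on Windows. Registry paths are the standard ones for
    these settings; SRP level key '0' is the 'Disallowed' level (assumed HKLM scope)."""
    import winreg

    def read(hive, key, value):
        try:
            with winreg.OpenKey(hive, key) as k:
                return winreg.QueryValueEx(k, value)[0]
        except OSError:
            return None

    s = {
        "HideFileExt": read(winreg.HKEY_CURRENT_USER,
                            r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
                            "HideFileExt"),
        "fDenyTSConnections": read(winreg.HKEY_LOCAL_MACHINE,
                                   r"SYSTEM\CurrentControlSet\Control\Terminal Server",
                                   "fDenyTSConnections"),
    }
    paths = []
    base = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as k:
            i = 0
            while True:                      # EnumKey raises OSError past the last subkey
                sub = winreg.EnumKey(k, i)
                i += 1
                item = read(winreg.HKEY_LOCAL_MACHINE, base + "\\" + sub, "ItemData")
                if item:
                    paths.append(item)
    except OSError:
        pass
    s["srp_disallowed_paths"] = paths
    return s


# Constructed states for a demonstration run: a default Windows install
# versus an endpoint with the slide's settings applied.
DEFAULT_STATE = {"HideFileExt": 1, "fDenyTSConnections": 0, "srp_disallowed_paths": []}
HARDENED_STATE = {"HideFileExt": 0, "fDenyTSConnections": 1,
                  "srp_disallowed_paths": [r"%AppData%\*.exe", r"%AppData%\*\*.exe",
                                           r"%Temp%\*.exe"]}


if __name__ == "__main__":
    import sys
    state = collect_windows() if sys.platform == "win32" else DEFAULT_STATE
    for name, ok, desc in evaluate(state):
        print(f"{'PASS' if ok else 'FAIL'} {name}: {desc}")
```

Run it from the endpoint management tool of your choice and treat any FAIL as a drift finding; the first check is the one that makes the bait on slide 6 visible to the user, the second closes the RDP exposure on slide 7, and the third stops the attachment from executing from the folders the slide names even when a user opens it.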

12 Additional Resources

Visit our Knowledge Hub at www.cleardata.com/knowledge-hub/ for the latest thought leadership on security and compliance for healthcare cloud computing.

The Premier Healthcare Managed Cloud Company

ClearDATA is the nation’s only healthcare-exclusive cloud computing company. As the premier healthcare managed cloud company, our solutions are positioned to solve the three fundamental challenges facing HIT:
• Modernize the Infrastructure
• Secure & Protect Patient Data
• Improve Data Interoperability

Our intimate knowledge of healthcare data workflow, security and compliance is a key differentiator. Our “just right” solutions for enterprise healthcare as well as individual private practice provide flexible options that fit your customer’s budget.

www.cleardata.com

WHITEPAPERS
Suggested Titles:
• Defense in Depth: A Pragmatic Approach to Securing PHI in the Cloud
• Developing a Secure, HIPAA Compliant Roadmap to the Public Cloud
• Best Practices in Cloud Computing for the Healthcare Industry
• 7 Myths of Healthcare Cloud Security Debunked
• Five Ways Technology Vendors Put Protected Health Information At Risk

ON-DEMAND WEBINARS
Suggested Titles:
• 5 Ways to Protect Your Healthcare Organization from a Ransomware Attack
• The Anatomy of a Healthcare Data Breach
• Healthcare IT In the Cloud: Predicting Threats, Protecting PHI
• Developing a Secure, HIPAA Compliant Roadmap to the Public Cloud
