Ransomware basics
Ransomware is a serious form of cyber extortion that employs malware to prevent users from accessing their systems or data, either by locking the system or encrypting critical files until a ransom is paid. The hacker holds the key to unlock the system and usually demands payment in cryptocurrency.
Ransomware has been a known cyber threat vector for over a decade. In recent years, hackers have embraced increasingly sophisticated methods to exploit vulnerabilities and introduce ransomware into systems. They have also expanded the scope of impact by targeting enterprise-wide systems and databases, crippling many companies across industry sectors, including healthcare. Recently, the Federal Bureau of Investigation (FBI), U.S. Department of Health and Human Services (HHS) and the Federal Cybersecurity and Infrastructure Security Agency (CISA) released a report calling attention to the rampant ransomware activity targeting the healthcare sector.
Lessons learned from impact in healthcare
Ransomware affects companies of all shapes and sizes across all industry segments, but there have been several high-profile cases where healthcare companies were infected by ransomware and held hostage for millions of dollars in ransom. These companies were temporarily forced to shut down operations, turn away patients, and attempt to work on paper-based records. Ransomware is uniquely problematic in healthcare settings where disruption of IT systems can directly harm patient safety.
The human factor
Human error is still one of the primary reasons ransomware infects systems.
Ransomware attacks typically begin by phishing or spoofing, fooling users into downloading malware by opening infected emails, clicking on attachments, or visiting illegitimate webpages. Hackers similarly entice users to click on catchy banner ads that may appear legitimate, but actually trigger a download of ransomware. One predominant example of ransomware is called “Ryuk” and you can read about how it works here.
Requested ransom has been known to vary greatly, and can increase dramatically depending on the target and sensitivity of the systems or files that have been encrypted.
What can you do to protect against ransomware?
In the past, ransomware focused on localized attacks like locking down a target’s keyboard or computer, but more recently hackers have expanded to encrypting enterprise-wide networks and file shares, rather than individual endpoint devices.
Key mitigation activities may include:
-
Employ reputable antivirus software and strong firewall. A company should maintain a strong firewall, and keep its security software patched and updated at all times. This prevents ransomware from entering the system. Companies should also use strong next generation antivirus software, which regularly scans the networks for signature-based malware as well as uses behavioral analysis to ferret out ransomware.
-
Back up often. A company should regularly back up files to minimize risk of data loss. This reduces the impact of ransomware, as impacted systems can be disconnected, shut down, wiped and restored using backups.
-
Enable website popup blockers. Popups are a prime tactic used to conduct ransomware attacks. Company web browsers are configured to prevent popups by default. Company personnel should also be trained on phishing and malware prevention.
-
Enable proxy blocking. A company should set website filtering rules to block website software and access to certain domains. Proxy blocking also has the ability to block downloadable content from websites. This approach prevents users from inadvertently visiting malicious website or downloading malicious files.
-
Limiting file sharing. A company’s sensitive data should be segregated from its organizational and operational data. Sharing of sensitive data has been restricted to the highly secure production environment.
-
Patching and installing the latest versions of critical software: Companies should apply security patches on an ongoing basis, which can significantly reduce vulnerability and blunt the impact of ransomware.
-
Employ secure Internet and email practices. Organizations should block certain file extensions sent by email, especially executable files like .exe, .js, and .wsf. They should also scan contents of certain compressed files like .zip files. Users can be trained not to click on links inside suspicious emails and to avoid visiting suspicious websites.
-
Conduct ongoing security training. A business should routinely train its personnel on malware, hacking threats, and best cybersecurity practices. Employees should be trained to be cautious with emails and requests for personal data (especially login information). Personnel should also be careful when opening email attachments or clicking on links in emails, no matter the sender, and should check that the website they are visiting is secure (look for a URL that starts with https://”—”s” for security—rather than just http://).
What do you do if you suspect a system is infected with ransomware?
-
First, report the suspicious activity to the Legal Department and IT security.
-
Follow incident response policies and procedures.
-
If possible, disconnect from the internet immediately to reduce the risk of the hacker remaining in the system, spread of the ransomware in the network, and exfiltration of sensitive data.
-
Shut down the computers or servers that have been infected.
-
Do NOT negotiate or pay the ransom amount. This should be determined by your organization’s leadership in consultation with legal counsel, law enforcement, and its insurance company.
-
Cooperate fully in any follow up investigations conducted by the company as well as government agencies like the FBI Cybersecurity Task Force.