From pirates to mobsters to petty criminals, kidnapping for ransom is nothing new. We’re all familiar with the process – a person is abducted, the abductor demands a ransom, the ransom is paid, and then the person is released.
Now this age-old form of extortion has evolved into the technological world as ransomware.
Ransomware criminals employ the same principles as their predecessors but with a twist: the kidnappee is data.
The kidnapper in this scenario is crypto ransomware, a malware variant programmed to encrypt and lock data. After a company’s records are locked, the infected computer displays a note that demands ransom.
The perpetrator will only unlock the files once the ransom has been paid in full.
Ransomware in Healthcare
The healthcare industry in particular has been struck by a recent spate of ransomware attacks.
With few exceptions, the companies are reluctant to release specific details, leaving the investigating to the FBI.
UMASS Memorial Medical Center
An employee at UMass Memorial Medical Center in Worcester opened an email laced with ransomware last fall, resulting in dozens of locked hospital files on several different computers.
A ransom note was promptly displayed on the hospital monitors.
The hospital chose not to pay ransom, removing all of the encrypted files instead.
Security professionals later restored the system with backup files.
In response, Chief Information Security Officer Bruce Forman outlined his plan to install advanced persistent threat (APT) detection software that identifies malware based on its behavior.
Hollywood Presbyterian Medical Center
On February 5, 2016, hackers locked patient files at Hollywood Presbyterian Medical Center and demanded ransom for access.
The hospital opted to shell out 40 bitcoins – approximately $17,000 – for the encryption key before calling the FBI.
The hospital was offline for over a week.
Emergency room systems and the computers used for CT scans, lab work and pharmacy needs were all affected by the attack.
Some emergency (911) patients were even sent to other hospitals.
The International Business Times later reported that a group of Turkish hackers had claimed responsibility for the attack via the text-sharing site Pastebin, threatening more attacks as long as the U.S. supports Kurdish rebels.
The claim is unverified, however.
Prime Healthcare Management
The Los Angeles Times reported ransomware attacks on March 27, 2016 at two Prime Healthcare Management, Inc. hospitals: Chino Valley Medical Center in Chino, CA, and Desert Valley Hospital in Victorville.
Spokesperson Fred Ortega said the attacks were “immediately addressed and contained,” and no ransom was paid.
The FBI is still investigating.
A third Prime Healthcare facility, the 306-bed Alvarado Hospital in San Diego, was also infected by a crypto virus on March 31, 2016.
On March 28, 2016, Columbia, MD-based provider MedStar Health shut down its database and email after a viral attack.
The provider operates 10 hospitals, serves hundreds of thousands of patients, and has over 30,000 employees.
MedStar Health claims no information was stolen and has not labeled the culprit as ransomware, but The Washington Post reported that it received a screenshot of a ransom demand for 45 bitcoins – roughly $19,000 – from a MedStar employee.
The shutdown forced staff to go old-fashioned, relying on paper charts and records. Appointments and surgeries were also delayed.
Other healthcare organizations targeted by ransomware attacks since February 2016 include the Los Angeles Health Department, Ottawa Hospital in Canada, Methodist Hospital in Henderson, Kentucky, and King’s Daughters’ Health in Madison, Indiana.
In each case, spokespeople reported the systems were shut down, but later restored with back-up files.
Why is healthcare a target?
In general, ransomware attacks are becoming more prominent because they are successful.
In 2012, according to the United States Computer Emergency Readiness Team, 5,700 computers tied to a single server were locked, all on the same day.
Symantec analyzed the data and determined that 2.9% of the users with locked computers had paid an average ransom of $200 per computer.
While this may be true of ransomware overall, many healthcare organizations claim they actually aren’t paying ransoms.
But some are.
Medical professionals rely on computer access for everything, from critical patient information like allergies and lab results to operating schedules.
Locking access to records can literally be a life or death situation.
According to Craig Williams of Cisco Talos Research, quoted in an Ars Technica report, healthcare organizations may be targets not because of their industry but because of the types of applications they use.
He suspects ransomware perpetrators scan the internet for vulnerable servers and find many in the healthcare trade.
According to Zach Forsyth at Comodo, the increase in crypto virus attacks is also caused by the antiquated security systems many companies employ.
Healthcare organizations are relatively new to the digital game, and their security systems lack the maturity of those in the financial and technology industries.
According to the Ponemon Institute, criminal attacks on healthcare organizations increased 100 percent between 2009 and 2013.
The trend of attacks against the vulnerable healthcare industry shows no signs of slowing. In fact, ransomware is emerging as a popular crime, as Ben Desjardin’s post on Radware states.
How do ransomware attacks happen?
Some ransomware attacks gain access through phishing, or luring a user to click on a contaminated email or link. Vulnerable servers can also be targeted remotely.
Cisco Talos Research examined a ransomware campaign against the healthcare industry in March 2016.
Perpetrators used the open source tool JexBoss to gain a foothold on a server. Once inside, a ransomware variant named SamSam encrypted multiple Windows systems.
Another malware distribution method, Ransomware as a Service (RaaS), emerged in 2015.
According to the Microsoft Malware Protection Center, criminals download the ransomware app builder and customize it.
Ransom:MSIL/Samas also emerged early in 2016, with criminals using a penetration testing attack server that scans for vulnerable networks to exploit, and a publicly available tool called reGeorg for tunneling.
MSPs and VARs Beware!
It’s not just healthcare providers who should worry about their records being locked. Managed Service Providers and Value Added Resellers that serve the healthcare industry are also at risk.
HIPAA regulations for IT compliance state that any business involved in the creation, maintenance or monitoring of electronic protected health information (ePHI) is subject to the HIPAA Security Rule.
Compliance requires that the confidentiality and integrity of ePHI remain intact.
Because ransomware locks files rather than breaching their integrity, the jury is currently out on whether HIPAA-covered organizations have to report crypto virus attacks to the Department of Health and Human Services’ Office for Civil Rights.
It’s possible that attackers have figured out that ransomware victims are more likely to pay up if they can be assured the data has not been stolen, and therefore may not have to report a breach.
What can you do?
A simple solution is to back up your files. If you still have your own copy of what a criminal has encrypted, you can continue to do business.
Train your employees never to click on suspicious emails or links. In addition, a strong password policy should be implemented throughout the company.
Third Tier produced a ransomware protection kit that they’ll mail to you in return for a donation supporting women who want to work in the IT field.
Other remedies include installing a multi-tier defense architecture that checks software for vulnerabilities at several layers.
Web scanning can also stop your systems from accessing malicious sites.
Whitelisting is an effective tool that allows only specific, approved programs to run.
Employees can be given a “least privilege user account,” which means they are not granted administrative privileges on their computers.
Ransomware prevention can also include blocking malicious Tor IP addresses and testing restores.
Once your security system is set up, do not ignore it – maintain it. According to The HIPAA Journal, the Red Hat-supported JBoss server application was reported vulnerable in 2007.
A patch to correct the vulnerability has existed for almost ten years, and had it been applied, a number of ransomware attacks could have been prevented.
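Backups only help if a test restore proves the files came back intact. The following is an added example, not code from the original article or any of the organizations it mentions: it records a SHA-256 manifest of a directory before backup and then checks a restored tree against it, reporting files that are missing, altered (as an encrypting ransomware would leave them) or unexpected. The directory layout and file contents are constructed for the demo.

```python
# Added example (not from the original article): manifest-based restore test.
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = digest
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree to the manifest; return {path: problem}."""
    restored = build_manifest(restored_root)
    problems = {}
    for rel, expected in manifest.items():
        if rel not in restored:
            problems[rel] = "missing"
        elif restored[rel] != expected:
            problems[rel] = "content changed"   # e.g. encrypted or truncated
    for rel in restored:
        if rel not in manifest:
            problems[rel] = "unexpected file"   # e.g. a dropped ransom note
    return problems


def demo():
    """Constructed scenario: one file overwritten and a ransom note added."""
    src = tempfile.mkdtemp()
    with open(os.path.join(src, "patients.csv"), "w") as fh:
        fh.write("id,allergy\n1,penicillin\n")
    with open(os.path.join(src, "schedule.txt"), "w") as fh:
        fh.write("08:00 OR-1\n")
    manifest = build_manifest(src)
    # Simulate a bad restore: junk bytes in one file, plus a constructed note
    with open(os.path.join(src, "patients.csv"), "wb") as fh:
        fh.write(os.urandom(32))
    with open(os.path.join(src, "README_DECRYPT.txt"), "w") as fh:
        fh.write("constructed ransom note\n")
    return verify_restore(manifest, src)
```

Store the manifest with the backup, but on a system the backed-up hosts cannot write to, so that it survives the same attack it is meant to detect.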
Ah, those pesky passwords. If you work in the corporate world or in an office, you have one for your PC/Network and, unless there is a password synchronization application that combines them, you probably have more than one for other applications. Add those to the ones that you have for your home Internet, your banking and other websites that require passwords, and before you know it you have a nightmare on your hands in trying to manage them. How easy a target are you for business and identity theft?
Part of the frustration has to do with the different requirements for password formatting. Some systems only require four characters, some require eight. Some need a combination of alpha and numeric characters and others do the same with the addition of a few capital letters thrown in for extra security. It can be positively maddening.
The worst thing you can do with your passwords is to store them in a text document on your computer’s hard drive. Your files are vulnerable to business and identity theft, even if you think they are not. If someone is intent on finding them, they can. Even a password-protected document can be cracked.
Writing them down has its own vulnerabilities, too, and there are varying opinions on this practice. If you do write them down on a piece of paper, put the document in a locked location whether it is in your home or at work.
Here are 6 tips on how to handle your passwords to protect against business and identity theft:
1. Make them complex. People who use easy to remember or short passwords are inviting disaster. Use a little imagination and pick a password that is very difficult to attach to your life. Stay away from birth dates, phone numbers, house numbers, or any other number that is associated with your life.
2. Keep passwords unique. When you change your passwords, make each one different from the others. Do not use the same password on all of your sites. If you do, a single stolen password leaves every site you use open to hackers who can log on and steal your identity or money, or destroy your reputation.
3. Be obscure. Use a combination of letters, numbers, capital letters and special characters if possible. The more you do this, the more secure your passwords will become. Create an alphanumeric version of a term you can remember. Using this technique the word “Spaceship” becomes “Sp@ce5h!p”.
4. Change regularly. This is the single tip that can save you even if you heed none of the others. How often should you change your password? That depends on how secure you want to be: the more often you change it, the less exposed you are, and the longer you leave it the same, the more vulnerable you become. Three months is a good cycle for a password, but if you fear for the security of your identity, a monthly change is not out of the question.
5. Password-protect your PC. Be sure to give your PC a password on power-up. This helps protect your files from anyone with unrestricted access to your PC.
6. Password-protect your wireless home network. If you have a wireless home network, be sure to password protect it as well. Use the same principles above in order to secure your wireless network. This will prevent others from accessing your connection and using it maliciously to hack the personal or business PCs and laptops you and your family use at home.
Finally, there are password programs that can help with this important task, but the best advice is to start with the tips above right away. Password software can be useful as an organizational tool, but it is no match for using sound methods to manage and make your passwords difficult to crack.
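The six tips above can be turned into checks an organization can run over its own account inventory. This is an added example, not code from the original article: it flags short passwords, passwords lacking a mix of character classes, long digit runs (a crude stand-in for birth dates and phone numbers), passwords older than the three-month cycle, and passwords reused across sites. The 8-character minimum, the 90-day threshold and the sample accounts are assumptions constructed for the demo.

```python
# Added example (not from the original article): audit accounts against the tips.
import re
from datetime import date


def complexity_issues(pw):
    """Tips 1 and 3: length, character-class mix, no date/phone-like digit runs."""
    issues = []
    if len(pw) < 8:                                   # assumed minimum length
        issues.append("too short")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        issues.append("needs letters, capitals, digits and symbols")
    if re.search(r"\d{4,}", pw):                      # looks like a year or phone number
        issues.append("contains a long digit run")
    return issues


def audit(accounts, today, max_age_days=90):
    """accounts: list of (site, password, last_changed). Returns {site: [issues]}.
    Tips 2 and 4: reuse across sites and passwords older than the rotation cycle."""
    report = {}
    first_seen = {}
    for site, pw, changed in accounts:
        issues = complexity_issues(pw)
        if (today - changed).days > max_age_days:
            issues.append("older than %d days" % max_age_days)
        if pw in first_seen:
            issues.append("reused from " + first_seen[pw])
            report.setdefault(first_seen[pw], []).append("reused on " + site)
        else:
            first_seen[pw] = site
        report[site] = issues
    return report


def demo():
    # Constructed sample inventory; the password on the third entry is deliberately weak
    today = date(2016, 4, 15)
    accounts = [
        ("bank", "Sp@ce5h!p", date(2016, 3, 1)),
        ("email", "Sp@ce5h!p", date(2016, 2, 1)),
        ("hospital-pc", "john1985", date(2015, 6, 1)),
    ]
    return audit(accounts, today)
```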