Healthcare Cybersecurity

Paying a Ransom Doesn’t Put an End to the Extortion

The healthcare industry has been extensively targeted by ransomware gangs and victims often see paying the ransom as the best option to ensure a quick recovery, but the payment does not always put an end to the extortion. Many victims have paid the ransom to obtain the decryption keys or to prevent the publication of stolen data, only for the ransomware actors to continue with the extortion.

The advice of the Federal Bureau of Investigation (FBI) is never to pay a ransom following a ransomware attack, as doing so allows the threat actors to put more resources into their attacks and encourages other threat groups to get involved in ransomware, and because there is no guarantee that paying a ransom will allow the recovery of data or prevent the misuse of stolen data.

A recent survey conducted by the cybersecurity firm Venafi has helped to quantify the extent to which further extortion occurs. The survey has provided some important statistics about what happens when victims pay or do not pay the ransom demands. The survey was conducted on 1,506 IT security officers from the United States, United Kingdom, Germany, France, Benelux and Australia and explored the rapidly growing risk of ransomware attacks.

Venafi said ransomware attacks increased by 93% in the first half of 2021 and by the end of the year ransomware attacks were being conducted globally at a rate of one every 11 seconds. 67% of companies with 500 or more employees said they had experienced a ransomware attack in the past 12 months, and 83% of ransomware attacks involved double or triple extortion tactics, where sensitive files are stolen and payment is required to decrypt files, prevent the publication of data, and prevent attacks on customers and suppliers.

According to the survey, 38% of attacks involved threats to extort victims’ customers using stolen data, 35% involved threats to expose stolen data on the dark web, and 32% involved threats to inform customers that their data had been stolen.

16% of customers who did not pay the ransom had their data exposed on the dark web. 35% of victims said they paid the ransom but were still unable to recover their data, and 18% of victims said they paid the ransom to prevent the exposure of stolen data, but the information was still exposed on the dark web. 8% said they refused to pay the ransom and then the attackers attempted to extort their customers.

Many ransomware gangs now operate under the ransomware-as-a-service (RaaS) model, where affiliates are recruited to conduct attacks for a cut of any ransoms they generate. While the RaaS operators often provide playbooks and issue guidelines for conducting attacks, there is little enforcement of compliance. Ransomware gangs often operate for short periods and try to extort as much money as possible from victims before shutting down their operations, rebranding, and starting again. There have also been cases of ransomware gangs providing stolen data and access to networks to other cybercriminal groups regardless of whether the ransom is paid, showing quite clearly that ransomware gangs cannot be trusted. Some ransomware gangs have taken over negotiations with victims from their affiliates, cut the affiliates out, and not issued payment, showing there is also no honor among thieves.

“Organizations are unprepared to defend against ransomware that exfiltrates data, so they pay the ransom, but this only motivates attackers to seek more,” said Venafi vice president, Kevin Bocek. “The bad news is that attackers are following through on extortion threats, even after the ransom has been paid!”

The post Paying a Ransom Doesn’t Put an End to the Extortion appeared first on HIPAA Journal.

HHS Warns of Potential Threats to the Healthcare Sector

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the U.S. health sector about potential cyber threats that could spill over from the conflict and affect U.S. healthcare organizations.

HC3 said the HHS is unaware of any specific threats to the Health and Public Health (HPH) Sector; however, it is clear that allies on both sides of the conflict have cyber capabilities and there are fears that there could be cyberattacks on the HPH sector as a consequence of the conflict.

HC3 has warned that threats could come from three areas: threat actors linked to the Russian government, threat actors linked to the Belarusian government, and cybercriminal groups operating out of Russia and its neighboring states. There is also potential for other cybercriminal groups to either get involved in the conflict or take advantage of the conflict to conduct unrelated cyberattacks.

“Russia has for several decades been one of the most capable cyber powers in the world. Going back to the Moonlight Maze attacks against the US Department of Defense in the 1990s, Russian state-sponsored actors have been believed to be behind some of the most sophisticated cyberattacks publicly disclosed. Specifically, they are known to target adversarial critical infrastructure in furtherance of their geopolitical goals,” warns HC3.

There are also highly capable cyber criminal organizations that operate out of Russia or have voiced their support for Russia, including the operators of Conti Ransomware. The Conti ransomware gang, which is widely believed to have also operated Ryuk ransomware, has extensively targeted the healthcare sector in the United States. The Conti ransomware gang engages in big game hunting, multi-stage attacks, and targets managed service providers and their downstream clients. The Conti ransomware gang engages in double and triple extortion, exfiltrating data prior to encryption and then threatening to publish the data and notify partners and shareholders if payment is not made.

HC3 believes that the Conti ransomware gang and/or other cybercriminal groups could either join in the conflict or take advantage of the conflict for financial gain. The threat group known as UNC1151 is believed to be part of the Belarusian military and has reportedly been conducting phishing campaigns targeting Ukrainian soldiers in January, and the WhisperGate wiper was used in cyberattacks in Ukraine, which have been linked to Belarus.

WhisperGate is one of three wiper malware variants that have recently been identified. These wiper malware variants use ransomware as a decoy and drop ransom notes that claim files have been encrypted; however, the master boot record is corrupted rather than encrypted and there is no mechanism for recovery.

Another wiper dubbed HermeticWiper has been used in attacks in Ukraine since February 24, 2022, of which several variants have so far been identified. ESET has recently identified another wiper, which the firm has dubbed IsaacWiper and is currently analyzing.

While attacks involving these malware variants are currently concentrated in Ukraine, in 2017, NotPetya wiper malware was used in targeted attacks in Ukraine and was delivered through compromised tax software, but attacks involving the malware spread globally and affected multiple healthcare organizations in the United States.

All organizations in the HPH sector are strongly advised to adopt a heightened state of vigilance, take steps to improve their defenses, and review CISA guidance on mitigations and improving resilience to cyberattacks.


OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture

In a recent blog post, Director of the HHS’ Office for Civil Rights, Lisa J. Pino, urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022 in light of the increase in cyberattacks on the healthcare industry.

2021 was a particularly bad year for healthcare organizations, with the number of reported healthcare data breaches reaching record levels. 714 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and more than 45 million records were breached.

The breach reports were dominated by hacking and other IT incidents that resulted in the exposure or theft of the healthcare data of more than 43 million individuals. In 2021, hackers took advantage of healthcare organizations dealing with the COVID-19 pandemic and conducted several attacks that had a direct impact on patient care and resulted in canceled surgeries, medical examinations, and other services as a result of IT systems being taken offline and network access being disabled.

Pino also drew attention to the critical vulnerability identified in the Java-based logging utility Log4J, which has been incorporated into many healthcare applications. The vulnerability was discovered in December 2021 and cybercriminals and other threat groups were quick to exploit it to gain access to servers and networks for a range of malicious purposes.

The vulnerabilities and data breaches show how important it is for healthcare organizations to be vigilant to threats and take prompt action when new risks to the confidentiality, integrity, and availability of protected health information are identified. “With these risks in mind, I would like to call on covered entities and business associates to strengthen your organization’s cyber posture in 2022,” said Pino.

Pino said OCR investigations and audits have uncovered many cases of noncompliance with the risk analysis and risk management requirements of the HIPAA Rules. “All too often, we see that risk analyses only cover the electronic health record. I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope,” explained Pino. “You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.”

OCR’s investigations of data breaches in 2020 showed multiple areas where HIPAA-regulated entities need to take steps to improve compliance with the standards of the HIPAA Security Rule, especially in the following areas:

  • Risk analysis
  • Risk management
  • Information system activity review
  • Audit controls
  • Security awareness and training
  • Authentication

Pino made several recommendations, including reviewing risk management policies and procedures, ensuring data are regularly backed up (and testing backups to ensure data recovery is possible), conducting regular vulnerability scans, patching and updating software and operating systems promptly, training the workforce how to recognize phishing scams and other common attacks, and practicing good cyber hygiene.

“We owe it to our patients, and industry, to improve our cybersecurity posture in 2022 so that health information is private and secure,” concluded Pino, who also drew attention to resources that have been made available by CISA and the Office for Civil Rights to help protect against common threats to ePHI.


NIST Requests Comments on How to Improve its Cybersecurity Framework

The National Institute of Standards and Technology (NIST) is seeking feedback on the usefulness of its Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and suggestions on any improvements that can be made.

The NIST Cybersecurity Framework was released in 2014 to help public and private sector organizations implement cybersecurity standards and best practices to improve their cybersecurity posture, better defend against cyber threats, and quickly identify and respond to cyberattacks in progress to limit the harm that can be caused. The NIST Cybersecurity Framework is considered the gold standard for cyber threat management; however, that does not mean improvements could not be made.

The last update to the Cybersecurity Framework occurred in April 2018 and the past four years have seen considerable changes to the cybersecurity threat landscape. New threats have emerged, the tactics, techniques, and procedures used by cyber threat actors have changed, there are new technologies and security capabilities, and more resources are available to help with the management of cybersecurity risk. NIST is now considering updating its Framework again to take these factors into account.

The NIST Cybersecurity Framework has been adopted by many healthcare organizations to improve cybersecurity, but some healthcare organizations have faced challenges implementing the Framework and currently fewer than half of healthcare organizations are adhering to NIST standards. NIST wants to learn about the challenges organizations have faced implementing the Framework and the commonalities and conflicts with other non-NIST frameworks and approaches that are used in conjunction with the NIST Cybersecurity Framework. There may be ways of improving alignment or integration of those approaches with the NIST Cybersecurity Framework. NIST wants suggestions on changes that could be made to the features of the Framework, features that should be added or removed, and any other ways that NIST could improve the Framework to make it more useful.

In addition to feedback on the Cybersecurity Framework, NIST has requested comments on possible improvements to other NIST guidance and standards, including its guidance on improving supply chain cybersecurity. NIST recently announced that it would launch the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to address cybersecurity risks in supply chains. NIST has requested comments on challenges related to the cybersecurity aspects of supply chain risk management that could be addressed by the NIICS, and whether there are currently gaps in existing cybersecurity supply chain risk management guidance and resources, including the application of those resources to information and communications technology, operational technology, IoT, and industrial IoT.

NIST has requested all comments be submitted by April 25, 2022.


Hospitals and Health Systems Warned of Elevated Risk of Destructive Cyberattacks

Now that the build-up of Russian troops on the border of Ukraine has progressed into a full invasion, warnings have been issued about the elevated threat of cyberattacks on organizations in the United States and other countries that have imposed economic and military sanctions on Russia.

Russia has a history of using destructive cyberattacks on its adversaries. In 2015 and 2016, the Russian General Staff Main Intelligence Directorate (GRU) conducted cyberattacks on the Ukrainian electricity grid, the Ukrainian financial, energy, and government sectors were targeted in a series of cyberattacks in 2017, and 2017 also saw the use of the NotPetya wiper in attacks on Ukrainian businesses. In January this year, a wiper malware dubbed WhisperGate was used in attacks on the country, and Distributed Denial-of-Service (DDoS) attacks have recently been reported, along with the use of a new wiper malware in the past few days. Russia was also behind a series of disruptive attacks on Georgia in 2019.

This week, FBI Cyber Section chief David Ring reportedly briefed private executives and state/local officials about the increased threat of ransomware attacks from hacking groups backed by Russia and urged them to consider how critical services could continue to be provided in the event of an attack. There is also concern that recent DDoS attacks in Ukraine could be extended to NATO members and other foreign targets, and that pro-Russia hacking groups could increase their attacks on organizations in countries that are showing support for Ukraine.

CISA recently issued a “Shields Up” warning to critical infrastructure entities in the United States due to the elevated risk of destructive cyberattacks. CISA urged all organizations to take a proactive approach to defend their digital environments, and the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning about the use of misinformation, disinformation, and malinformation (MDM) tactics to shape public opinion, undermine trust, amplify division, and sow discord, which could undermine security in the United States.

On February 23, 2022, the American Hospital Association (AHA) issued a warning to hospitals and health systems that they may be directly targeted by Russian-sponsored cyber actors, become incidental victims of Russian-deployed malware and destructive cyberattacks, and that those attacks have the potential to disrupt the mission-critical service providers of hospitals. While hospitals and health systems may not be the primary targets of cyberattacks, there is still potential for collateral damage, as was the case with the spillover of the NotPetya wiper malware attacks in Ukraine in 2017, which spread globally and disrupted operations at a large U.S. pharmaceutical company, a major U.S. health care communications company, and several U.S. hospitals.

Hospitals and health systems have been advised to review the security alerts published by CISA, the FBI, and the NSA to better understand the threats they face and implement the recommended mitigations to prepare for possible attacks, enhance their cyber posture, and increase organizational vigilance. The Health Information Sharing and Analysis Center (Health-ISAC) has said it will be increasing its reports and intelligence for its members and will provide strategic analysis and information about the implications of the Russia-Ukraine conflict on the healthcare industry and pharmaceutical firms.


CISA Publishes List of Free Cybersecurity Tools to Advance Security Capabilities

Expanding security capabilities is possible with a tight budget by using free cybersecurity tools and services. Many tools and services have been developed by government agencies, the cybersecurity community, and the public and private sector that can be used to improve defenses against damaging cyberattacks, detect potential intrusions rapidly, and help organizations respond to and remediate security breaches.

Finding appropriate free cybersecurity tools and services can be a time-consuming process. To help critical infrastructure organizations reduce cybersecurity risk, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has compiled a list of services provided by CISA and other government agencies, open source tools, and tools and services developed and maintained by the cybersecurity community that can be adopted to improve protection, detection, response and the remediation of cyber threats.

The list of free cybersecurity tools and services is divided into four categories, based on the four goals detailed in previously published guidance: CISA Insights: Implement Cybersecurity Measures Now to Protect Against Critical Threats.

  1. Reducing the likelihood of a damaging cyber incident;
  2. Detecting malicious activity quickly;
  3. Responding effectively to confirmed incidents; and
  4. Maximizing resilience.

All of the tools and services added to the list were assessed by CISA using neutral principles and criteria; however, CISA does not attest to the suitability of any product or service, nor the effectiveness of any solution for any particular use case. While some commercial products and services have been included in the list, CISA does not endorse or provide any recommendations for using those products and services. The list will be periodically updated by CISA to include new products and services and CISA welcomes any suggestions of additional products and services for future inclusion in the list.

While all included tools and services could be of benefit for improving or adding new security capabilities, they are no substitute for developing and implementing a strong cybersecurity program. It is vital to develop such a program and ensure certain foundational cybersecurity measures are implemented, including addressing known flaws in software and operating systems, setting strong passwords, implementing multi-factor authentication, and putting an end to bad cybersecurity practices such as the continued use of legacy solutions that have reached end-of-life and are no longer supported. CISA recommends signing up for its Cyber Hygiene Vulnerability Scanning service and taking steps to get sensitive Stuff Off Search (S.O.S.) to reduce Internet attack surfaces that are visible to anyone using a web-based platform.


NCCoE Releases Final Version of NIST Securing Telehealth Remote Patient Monitoring Ecosystem Guidance

The National Cybersecurity Center of Excellence (NCCoE) has published the final version of NIST guidance on Securing Telehealth Remote Patient Monitoring Ecosystem (SP 1800-30).

Healthcare delivery organizations have been increasingly adopting telehealth and remote patient monitoring (RPM) systems to improve the care they provide to patients while reducing costs. Patient monitoring systems have traditionally only been used in healthcare facilities but there are advantages to using these solutions in patients’ homes. Many patients prefer to receive care at home, the cost of receiving that care is reduced, and healthcare delivery organizations benefit from freeing up bed space and being able to treat more patients.

While there are advantages to be gained from the provision of virtual care and the remote monitoring of patients in their homes, telehealth and RPM systems can introduce vulnerabilities that could put sensitive patient data at risk and if RPM systems are not adequately protected, they could be vulnerable to cyberattacks that could disrupt patient monitoring services.

Special Publication 1800-30 was developed by NCCoE in collaboration with healthcare, technology, and telehealth partners to form a reference architecture that demonstrates how a standards-based approach can be adopted along with commercially available cybersecurity tools to improve privacy and security for the telehealth and RPM ecosystem.

The project team at NCCoE performed a risk assessment based on the NIST Risk Management Framework on a representative RPM ecosystem in a laboratory environment. The NIST Cybersecurity Framework was applied along with guidance based on medical device standards, and the team demonstrated how healthcare delivery organizations can implement a solution to enhance privacy and better secure their telehealth RPM ecosystem.

SP 1800-30 explains how healthcare delivery organizations can identify cybersecurity risks associated with telehealth and RPM solutions, use the NIST Privacy Framework to broaden their understanding of privacy risks, and apply cybersecurity and privacy controls. How-To guides are provided that include detailed instructions for installing and configuring the products used to build NCCoE’s example solution. NCCoE used solutions from AccuHealth and Vivify, but the principles can be applied to other solutions.

The final guidance and How-To guides can be downloaded from NCCoE here.


HHS Raises Awareness of Threats to Electronic Health Record Systems

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center has issued a threat brief warning about the risks associated with electronic health record systems, which are often targeted by cyber threat actors.

Cyberattacks on EHRs can be extremely profitable for cyber threat actors. EHRs usually contain all the information required for multiple types of fraud, including names, addresses, dates of birth, Social Security numbers, other government and state ID numbers, health data, and health insurance information. No other records provide such a wide range of information. The information contained in the systems has a high value on the black market and can be easily sold to cybercriminals who specialize in identity theft, tax, and insurance fraud. Malware, and especially ransomware, pose a significant threat to EHRs. Ransomware can be used to encrypt EHR data to prevent access, which causes disruption to medical services and creates patient safety issues, which increases the likelihood of the ransom being paid. Phishing attacks to gain access to the credentials required to access EHRs are also common.

A cybersecurity strategy should be developed to protect against malware and ransomware attacks. Malware and ransomware infections often start with phishing emails, so email security solutions should be implemented, and end users should receive training to help them identify phishing emails and other email threats. Regular security awareness training for the workforce can improve resistance to cyberattacks that target employees, who are one of the weak links in the security chain. Attacks on Remote Desktop Protocol (RDP) are also common. Consider using a VPN solution to prevent exposing RDP. Threat actors often exploit unpatched vulnerabilities, so it is vital to patch promptly and to prioritize patching to address critical vulnerabilities first, especially vulnerabilities that are known to have been exploited in cyberattacks. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities Catalog that can guide IT security teams on prioritizing patching efforts.

Many healthcare organizations encrypt EHR data. Encryption protects data while it is transferred between on-site users and external cloud applications, but there could be blind spots in encryption that could be leveraged by threat actors to avoid being detected while they execute their attack. Cloud services are now commonly used by healthcare organizations, including cloud-hosted EHRs. All data sent to cloud services must be properly protected to comply with HIPAA. Cloud access security broker technology can help in this regard.

Steps need to be taken to prevent attacks by external cyber threat actors, but there are also internal threats to EHR data. Healthcare employees are provided with access to EHRs and can easily abuse that access to view or steal patient data. Employees should receive training on internal policies concerning EHR use and data access and how HIPAA prohibits the unauthorized accessing of records. The sanctions policy should be explained as well as the potential for criminal charges for unauthorized medical record access. Administrative policies should be implemented to make it difficult for employees to access records without authorization and policies for EHR need to be enforced.

There should be monitoring of physical and system access, audits should be regularly conducted to identify unauthorized access, and device and media controls should be implemented to prevent the unauthorized copying of EHR data. An endpoint hardening strategy should also be developed that includes multiple layers of defense on all endpoints. The strategy will also ensure that any intrusion is detected and contained before attackers can gain access to EHRs and patient data.

Healthcare organizations should engage in threat hunting to identify threat actors who have bypassed the security perimeter and infiltrated endpoints. Penetration testers should be used for ‘Red Team’ activities involving the tradecraft of hackers to identify and exploit vulnerabilities. Cybersecurity professionals should also be engaged for the Blue Team, which is concerned with guiding the IT security team on improvements to prevent sophisticated cyberattacks. “These exercises are imperative to understanding issues with an organization’s network, vulnerabilities, and other possible security gaps,” says the HHS.

There are considerable benefits that come from EHRs, but risks to data must be properly managed. The HHS suggests healthcare leaders change their focus from prevention to the creation of a proactive preparedness plan to understand vulnerabilities in their EHRs and then implement a framework that will be effective at identifying and preventing attacks.


2021 Saw Sharp Increase in Ransomware Data Leaks and Ransom Demands

CrowdStrike has released its annual threat report which shows there was a major increase in data leaks following ransomware attacks in 2021, rising 82% from 2020. CrowdStrike observed 2,686 ransomware attacks in 2021 compared to 1,474 in 2020. There were more than 50 ransomware attacks a week in 2021.

Ransomware gangs also increased their ransom demands in 2021, which were 36% higher than in 2020. In 2021, the average ransom demand was $6.1 million. The healthcare industry was extensively targeted by ransomware gangs in 2021, even though several threat actors claimed they would not conduct attacks on healthcare organizations. CrowdStrike tracked 154 ransomware attacks on healthcare organizations in 2021, up from 94 in 2020, with healthcare ranking 6th out of all industry sectors for data leaks, down from 4th position in 2020.

CrowdStrike said the threat landscape became much more crowded in 2021, with several new adversaries emerging, including threat actors from countries that have not previously been extensively involved in cyberattacks, such as Turkey and Colombia. CrowdStrike identified 21 new adversaries in 2021, with significant increases in Iran-nexus and China-nexus threat actors.

A threat group tracked as Wizard Spider was one of the most prolific ransomware actors in 2021, Carbon Spider specialized in big game hunting, Cozy Bear specialized in targeting cloud environments, Prophet Spider used the Log4j exploit for harvesting credentials from cloud workspace services, and Aquatic Panda targeted the Log4j vulnerability and used the Log4Shell exploit to achieve remote code execution on victims’ systems.

Iran-nexus actors extensively adopted lock-and-leak tactics, Russian threat actors increasingly targeted cloud environments, and China-nexus threat actors specialized in deploying exploits for new vulnerabilities. CrowdStrike said there was a sixfold increase in vulnerability exploitation in 2021, with 10 named adversaries or activity clusters involved in those attacks. Only 2 vulnerabilities were exploited by Chinese threat actors in 2020, compared to 12 in 2021.

Since 2020, ransomware gangs have been exfiltrating sensitive data prior to encrypting files and have been using double extortion tactics on their victims, where payment is required for the keys to decrypt data and also to prevent the leaking of the stolen data on data leaks sites. While ransomware attacks were commonplace, there was also an increase in data theft and extortion without the use of ransomware and there was an active market for the sale and purchase of stolen information on hacking forums and darknet sites.

Malware is commonly used in cyberattacks, but attackers are increasingly avoiding the use of malware and are instead using legitimate credentials to access networks and then living-off-the-land techniques, where existing system tools are used rather than malware to evade security solutions. In 2021, only 38% of cyberattacks involved malware, with 62% of attacks malware-free.

CrowdStrike expects cloud-related threats to become more prevalent and to evolve in 2022 as threat actors prioritize targets that provide direct access to large consolidated stores of high-value data. Threat actors are also likely to diversify their tool arsenal to include mobile malware in 2022, and it is highly probable adversaries will continue to seek weaknesses in platforms used by their targets in 2022. “Through the coming year, adversaries are expected to continue to react to vulnerability identification and seek to gain access to their targets through exploitive means as quickly as possible,” said CrowdStrike.

To counter these threats, CrowdStrike recommends learning about the adversaries that are known to target your industry, as this will allow you to better prepare for attacks. It is vital to protect all workloads and have a tested response plan to allow immediate action to be taken in the event of an attack. The speed of the response often dictates whether mitigations succeed or fail.

Cloud misconfigurations are often exploited to gain access to large data stores. One way to reduce the risk of human error is to set up new accounts and infrastructure using default patterns. While it is important to implement technical measures to detect and stop intrusions, it is also important to invest in user awareness programs, as end users can play a key role in preventing data breaches, especially detecting and avoiding phishing attacks and social engineering techniques.
