Healthcare Cybersecurity

Ransomware Gangs Adopt Triple Extortion Tactics

Following on from the DarkSide ransomware attack on Colonial Pipeline, several ransomware threat actors have ceased activity or have implemented rules that their affiliates must follow, including banning all attacks on critical infrastructure firms, healthcare organizations, and government organizations.  Some popular hacking forums are distancing themselves from ransomware and have banned ransomware groups from advertising their RaaS programs. However, there are many threat actors conducting attacks and not all are curbing their activities. It remains to be seen whether there will be any reduction in attacks, even in the short term.

So far in 2021, attacks have been occurring at record levels, with the healthcare and utility sectors the most targeted. An analysis of attacks by Check Point Research found that since the start of April 2021, ransomware attacks have been occurring at a rate of around 1,000 per week, with a 21% increase in impacted organizations in the first trimester of 2021 and 7% more in April.

The number of attacked organizations is up 102% from the corresponding period in 2020 and in April 2021, an average of 109 ransomware attacks were reported by healthcare organizations every week, with 59 attacks per week on the utilities sector and 34 in legal/insurance. Ransom payments have also increased and are up 171% from the same time last year, with the average payment now $310,000.

Since early 2020, ransomware threat groups have been using double extortion tactics to increase the probability of victims paying the ransom. Instead of simply encrypting files and demanding payment for the keys to decrypt data, prior to data encryption, the attackers exfiltrate any sensitive data they can find. Threats are then issued to publish the data if payment is not made.

Now, a new tactic has been detected by researchers at Check Point – triple extortion attacks. As with the double extortion tactics of breaching a healthcare network, exfiltrating data, and demanding a ransom for the keys to decrypt files and prevent the sale or publication of stolen data on leak sites, some threat groups are also targeting individuals whose data has been stolen. They too are issued with a ransom demand to prevent their personal and health data from being sold or put in the public domain.

This tactic has been observed since late 2020 and has continued to gain traction in 2021, with the first known case affecting the Vastaamo Clinic in Finland in October 2020. In that case, the attackers stole large amounts of data and issued ransom demands to the clinic and patients, with the latter including a threat to publish their psychotherapy notes if they failed to pay to prevent the data leak.

While the REvil ransomware operation did not issue demands for payment from individuals, their tactics have included contacting individuals by telephone to alert them to the attack to pile on the pressure on the breached entity to pay up.

“We can only assume that creative thinking and a wise analysis of the complex scenario of double extortion ransomware attacks have led to the development of the third extortion technique,” explained Check Point Research. “Third-party victims, such as company clients, external colleagues and service providers, are heavily influenced, and damaged by data breaches caused by these ransomware attacks, even if their network resources are not targeted directly… Such victims are a natural target for extortion, and might be on the ransomware groups’ radar from now on.”

The post Ransomware Gangs Adopt Triple Extortion Tactics appeared first on HIPAA Journal.

CISA Issues Guidance on Evicting Adversaries from Networks Following SolarWinds Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on evicting threat actors from networks compromised in the SolarWinds Orion supply chain attacks and in the subsequent compromises of Active Directory and M365 environments.

The attacks have been attributed to threat actors tied to the Russian Foreign Intelligence Service (SVR). After gaining network access through the update mechanism of SolarWinds Orion, the threat actor selected targets of interest for further compromise and bypassed multi-factor authentication methods and moved laterally into Microsoft 365 environments by compromising federated identity solutions. Most of the targets selected for further compromise were government departments and agencies and critical infrastructure organizations, although private sector organizations may also have experienced more extensive compromises.

The guidance applies to evicting adversaries from on-premises and cloud environments and includes a 3-phase remediation plan. CISA notes that malicious compromises are unique to each victim, so careful consideration must be given to each of the steps and the guidance then applied to the unique environment of each breached entity to ensure success.

All three phases are required to fully evict an adversary from either on-premises or cloud environments, so shortcuts should not be taken. The failure to follow all steps could result in substantial, long-term undetected Advanced Persistent Threat (APT) activity, prolonged theft of data, and erosion of public trust in victims’ networks.

The guidance provides the plan for evicting adversaries from a network, but does not provide specific details on how the required actions should be taken.

Any attempt to evict an adversary from the network requires a pre-eviction phase, an eviction phase, and a post-eviction phase. The pre-eviction phase is concerned with confirming the tactics, techniques, and procedures (TTPs) associated with the attacks and fully investigating the true scope of compromise. During the remediation process, steps will be taken to improve security and build more resilient networks; however, the eviction process is complex, time-consuming, and will require business networks to be disconnected from the Internet for 3-5 days.

A thorough risk assessment must be conducted prior to any eviction attempt to understand the potential impacts on critical business functions. There will likely be disruption to business operations, so it is essential that the remediation efforts are properly planned, the impact on the business is fully understood, and appropriate resources are made available to limit disruption.

After completing all eviction steps, entities enter into the post-eviction phase which involves confirming the adversary has been evicted. This phase includes integrating detection mechanisms, configuring endpoint forensics and detection solutions for aggressive collection, and maintaining vigilance, with steps taken over the 60 days after completing the eviction phase.

“In the hours, days, and weeks after the network’s internet connection is restored, the agency’s detection capability will be important in verifying that all threat actor activity within the enterprise has stopped,” explained CISA. “Extended vigilance is necessary because this threat actor has demonstrated extreme patience with follow-on activity.”

CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise can be found on this link.


April 2021 Healthcare Data Breach Report

April was another particularly bad month for healthcare data breaches, with 62 reported breaches of 500 or more records – the same number as March 2021. That is more than 2 reported healthcare data breaches every day, and well over the 12-month average of 51 breaches per month.

Healthcare data breaches in the past 12 months

High numbers of healthcare records continue to be exposed each month. Across the 62 breaches, 2,583,117 healthcare records were exposed or compromised; however, it is below the 12-month average of 2,867,243 breached records per month. 34.4 million healthcare records have now been breached in the past 12 months, 11.2 million of which were breached in 2021.

Healthcare records breached in the past 12 months

Largest Healthcare Data Breaches Reported in April 2021

There were 19 reported data breaches in April that involved more than 10,000 records, including 7 that involved more than 100,000 records with all but one of the top 10 data breaches due to hacking incidents.

Ransomware attacks continue to occur at high levels, with many of the reported attacks affecting business associates of HIPAA-covered entities. These incidents, which include attacks on Netgain Technologies, Accellion, and CaptureRx, have affected multiple healthcare provider clients.

The majority of ransomware attacks now involve data theft prior to file encryption, with the stolen data used as leverage to get breach victims to pay. Large quantities of data are stolen in the attacks. The top three data breaches of the month all involved the use of ransomware and involved 1.3 million healthcare records.

There has been some positive news this month. In the wake of the ransomware attack on Colonial Pipeline, multiple ransomware gangs appear to have ceased operations and at least two have now taken the decision not to attack healthcare organizations. This news should naturally be taken with a large pinch of salt, as similar promises were made by certain ransomware gangs at the start of the pandemic and attacks continued at high levels.

Name of Covered Entity | Covered Entity Type | Business Associate Involvement | Individuals Affected | Type of Breach | Reported Cause of Breach
Trinity Health | Business Associate | Yes | 586,869 | Hacking/IT Incident | Ransomware (Accellion)
Bricker & Eckler LLP | Business Associate | Yes | 420,532 | Hacking/IT Incident | Ransomware
Health Center Partners of Southern California | Business Associate | Yes | 293,516 | Hacking/IT Incident | Ransomware (Netgain Technologies)
Total Health Care Inc. | Health Plan | No | 221,454 | Hacking/IT Incident | Phishing
Wyoming Department of Health | Health Plan | No | 164,010 | Unauthorized Access/Disclosure | Exposure of PHI over Internet
Home Medical Equipment Holdco, LLC | Healthcare Provider | No | 153,013 | Hacking/IT Incident | Phishing
Health Aid of Ohio, Inc. | Healthcare Provider | No | 141,149 | Hacking/IT Incident | Unspecified hacking and data exfiltration attack
Woodholme Gastroenterology | Healthcare Provider | No | 50,000 | Hacking/IT Incident | Unspecified hacking and data exfiltration attack
Neighborhood Healthcare | Healthcare Provider | Yes | 45,200 | Hacking/IT Incident | Ransomware (Netgain Technologies)
Crystal Lake Clinic PC | Healthcare Provider | No | 37,331 | Hacking/IT Incident | Not confirmed
RiverSpring Health Plans | Health Plan | No | 31,195 | Hacking/IT Incident | Phishing
Middletown Medical Imaging | Healthcare Provider | No | 29,945 | Hacking/IT Incident | Exposure of PHI over Internet
St. John’s Well Child and Family Center, Inc. | Healthcare Provider | No | 29,030 | Hacking/IT Incident | Unspecified hacking and data exfiltration attack
MailMyPrescriptions.com Pharmacy Corporation | Healthcare Provider | No | 24,037 | Hacking/IT Incident | Phishing
Squirrel Hill Health Center | Healthcare Provider | No | 23,869 | Hacking/IT Incident | Malware
Eastern Shore Rural Health System Inc. | Healthcare Provider | Yes | 23,282 | Unauthorized Access/Disclosure | Not confirmed
Faxton St. Luke’s Healthcare | Healthcare Provider | Yes | 17,656 | Hacking/IT Incident | Ransomware (CaptureRx)
Midwest Transplant Network, Inc. | Healthcare Provider | No | 17,580 | Hacking/IT Incident | Ransomware
Baptist Health Arkansas | Healthcare Provider | Yes | 16,765 | Hacking/IT Incident | Hacking of business associate (Foley & Lardner, LLP)

Causes of April 2021 Healthcare Data Breaches

Hacking/IT incidents, which include malware and ransomware attacks, dominated the breach reports in April 2021 and accounted for 67.74% of all reported breaches (42 incidents). These incidents involved 85.93% of all breached records in April. The mean breach size was 52,851 records and the median breach size was 6,563 records.

There were 17 incidents classed as unauthorized access/disclosures involving 358,870 records – 13.89% of all records breached in April. The mean breach size was 21,110 records and the median breach size was 2,704 records.

Loss and theft incidents continue but only at very low levels. There were just two reported cases of theft of devices containing PHI and one loss incident reported. 4,500 records were breached in these 3 incidents.

April 2021 Healthcare Data Breach causes

Network server incidents, most of which involved ransomware or malware, have overtaken phishing as the main cause of healthcare data breaches, although it should be noted that phishing emails are often the root cause of many ransomware attacks. There were 19 reported incidents involving PHI in email accounts, the majority of which were due to phishing or other forms of credential theft. One of the largest reported breaches in April was due to phishing and resulted in the exposure and potential theft of the PHI of 221,454 individuals.

April 2021 Healthcare Data Breaches - location of PHI

According to the Verizon 2021 Data Breach Investigations Report, phishing attacks increased globally by 11% in 2020 and ransomware attacks increased by 6%. The report shows insider breaches in healthcare have continued to fall and are now not even in the top three breach causes. In 2020, 61% of healthcare data breaches were due to external threat actors and 39% were caused by insiders.

April 2021 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type, with 30 data breaches of 500 or more records reported by the provider and a further 13 reported by a vendor. Business associate data breaches continue to be reported at high levels. There were 24 breaches involving business associates, with 10 of those breaches reported by the covered entity. 9 breaches were reported by health plans in April, with one breach affecting a health plan reported by its business associate.

States Affected by Healthcare Data Breaches

HIPAA-covered entities and business associates based in 28 states reported breaches of protected health information in April. California was the worst affected state with 7 breaches reported followed by Michigan and Texas with 5 breaches. Florida, New York, and Wisconsin had 4 breaches, and there were 3 reported breaches in Massachusetts and Ohio.

Wyoming, the least populated U.S. state, only had one reported breach, but it affected a quarter of state residents.

State No. Reported Data Breaches
California 7
Michigan and Texas 5
Florida, New York, & Wisconsin 4
Massachusetts & Ohio 3
Georgia, Illinois, Minnesota, Missouri, New Mexico, Pennsylvania, and Vermont 2
Alabama, Arkansas, Colorado, Kansas, Maryland, Montana, North Carolina, New Hampshire, New Jersey, Oregon, Tennessee, Virginia, & Wyoming 1

HIPAA Enforcement Activity in April 2021

It has been a busy year of HIPAA enforcement by the HHS’ Office for Civil Rights with 6 financial penalties imposed to resolve violations of the HIPAA Rules; however, there were no new settlements or civil monetary penalties announced in April, nor any enforcement actions by state Attorneys General.



DarkSide RaaS Shut Down and Ransomware Gangs Ban Attacks on Healthcare Organizations

The DarkSide ransomware gang has notified its affiliates that it has shut down its ransomware-as-a-service (RaaS) operation. The announcement came after the group’s public infrastructure was taken offline in what appears to be a law enforcement operation.

On May 13, the DarkSide data leak site went offline along with much of the group’s public infrastructure, including the payment server used to obtain ransom payments from victims and its breach data content delivery network. The gang also said its cryptocurrency wallets had been emptied and the funds transferred to an unknown account.

Intel 471 obtained a copy of a note written by the gang explaining to its affiliates that part of its public infrastructure was lost, its servers could not be accessed via SSH, and its hosting panels had been blocked. The group said its hosting company did not provide any further information other than the loss of the servers was “at the request of law enforcement.”

The group explained that it will be releasing the decryptors for all companies that have been attacked but have not paid the ransom; however, those decryptors are being released to the affiliates who conducted the attacks, not to the attacked companies. It will be up to individual affiliates whether to provide them to their victims or attempt to obtain payment.

“In view of the [loss of servers] and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck,” wrote the gang.

The same day that the group’s infrastructure was taken down, President Biden held a press conference about the Colonial Pipeline ransomware attack explaining the efforts made by the government to limit disruption and promising action would be taken against the DarkSide ransomware gang.

“We don’t believe the Russian government was involved in this attack,” said President Biden. “We do have strong reason to believe that the criminals who did the attack are living in Russia.” Biden went on to say that the United States was “in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks” and that the U.S. would “pursue a measure to disrupt their ability to operate.” President Biden also confirmed that the U.S. Department of Justice has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.

Prior to the shutdown, the hacking community had started to shun the DarkSide group. One of the two top-tier dark web forums used by the DarkSide gang to advertise its RaaS operation deleted the DarkSide account along with two threads about its ransomware operation, according to Gemini Advisory. Gemini Advisory also claims to have heard from several credible sources that the group no longer has a presence on the dark web. One top-tier dark web forum often used by ransomware gangs has also imposed sanctions on ransomware operations and has banned them entirely from the forum, claiming ransomware has become too toxic.

Intel 471 reports that it is not only the DarkSide operation that has been shut down. Several other ransomware operations have halted their operations, although it is unclear whether this is a permanent shut down or if the ransomware gangs are simply laying low and will start up their operations again under a different name. The Babuk ransomware operators claim to have provided their source code to another team and are pulling out of ransomware attacks. They said their ransomware will be operated by a different group under a different name.

The REvil ransomware gang, one of the most prolific ransomware operations, has also announced that it will no longer be promoting its ransomware operation on dark web forums and expects to make its operation private. Both REvil and Avaddon have taken the decision to stop their affiliates from attacking companies in certain sectors. Both ransomware gangs released statements confirming new rules have been introduced for affiliates that prohibit them from conducting attacks on the government, healthcare, charities, and educational institutions in any country. They also require their affiliates to obtain approval from the group before any attack. Should any affiliate attack a prohibited target, the victim will be provided with the decryptor free of charge and the affiliate will be permanently kicked out of the RaaS program.

Intel 471 also reports that the cryptocurrency mixing service, BitMix, which was used by REvil and Avaddon to launder the cryptocurrency generated from ransomware attacks has also been shut down.


Biden Signs Expansive Executive Order to Improve Cybersecurity for Federal Networks

On May 13, 2021, President Biden signed an expansive Executive Order that aims to significantly bolster cybersecurity protections for federal networks, improve threat information sharing between the government, law enforcement and the private sector, and introduce a cyber threat response playbook to accelerate incident response and mitigation.

The 34-page Executive Order includes short time frames for making significant improvements to cybersecurity, with all elements of the Executive Order due to be implemented within the next 360 days and the first elements due in 30 days.  The Executive Order was penned following a series of damaging cyberattacks that impacted government departments and agencies, such as the SolarWinds Orion Supply chain attack and attacks on Microsoft Exchange Servers. The recent DarkSide ransomware attack on Colonial Pipeline served as yet another reminder of the importance of improving cybersecurity, not just for the Federal government but also the private sector which owns and operates much of the country’s critical infrastructure.

President Biden is planning to lead by example and is urging the private sector and critical infrastructure firms to follow the lead of the Federal government in improving resilience to cyberattacks and preparing for attacks to ensure that disruption to operational capabilities is kept to a minimum.

The key elements of the Executive Order on Improving the Nation’s Cybersecurity are:

  • Removing barriers to threat information sharing to make it easier for private sector companies to report threats and data breaches that could potentially have an impact on Federal networks.
  • Modernizing and implementing stronger cybersecurity standards in the Federal government. This includes widespread use of multifactor authentication, more extensive use of data encryption, the adoption of a zero-trust architecture, and a more rapid transition to secure cloud services.
  • The creation of a standard cyber incident response playbook. Government departments and agencies need to know, in advance, how to respond to threats. The playbook will ensure a rapid and uniform response to any cybersecurity incident.
  • Improvements to investigative and remediation capabilities. Detailed security event logs must be maintained by federal departments and agencies to ensure that cyberattacks can be easily investigated and remediated. Breach investigations have previously been hampered due to the lack of robust and consistent logging.
  • Improving software supply chain security. All software sold to the U.S. government will need to adhere to new security standards. Developers will be required to maintain greater visibility into their software solutions and make security data publicly available. The government will also launch a pilot “energy star” label program to demonstrate whether software was developed securely.
  • A Cybersecurity Safety Review Board will be created that consists of government and private sector leads that will meet following any significant security breach to analyze what has happened. Recommendations can then be made and implemented to ensure similar attacks are prevented in the future.
  • Improvements to cyber incident detection capabilities. A government-wide endpoint detection and response system will be implemented, along with robust intra-governmental information sharing.

“This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur,” explained the Biden Administration in a statement about the Executive Order. “It is the first of many ambitious steps the Administration is taking to modernize national cyber defenses.”


Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall

2020 was certainly not a typical year. The pandemic placed huge pressures on IT security teams and businesses were forced to rapidly accelerate their digital transformation plans and massively expand their remote working capabilities. Cyber actors seized the opportunities created by the pandemic and exploited vulnerabilities in security defenses to gain access to business networks and sensitive data.

In 2020, phishing and ransomware attacks increased, as did web application attacks, according to the recently published Verizon 2021 Data Breach Investigations Report. The report provides insights into the tactics, techniques and procedures used by nation state actors and cybercriminal groups and how these changed during the pandemic.

To compile the Verizon 2021 Data Breach Investigations Report, the researchers analyzed 79,635 incidents, of which 29,207 met the required quality standards and included 5,258 confirmed data breaches in 88 countries – one third more data breaches than the previous year’s DBIR.

2020 saw an 11% increase in phishing attacks, with cases of misrepresentation such as email impersonation attacks at 15 times the level of 2019. There was a 6% increase in ransomware attacks, with 10% of all data breaches in 2020 involving the use of ransomware – twice the level of the previous year.

Across all industry sectors, phishing was the main cause of data breaches and was involved in 36% of incidents. The researchers attributed the increase in phishing attacks to the pandemic, with COVID-19 and other related pandemic lures extensively used in targeted attacks on at-home workers. While phishing attacks and the use of stolen credentials are linked, the researchers found attacks involving stolen credentials were similar to the level of the previous year and were involved in 25% of breaches. Exploitation of vulnerabilities was also common, but in most cases it was not new vulnerabilities being exploited but vulnerabilities for which patches have been available for several months or years.

The increase in remote working forced businesses to move many of their business functions to the cloud and securing those cloud resources proved to be a challenge. Attacks on web applications accounted for 39% of all data breaches, far higher than the previous year. Attacks on external cloud assets were much more common than attacks on on-premises assets.

61% of data breaches involved credential theft, which is consistent with previous data breach investigation reports and 85% of data breaches involved a human element. In the majority of cases (80%), data breaches were discovered by a third party rather than the breached entity.

There were considerable variations in attacks and data breaches across the 12 different industry verticals represented in the report. In healthcare, human error continued to be the main cause of data breaches, as has been the case for the past several years. The most common cause of healthcare data breaches was misdelivery of paper and electronic documents (36%), a figure that was far higher in the financial sector (55%). In public administration, the main cause of data breaches was social engineering, such as phishing attacks to obtain credentials.

Healthcare Data Breaches in 2020. Source: Verizon 2021 Data Breach Investigations Report

Verizon analyzed 655 healthcare security incidents, which included 472 data breaches. 221 incidents involved malware, 178 hacking, 137 human error, and 106 social attacks. For the second consecutive year, incidents involving malicious insiders have fallen out of the top three attack types. While it is certainly good news that the number of malicious insider incidents is falling, that does not mean that these incidents are no longer occurring. It could indicate malicious insiders are able to cover their tracks much better. Attacks by external threat actors significantly increased, with healthcare industry cyberattacks commonly involving the use of ransomware. 61% of incidents were the work of external threat actors and 39% were internal data breaches.

Interestingly, considering the value of medical data on the black market, medical data was not the most commonly breached data type. Medical data was breached in 55% of data breaches, with personal data breached in 66% of incidents. 32% of breaches involved the theft of credentials. Verizon suggests that could be due to the opportunistic nature of attacks by external threat actors. “With the increase of External actor breaches, it may simply be that the data taken is more opportunistic in nature. If controls, for instance, are more stringent on Medical data, an attacker may only be able to access Personal data, which is still useful for financial fraud. Simply put, they may take what they can get and run.”

Breach detection has been steadily improving since 2016, when the majority of data breaches took months or more to identify. The majority of data breaches are now being discovered in days or less, although most commonly not by the breached entity.  80% of data breaches were identified by a third party.

The cost of a data breach is now estimated to be $21,659 on average, with 95% of data breaches having a financial impact of between $826 and $653,587.


CISA/FBI Provide Best Practices for Preventing Business Disruption from Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert about DarkSide ransomware in the wake of the attack on the fuel pipeline company Colonial Pipeline.

The cyberattack caused major disruption to fuel supplies to the East Coast. Colonial Pipeline was forced to shut down systems to contain the threat, including the operational technology of its 5,500-mile pipeline which supplies diesel, gasoline, and jet fuel to the U.S. East Coast. The four main pipelines were shut down over the weekend, and while smaller pipelines were quickly restored, the main pipelines have remained shut down pending safety assessments. The pipelines transport around 2.5 million barrels of fuel a day and provide 45% of the East Coast’s fuel.

The attack affected Colonial Pipeline’s information technology network, but its operational technology network was not affected. The DarkSide ransomware gang issued a statement shortly after the attack explaining the attacks was conducted purely for financial reasons and not for political reasons or to cause economic or social disruption. The group also said it would be vetting future ransomware attacks by its affiliates and partners to avoid social consequences in the future.

The joint advisory from CISA and the FBI includes technical details of the attack along with several mitigations to reduce the risk of compromise in DarkSide ransomware attacks and ransomware attacks in general. All critical infrastructure owners and operators are being urged to implement the mitigations to prevent similar attacks.

Previous attacks by DarkSide partners have gained initial access to networks via phishing emails and the exploitation of vulnerabilities in remotely accessible accounts and systems and Virtual Desktop Infrastructure. The group is known to use Remote Desktop Protocol (RDP) to maintain persistence. As with many other human-operated ransomware operations, prior to the deployment of ransomware the attackers exfiltrate sensitive data and threaten to sell or publish the data if the ransom is not paid.

Preventing DarkSide and other ransomware attacks requires steps to be taken to block the initial attack vectors. Strong spam filters are required to prevent phishing emails from reaching inboxes and multi-factor authentication should be enabled for email accounts to prevent the stolen credentials from being used. MFA should also be implemented on all remote access to operational technology (OT) and information technology (IT) networks. An end user training program should be implemented to train employees how to recognize spear phishing emails and to teach cybersecurity best practices.

Network traffic should be filtered to prohibit communications with known malicious IP addresses, and web filtering technology used to prevent users from accessing malicious websites. It is vital for software and operating systems to be kept up to date and for patches to be applied promptly. CISA recommends using a centralized patch management system and a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.

Access to resources over networks should be restricted, especially RDP, which should be disabled if not operationally necessary. If RDP is required, MFA should be implemented. Steps should also be taken to prevent unauthorized execution of code, including disabling Office Macros and implementing application allowlisting to ensure only authorized programs can be executed in accordance with the security policy.

Inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected should be monitored and/or blocked, and signatures should be deployed to block inbound connections from Cobalt Strike servers and other post-exploitation tools.

It may not be possible to block all attacks, so steps should be taken to limit the severity of a successful attack to reduce the risk of severe business or functional degradation. These measures include robust network segmentation, organizing assets into logical zones, and implementing regular and robust backup procedures.

You can view the alert and recommended mitigations here.

The post CISA/FBI Provide Best Practices for Preventing Business Disruption from Ransomware Attacks appeared first on HIPAA Journal.

CISA Warns of FiveHands Ransomware Threat

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a new ransomware variant being used in attacks on a wide range of industry sectors, including healthcare.

So far, the threat group behind the attacks has mainly targeted small- to medium-sized companies, according to researchers at FireEye who have been tracking the activity of the threat group. It is currently unclear whether this is the work of a nation-state-backed hacking group or a cybercriminal organization. FireEye is tracking the group as UNC2447.

The threat group was first identified conducting FiveHands ransomware attacks in January and February, mostly on businesses in healthcare, telecommunications, construction, engineering, education, real estate, and the food and beverage industries. The group has been targeting an SQL injection vulnerability in the SonicWall SMA 100 Series VPN appliance – CVE-2021-20016 – to gain access to business networks and is using a variety of publicly available penetration and exploitation tools in the attacks.

FiveHands is a novel ransomware variant that utilizes public key encryption called NTRUEncrypt. This ensures that encrypted files cannot be decrypted without paying the ransom. Windows Volume Shadow copies are also deleted to hamper any attempts to recover data without paying the ransom. As with most other ransomware variants, sensitive data are identified and exfiltrated prior to file encryption, and victims are pressured into paying the ransom with the threat of the exposure or sale of stolen data.

Once access to a network is gained, the attackers use SoftPerfect Network Scanner (netscan.exe) for discovery, finding hostnames and network services. The attackers use PsExec for executing programs, including the Microsoft Sysinternals remote administration tool Servemanager.exe, along with other publicly available pen testing tools such as routerscan.exe, grabff.exe for extracting stored Firefox passwords and authentication data, and rclone.exe and s3browser-9-5-3.exe for uploading and downloading files. The SombRAT Trojan is also utilized in attacks as a loader for executing batch and text files.

FiveHands ransomware is able to evade security solutions through the use of PowerShell and can download additional malicious payloads. Communications with the C2 server pass through a Secure Sockets Layer (SSL) tunnel and are AES encrypted; the protected SSL session is used to deliver and execute downloadable DLL plug-ins. CISA reports that the FiveHands malware itself only provides the framework, with functionality added through the DLL plug-ins, which collect and exfiltrate system data such as running processes, computer name, username, operating system version, local system time, and other key data.
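The tooling described above (netscan.exe, PsExec, Servemanager.exe, routerscan.exe, grabff.exe, rclone.exe, s3browser-9-5-3.exe) and the shadow-copy deletion are all visible in ordinary process-creation telemetry. The following is an added example, not code from CISA, FireEye or HIPAA Journal: it triages constructed Sysmon-style process-creation events, maps each known tool name to the phase of the intrusion it serves, and ranks hosts by how many distinct phases were observed on them. The event records, host names, and the category labels are constructed for the example; the `vssadmin delete shadows` pattern is an assumption about how shadow copies are removed, since the page does not say which command FiveHands uses.

```python
"""Triage process-creation events for the FiveHands/UNC2447 tool set.

Added example (not from the CISA alert or HIPAA Journal). Event fields mimic
Sysmon Event ID 1 (Image, CommandLine, ParentImage); all records are constructed.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Tool names named on the page, mapped to the intrusion phase they serve.
# Category labels are this example's own choice.
TOOL_CATEGORIES = {
    "netscan.exe": "discovery",          # SoftPerfect Network Scanner
    "routerscan.exe": "discovery",
    "psexec.exe": "lateral-movement",
    "servemanager.exe": "lateral-movement",
    "grabff.exe": "credential-access",   # stored Firefox passwords
    "rclone.exe": "exfiltration",
}
# s3browser ships with a version suffix (s3browser-9-5-3.exe on the page).
S3BROWSER_RE = re.compile(r"^s3browser(-[\d-]+)?\.exe$", re.IGNORECASE)
# ASSUMPTION: shadow copies are deleted via vssadmin; the page only says they are deleted.
SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "parent": "services.exe"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\Downloads\\netscan.exe",
     "cmdline": "netscan.exe /range:10.0.0.0/24", "parent": "cmd.exe"},
    {"host": "FS02", "user": "CORP\\svc_backup", "image": "C:\\Tools\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\FS03 -s cmd.exe", "parent": "cmd.exe"},
    {"host": "FS02", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "parent": "cmd.exe"},
    {"host": "WS05", "user": "CORP\\asmith", "image": "C:\\Temp\\grabff.exe",
     "cmdline": "grabff.exe -o out.txt", "parent": "cmd.exe"},
    {"host": "WS05", "user": "CORP\\asmith", "image": "C:\\Temp\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Finance remote:bucket", "parent": "cmd.exe"},
    {"host": "WS07", "user": "CORP\\it_admin", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "cmdline": "firefox.exe", "parent": "explorer.exe"},
]


def classify_event(ev):
    """Return the intrusion phase an event indicates, or None if benign."""
    name = PureWindowsPath(ev["image"]).name.lower()
    if name in TOOL_CATEGORIES:
        return TOOL_CATEGORIES[name]
    if S3BROWSER_RE.match(name):
        return "exfiltration"
    if SHADOW_DELETE_RE.search(ev.get("cmdline", "")):
        return "recovery-inhibition"
    return None


def triage(events):
    """Map host -> sorted list of distinct phases observed on that host."""
    seen = defaultdict(set)
    for ev in events:
        cat = classify_event(ev)
        if cat:
            seen[ev["host"]].add(cat)
    return {host: sorted(cats) for host, cats in seen.items()}


def rank_hosts(events):
    """Hosts ordered by number of distinct phases (ties broken by name)."""
    summary = triage(events)
    return sorted(((h, len(c)) for h, c in summary.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for host, cats in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(cats)}")
    print("priority order:", rank_hosts(SAMPLE_EVENTS))
```

Matching on the image basename alone is deliberately loose: a renamed binary escapes it, so in practice the same categories would also be keyed on file hashes or signer, but the phase-per-host view already shows why FS02 (lateral movement plus shadow-copy deletion) deserves attention before a host with a single discovery hit.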

CISA has offered several mitigations that can be implemented to strengthen security and block FiveHands ransomware attacks. Organizations that use the SonicWall SMA 100 Series VPN appliance should ensure the patch for the CVE-2021-20016 vulnerability is applied. SonicWall corrected the vulnerability in February.

Other recommendations include:

  • Maintain up-to-date antivirus signatures and engines.
  • Disable file and printer sharing services.
  • Restrict users’ permissions to install and run software applications.
  • Implement multi-factor authentication (MFA), especially on VPN connections.
  • Decommission unused VPN servers.
  • Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
  • Exercise caution when opening email attachments.
  • Enable personal firewalls on agency workstations.
  • Disable unnecessary services on agency workstations and servers.
  • Monitor users’ web browsing habits.
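Two of the recommendations on this page are connection-level checks: the CISA/FBI DarkSide advisory above asks for inbound connections from Tor exit nodes and other anonymization services to unexpected ports to be monitored or blocked, and the FiveHands list asks for outbound traffic to be watched for unapproved protocols such as SSH, SMB and RDP. The following is an added example, not code from CISA or HIPAA Journal, that applies both rules to constructed firewall-style connection records. The log format, the internal network, the "expected inbound ports" table and the approved outbound exceptions are assumptions, and the anonymizer address ranges are documentation prefixes standing in for a real Tor exit-node list, which an operator would fetch from a maintained source.

```python
"""Connection-log policy check for two published ransomware mitigations:
  1. inbound from anonymization services to unexpected ports -> monitor/block
  2. outbound SSH/SMB/RDP to the internet from unapproved hosts -> alert
Added example; log format and all addresses are constructed.
"""
import ipaddress
import re

# ASSUMPTION: documentation prefixes stand in for a real, regularly refreshed
# Tor exit-node / anonymizer list.
ANONYMIZER_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Ports on which each internal host legitimately accepts external connections.
EXPECTED_INBOUND = {"10.0.0.5": {443}, "10.0.0.9": {443, 25}}
# Outbound protocols the FiveHands alert names as worth watching.
WATCHED_OUTBOUND = {22: "SSH", 445: "SMB", 3389: "RDP"}
# (source host, port) pairs that are approved, e.g. a jump host allowed to SSH out.
APPROVED_OUTBOUND = {("10.0.0.20", 22)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>in|out) src=(?P<src>\S+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

# Constructed sample log (not real traffic); last line is deliberately malformed.
SAMPLE_LOG = """\
2021-05-11T10:03:12Z in src=203.0.113.7 sport=41234 dst=10.0.0.5 dport=3389 proto=tcp
2021-05-11T10:03:15Z in src=203.0.113.7 sport=41240 dst=10.0.0.5 dport=443 proto=tcp
2021-05-11T10:04:01Z in src=192.0.2.44 sport=51000 dst=10.0.0.9 dport=25 proto=tcp
2021-05-11T10:05:30Z out src=10.0.0.31 sport=52011 dst=192.0.2.80 dport=445 proto=tcp
2021-05-11T10:06:02Z out src=10.0.0.20 sport=52100 dst=192.0.2.81 dport=22 proto=tcp
2021-05-11T10:06:40Z out src=10.0.0.31 sport=52200 dst=192.0.2.90 dport=443 proto=tcp
this line is garbage and must be skipped
"""


def in_any(ip, nets):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_line(line):
    """Parse one connection record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def evaluate(rec):
    """Apply both rules to one record; return a finding dict or None."""
    if rec["dir"] == "in" and in_any(rec["src"], ANONYMIZER_NETS):
        expected = EXPECTED_INBOUND.get(rec["dst"], set())
        # Expected port: keep watching. Unexpected port: block.
        action = "monitor" if rec["dport"] in expected else "block"
        return {"ts": rec["ts"], "rule": "anonymizer-inbound", "action": action,
                "detail": f"{rec['src']} -> {rec['dst']}:{rec['dport']}"}
    if rec["dir"] == "out" and not in_any(rec["dst"], INTERNAL_NETS):
        proto_name = WATCHED_OUTBOUND.get(rec["dport"])
        if proto_name and (rec["src"], rec["dport"]) not in APPROVED_OUTBOUND:
            return {"ts": rec["ts"], "rule": "unexpected-outbound-protocol", "action": "alert",
                    "detail": f"{proto_name} from {rec['src']} to {rec['dst']}:{rec['dport']}"}
    return None


def run(log_text):
    """Return the list of findings for a block of log text, skipping bad lines."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = evaluate(rec)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in run(SAMPLE_LOG):
        print(f"{f['ts']} {f['rule']:30} {f['action']:8} {f['detail']}")
```

The two rules are kept as a table plus an approved-exceptions set rather than hard-coded conditions so that the same check can be widened (more watched ports, more expected services) without touching the matching logic; the approved list is what stops a legitimate jump host's SSH session from drowning out the SMB connection that actually matters.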


Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause

Network intrusion incidents have overtaken phishing, which had been the main cause of data breaches for the past 5 years, as the leading cause of healthcare data security incidents.

In 2020, 58% of the security incidents dealt with by BakerHostetler’s Digital Assets and Data Management (DADM) Practice Group were network intrusions, most commonly involving the use of ransomware.

This is the 7th consecutive year that the BakerHostetler 2021 Data Security Incident Response (DSIR) Report has been published. The report provides insights into the current threat landscape and offers risk mitigation and compromise response intelligence to help organizations better defend against attacks and improve their incident response. The report is based on the findings of more than 1,250 data security incidents managed by the company in 2020, which included a wide variety of attacks on healthcare organizations and their vendors.

Ransomware attacks are now the attack method of choice for many cybercriminal organizations and have proven to be very profitable. By exfiltrating data prior to encryption, victims not only have to pay to recover their files, but also to prevent the exposure or sale of sensitive data. This new double extortion tactic has been very effective and data exfiltration prior to file encryption is now the norm. Throughout 2020, ransomware attacks continued to grow in frequency and severity.

BakerHostetler reports that the ransoms demanded and the number being paid increased dramatically in 2020, as did the number of threat groups/ransomware variants involved in the attacks. In 2019, there were just 15. In 2020, the number had grown to 75.

Out of the incidents investigated and managed by BakerHostetler in 2020, the largest ransom demand was for more than $65 million. The largest ransom demand in 2019 was ‘just’ $18 million. Payments are often made to speed up recovery, ensure data are recovered, and to prevent the sale or exposure of data. In 2020, the largest ransom paid was more than $15 million – up from just over $5 million in 2019 – and the average ransom payment more than doubled from $303,539 in 2019 to $797,620 in 2020.

In healthcare, the average initial ransom demand was $4,583,090 with a median ransom demand of $1.6 million. The average payment was $910,335 (median $332,330), and the average number of individuals affected was 39,180 (median 1,270). The average time to acceptable restoration of data was 4.1 days and the average forensic investigation cost was $58,963 (median $25,000).

Across all industry sectors, 70% of ransom notes claimed sensitive data had been stolen and 90% of investigations found some evidence of data exfiltration. 25% of incidents resulted in theft of data that required notifications to be issued to individuals. 20% of victims made a payment to the attackers even though they were able to recover their data from backups.

When ransoms are paid, in 99% of cases the payment was made by a third party for the affected organization and in 98% of cases a valid encryption key was provided to allow data to be recovered. It took an average of 13 days from encryption to restoration of data.

Phishing accounted for 24% of all security incidents. Phishing attacks often led to network intrusion (33%), ransomware attacks (26%), data theft (24%), and Office 365 account takeovers (21%).

“In 2020 we saw a continued surge in ransomware as well as an increase in large supply chain matters, further stretching the capacity of the incident response industry,” said Theodore J. Kobus III, chair of BakerHostetler’s DADM Practice Group. “Organizations worked to quickly contain incidents – despite challenges in simply getting passwords changed and endpoint, detection and response tools deployed to remote workers.”

It is more common now for legal action to be taken by breach victims. The trend for lawsuits being filed when breaches impact fewer than 100,000 individuals continued to increase in 2020, which is driving up the data breach cost. HIPAA enforcement activity also continued at elevated levels, although in 2020 the majority of the financial penalties issued were for HIPAA Right of Access failures, rather than fines related to security breaches.
