Healthcare Cybersecurity

Study Suggests Paying a Ransom Doubles the Cost of Recovery from a Ransomware Attack

Organizations that experience a ransomware attack may be tempted to pay the ransom to reduce downtime and save on recovery costs, but a survey commissioned by Sophos suggests organizations that pay the ransom actually end up spending much more than those that recover files from backups.

The FBI does not recommend paying a ransom as giving attackers money enables them to conduct more attacks and could see a victim targeted further and there is no guarantee that valid keys will be supplied to decrypt data. The increased cost can now be added to the list of reasons not to pay.

The survey was conducted by market research firm Vanson Bourne between January and February 2020 on approximately 5,000 IT decision makers at companies with between 100 and 5,000 employees across 26 countries including the United States, Canada, and the United Kingdom.

51% of the people surveyed said they had experienced a ransomware attack in the previous 12 months, 73% of whom said the attack resulted in the encryption of data. 26% of attacked organizations paid the ransom and 73% did not. 56% of firms said they were able to recover their files from backups. Out of the firms that paid the ransom, 95% said they were able to recover their data. 1% of firms that paid the ransom said they were unable to recover their data.

84% of organizations said they had a cyber insurance policy, but only 64% said that policy covered ransomware attacks. Out of the 64% that did have coverage for ransomware attacks, 94% said the ransom was paid by their insurance company.

Victims of ransomware attacks were asked to provide an estimate cost of the attack, including downtime, staff costs, equipment costs, lost business, and other associated costs. The average cost in cases where the ransom was not paid was $732,520 whereas the cost was around twice that amount at organizations that paid the ransom -$1,448,458.

The ransom payment must be covered, which is often sizable, and many of the costs associated with an attack have to be covered even if the ransom is paid. It may be an attractive option to pay the ransom to recover more quickly, but the reality is recovery may not be shortened considerably even if the ransom is paid. Oftentimes a separate decryption key is required for each endpoint so recovery will still be an incredibly time-consuming process, which may not be straightforward. It is also not unusual for data to be corrupted during encryption and decryption.

The take home message is to make sure that you have the option of recovering files from backups, which means ensuring multiple backups are made with one copy stored on an air-gapped device. Backups must also be tested to make sure data hasn’t been corrupted and file recovery is possible. You should then follow the FBI’s recommendations and not pay the ransom unless you have no other choice.

The post Study Suggests Paying a Ransom Doubles the Cost of Recovery from a Ransomware Attack appeared first on HIPAA Journal.

Chinese Hacking Groups are Targeting COVID-19 Research Organizations

Organizations involved in research into SARS-CoV-2 and COVID-19 have been warned that they are being targeted by hackers affiliated with the Peoples Republic of China (PRC) and should take steps to protect their systems from attack.

The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and the Federal Bureau of Investigation (FBI) have warned that organizations in the health care, pharmaceutical, and research sectors that are working on testing procedures, SARS-CoV-2 vaccines, and new treatments for COVID-19 are being targeted by hackers looking to gain access to research data to advance PRC’s research program. The Trump Administration has also warned that cyber espionage campaigns targeting COVID-19 research organizations are now being conducted by hackers linked to Iran.

In the alert, CISA and the FBI warn that the theft of intellectual property in these attacks jeopardizes the delivery of secure, effective, and efficient treatment options. All organizations involved in COVID-19 research have been advised to apply the recommended mitigations as soon as possible to prevent surreptitious review and theft of COVID-19 related data.

CISA warns that press attention affiliating an organization with COVID-19 research is likely to result in increased interest and cyber activity and it is best to assume that targeted cyber attacks will occur. Patching efforts should be stepped up and critical vulnerabilities should be addressed on all systems. If patches cannot be applied to address vulnerabilities, mitigations should be implemented until the patches can be applied. Priority should be given to vulnerabilities known to have been exploited by these threat actors and vulnerabilities on internet-connected servers and software processing internet data.

Scans should be conducted on all web applications to identify anomalous activity that could indicate unauthorized access and checks conducted to identify any modifications that have been made to the applications.  Authentication measures should be strengthened, and multi-factor authentication should be implemented.

Scans should be performed to identify unusual user activity. When anomalous behavior is detected, access should be immediately suspended pending further investigation. When suspicious or criminal activity is detected, the local FBI field office should be alerted. CISA and the FBI will be releasing technical information about threats and cyberattacks in the coming days.

The post Chinese Hacking Groups are Targeting COVID-19 Research Organizations appeared first on HIPAA Journal.

CISA and FBI Publish List of Top 10 Exploited Vulnerabilities

On Tuesday, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint public service announcement detailing the top 10 most exploited vulnerabilities between 2016 and 2019. These vulnerabilities have been exploited by sophisticated nation state hackers to attack organizations in the public and private sectors to gain access to their networks to steal sensitive data.

The vulnerabilities included in the list have been extensively exploited by hacking groups with ties to China, Iran, Russia and North Korea with those cyber actors are still conducting attacks exploiting the vulnerabilities, even though patches have been released to address the flaws. In some cases, patches have been available for more than 5 years, but some organizations have still not applied the patches.

Exploiting the vulnerabilities in the top 10 list requires fewer resources compared to zero-day exploits, which means more attacks can be conducted. When patches are applied to address the top 10 vulnerabilities, nation state hackers will be forced to develop new exploits which will limit their ability to conduct attacks.

“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries,” explains CISA and FBI in the alert.

CISA and the FBI hope the list will help organizations to prioritize patching and are urging all organizations to invest more time and resources into patching and develop a program that will keep all system patching up to date moving forward.

Top 10 Routinely Exploited Vulnerabilities

The top 10 list of routinely exploited vulnerabilities includes flaws in Microsoft Office, Microsoft Windows, Microsoft SharePoint, Microsoft .NET Framework, Apache Struts, Adobe Flash Player, and Drupal. Out of the top ten, most nation state hacking groups have concentrated on just three vulnerabilities – CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158 – all of which concern Microsoft’s OLE technology. Microsoft’s Object Linking and Embedding (OLE) allows content from other applications to be embedded in Word Documents. The fourth most commonly exploited vulnerability – CVE-2017-5638 – is present in the web framework, Apache Struts. These vulnerabilities have been exploited to deploy a range of different malware payloads including Loki, FormBook, Pony/FAREIT, FINSPY, LATENTBOT, Dridex, JexBos, China Chopper, DOGCALL, WingBird, FinFisher, and Kitty.

Priority Vulnerability Affected Products
1 CVE-2017-11882 Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products
2 CVE-2017-0199 Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
3 CVE-2017-5638 Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
4 CVE-2012-0158 Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
5 CVE-2019-0604 Microsoft SharePoint
6 CVE-2017-0143 Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT
7 CVE-2018-4878 Adobe Flash Player before 28.0.0.161
8 CVE-2017-8759 Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
9 CVE-2015-1641 Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
10 CVE-2018-7600 Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1

 

A warning has also been issued about two vulnerabilities that have been exploited in attacks in 2020. These vulnerabilities both concern Virtual Private Network (VPN) solutions and have been exploited by nation state hackers and cybercriminal groups: The Citrix vulnerability CVE-2019-19781 and the Pulse Secure VPN vulnerability CVE-2019-11510.

The rush to implement cloud collaboration services such as Microsoft Office 365 to allow employees to work remotely due to COVID-19 has given hackers new options for attacking organizations. Hasty deployments of these solutions have led to oversights in security configurations which makes them vulnerable to attack. Cybersecurity weaknesses are also being targeted, such as poor employee education about phishing and social engineering. A lack of system recovery and contingency plans has also placed organizations at risk of ransomware attacks.

The post CISA and FBI Publish List of Top 10 Exploited Vulnerabilities appeared first on HIPAA Journal.

Zoom Reaches Settlement with NY Attorney General Over Privacy and Security Issues

Zoom reached an agreement with the New York Attorney General’s office and has committed to implementing better privacy and security controls for its teleconferencing platform. New York Attorney General Letitia James launched an investigation into Zoom after researchers uncovered a number of privacy and security issues with the platform earlier this year.

Zoom has proven to be one of the most popular teleconferencing platforms during the COVID-19 pandemic. In March, more than 200 million individuals were participating in Zoom meetings with usership growing by 2,000% in the space of just three months. As the number of users grew and the platform started to be used more frequently by consumers and students, flaws in the platform started to emerge.

Meeting participants started reporting cases of uninvited people joining and disrupting private meetings. Several of these “Zoombombing” attacks saw participants racially abused and harassed on the basis of religion and gender. There were also several reported cases of uninvited individuals joining meetings and displaying pornographic images.

Then security researchers started uncovering privacy and security issues with the platform. Zoom stated on its website that Zoom meetings were protected with end-to-end encryption, but it was discovered that Zoom had used AES 128 bit encryption rather than AES 256 bit encryption and its end-to-end encryption claim was false. Zoom was also discovered to have issued encryption keys through data centers in China, even though meetings were taking place between users in the United States.

Zoom used Facebook’s SDK for iOS to allow users of the iOS mobile app to login through Facebook, which meant that Facebook was provided with technical data related to users’ devices each time they opened the Zoom app. While Zoom did state in its privacy policy that third-party tools may collect information about users, data was discovered to have been passed to Facebook even when users had not used the Facebook login with the app.  There were also privacy issues associated with the LinkedIn Sales Navigator feature, which allowed meeting participants to view the LinkedIn profiles of other meeting participants, even when they had taken steps to remain anonymous by adopting pseudonyms. The Company Directory feature of the platform was found to violate the privacy of some users by leaking personal information to other users if they had the same email domain.

Zoom responded quickly to the privacy and security issues and corrected most within a few days of discovery. The firm also announced that it was halting all development work to concentrate on privacy and security. The company also enacted a CISO Council and Advisory Board to focus on privacy and security and Zoom recently announced that it has acquired the start-up firm Keybase, which will help to implement end-to-end encryption for Zoom meetings.

Under the terms off the settlement with the New York Attorney General’s office, Zoom has agreed to implement a comprehensive data security program to ensure its users are protected. The program will be overseen by Zoom’s head of security. The company has also agreed to conduct a comprehensive security risk assessment and code review and will fix all identified security issues with the platform. Privacy controls will also be implemented to protect free accounts, such as those used by schools.

Under the terms of the settlement, Zoom must continue to review privacy and security and implement further protections to give its users greater control over their privacy. Steps must also be taken to regulate abusive activity on the platform.

“This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call,” said Attorney General James.

The post Zoom Reaches Settlement with NY Attorney General Over Privacy and Security Issues appeared first on HIPAA Journal.

Government Healthcare Agencies and COVID-19 Research Organizations Targeted by Nigerian BEC Scammers

Business email compromise scammers operating out of Nigeria have been targeting government healthcare agencies, COVID-19 research organizations, and pandemic response organizations to obtain fraudulent wire transfer payments and spread malware.

The attacks were detected by Palo Alto Networks’ Unit 42 team researchers and have been attributed to a cybercriminal organization called SilverTerrier. SilverTerrier actors have been highly active over the past 12 months and are known to have conducted at least 2.1 million BEC attacks since the Unit 42 team started tracking their activity in 2014. In 2019, the group conducted an average of 92,739 attacks per month, with activity peaking in June when 245,637 attacks were conducted.

The gang has been observed exploiting the CVE-2017-11882 vulnerability in Microsoft Office to install malware, but most commonly uses spear phishing emails targeting individuals in the finance department. The gang uses standard phishing lures such as fake invoices and payment advice notifications to trick recipients into opening malicious email attachments that install malware. A wide range of malware variants have been used by the gang, including information stealers such as Lokibot, Pony, and PredatorPain and remote administration tools to maintain persistent access to compromised systems. The gangs use malware to steal sensitive information and gain access to bank accounts and payroll systems. BEC attacks are also conducted to obtain fraudulent wire transfer payments.

Unit 42 researchers have tracked the activity of three threat actors from the group over the past 3 months who, between them, have conducted 10 COVID-19 themed malware campaigns on organizations involved in the national response to COVID-19 in Australia, Canada, Italy, the United Kingdom, and the United States.

Recent targets have included government healthcare agencies, local and regional governments, medical publishing companies, research firms, insurance companies, and universities with medical programs and medical centers. 170 distinct phishing emails have been identified by the researchers, several of which related to supplies of face masks and other personal protective equipment.

SilverTerrier attacks increased by 172% in 2019 and Palo Alto Networks reports there is no indication that the attacks will slow in 2020. “In light of this trend, we encourage government agencies, healthcare and insurance organisations, public utilities, and universities with medical programs to apply extra scrutiny to Covid-19-related emails containing attachments,” said the researchers. Since the attacks are mostly conducted by email, the best defense is training for staff to help them identify spear phishing emails and an advanced spam filtering solution to prevent the emails from being delivered to inboxes. It is also important to check to make sure that the CVE-2017-11882 Microsoft Office vulnerability and to continue to apply patches promptly.

 

The post Government Healthcare Agencies and COVID-19 Research Organizations Targeted by Nigerian BEC Scammers appeared first on HIPAA Journal.

CISA Issues Fresh Alert About Ongoing APT Group Attacks on Healthcare Organizations

Advanced Persistent Threat (APT) groups are continuing to target healthcare providers, pharmaceutical firms, research institutions, and others involved in the COVID-19 response, prompting a further joint alert from cybersecurity authorities in the United State and United Kingdom.

The latest warning from the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) follows on from an earlier joint alert issued on April 8, 2020 and provides further information on the tactics, techniques, and procedures being used by the APT groups to gain access to networks and sensitive data.

In the latest alert, CISA/NCSC explained that APT groups are targeting organizations involved in COVID-19 research to obtain sensitive information on the COVID-19 response and research data to further the domestic research efforts in countries that fund the APT groups.

APT groups often target healthcare organizations to obtain personal information of patients, intellectual property, and intelligence that aligns with national priorities. APT groups do not appear to be conducting higher numbers of attacks, they have just shifted their focus and are now concentrating attacks on organizations engaged in the response to COVID-19. CISA/NCSC warn that efforts to obtain sensitive data are continuing with national and international healthcare organizations being targeted in order to acquire sensitive COVID-19 research data.

One of the ways that the attacks are being conducted is to target supply chains, which are seen as a weak link that can be exploited to gain access to higher value targets. Many employees of organizations in the supply chain are now working from home due to the COVID-19 lockdown, and new vulnerabilities have been introduced as a result.

The APT groups are using a variety of methods to infiltrate networks, gain persistence, and steal sensitive data. The alert raises awareness of two tactics that have been observed over the past few weeks: Exploitation of vulnerabilities and password spraying.

Many employees have been forced to work from home during the pandemic to help control the spread of the virus and are accessing their corporate networks using virtual private networks (VPNs). Several commercial VPN solutions have been found to have exploitable vulnerabilities which are now being exploited. In 2019, VPN solutions from Palo Alto Networks, Pulse Secure, and Fortinet were found to have vulnerabilities and patches were released to correct the flaws. Many organizations are also vulnerable to the Citrix vulnerability, CVE-2019-19781. Patches to correct these flaws were released several months ago but many organizations have not yet applied the patches and are vulnerable to attack. APT groups have been observed conducting scans to identify organizations that have not yet patched the Citrix and VPN vulnerabilities and are actively exploiting the flaws.

APT groups are also conducting password spraying attacks to gain access to corporate systems. Password spraying is a type of brute force attack that involves the use of commonly used passwords. These attacks involve using a commonly used passwords to see if it allows access to a system. The same password is then tried on multiple accounts before the process is repeated with a second password. That process continues until the correct password is found.

CISA/NCSC warn that this tactic is often successful, as within any large group of users there will be commonly used passwords. The approach of using one password on many different accounts before moving on to the next also helps the attackers conduct attacks undetected, as this would be less likely to trigger account lockouts due to too many failed password attempts in a short period of time.

Once an attack succeeds and a correct password is found, the password is used to access other accounts where the password has been reused. Attackers also download global address lists which are used for further password spraying attacks on the organization. The attackers also attempt to move laterally to steal additional credentials and sensitive data.

CISA/NCSC have provided mitigations that will help healthcare organizations harden security against these attacks. These include ensuring VPN clients and infrastructure are updated and running the latest versions of software and patching all other software and operating systems promptly. Multi-factor authentication should be configured to prevent stolen or brute forced passwords from being used to access accounts, the management interfaces of critical systems should also be protected to prevent attackers from gaining privileged access to vital assets, and monitoring capability should be stepped up to identify network intrusions.

You can view the CISA/NCSC alert, mitigations, and other useful resources on this link.

The post CISA Issues Fresh Alert About Ongoing APT Group Attacks on Healthcare Organizations appeared first on HIPAA Journal.

Worldwide Spike in Brute Force RDP Attacks During COVID-19 Pandemic

COVID-19 has forced many organizations to rapidly scale up the numbers of employees working from home, which has created new opportunities for cybercriminals to conduct attacks. Cyberattacks on remote workers have increased substantially during the COVID-19 lockdown, with application-level protocols used by remote workers to connect to corporate systems now being extensively targeted.

Remote Desktop Protocol (RDP) is a proprietary communications protocol developed by Microsoft to allow employees, IT workers, and others to remotely connect to corporate systems, services, and virtual desktops. The protocol has been used by many organizations to allow their employees to work from home on personal computers.

RDP has also proven to be popular with cybercriminals. In line with the increase in remote workers accessing systems via RDP, cybercriminals have stepped up attacks. New data from Kaspersky show a major worldwide increase in brute force attacks on RDP.

In order to connect via RDP, employees typically need to enter a username and password. Brute force attacks on RDP are conducted to guess those passwords, which involves trying different password combinations until the right one is guessed. That can take a long time for complex passwords, but the attacks start with dictionary words and passwords obtained in prior data breaches. Annual worst passwords lists show a great deal of people still choose easy to remember passwords, which can be correctly guessed in these automated RDP attacks in a matter of seconds.

Once the credentials have been correctly guessed, they can be used to remotely connect to whatever systems an employee is authorized to access. Even if a fairly low-level set of credentials is compromised, it can give hackers the foothold in the network to conduct extensive attacks on the organization. These unauthorized logins using stolen credentials can be difficult for IT security teams to identify.

Once access is gained, attackers can take control of email accounts and send phishing emails internally to other employees. As has been made clear in the many phishing incidents reported by healthcare providers in recent months, a single email account compromise could result in a data breach involving hundreds, thousands, or even hundreds of thousands of patents’ protected health information. Ransomware and other malware can also be installed.

The scale of the attacks is alarming. “During the last year, there were some spikes of such attacks in different regions, but they were mainly local and small,” said, Kaspersky security researcher, Dmitry Galov. “Right now, we can see that almost worldwide, the amount of attacks increased significantly. For instance, in February we witnessed 93,102,836 attacks globally. In April, the figure was already 326,896,999.”

The number of RDP brute force attacks in the United States more than doubled between January 2 and March 3, and almost tripled by April 7, when there were 1.4 million RDP brute force attacks detected.

Increase in Brute Force RDP Attacks. Source: Kaspersky

The brute force RDP attacks are likely to continue at high levels for the foreseeable future, and certainly until the number of remote employees reduces once the COVID-19 crisis is over.

There are several steps that companies can take to reduce the risk of these attacks succeeding. One of the most important steps to take is to implement password policies that force users to set strong passwords that are difficult to guess. Two-factor authentication is also important. If a password is guessed, a second factor must be provided before a connection is allowed. Employees should also use a corporate VPN to connect remotely along with Network Level Authentication (NLA) measures to block unauthorized access attempts. Kaspersky also warns that if RDP is not being used by remote employees, port 3389 should be disabled.

The post Worldwide Spike in Brute Force RDP Attacks During COVID-19 Pandemic appeared first on HIPAA Journal.

NSA Cybersecurity Guidance for Teleworkers and Other Useful COVID-19 Threat Resources

The National Security Agency has issued cybersecurity guidance for teleworkers to help improve security when working remotely. The guidance has been released primarily for U.S. government employees and military service members, but it is also relevant to healthcare industry workers providing telehealth services from their home computers and smartphones.

There are many consumer and enterprise-grade communication solutions available and the cybersecurity protections offered by each can differ considerably. The guidance document outlines 9 important considerations when selecting a collaboration service. By assessing each service against the 9 criteria, remote workers will be able to choose the most appropriate solution to meet their needs.

The NSA strongly recommends conducting high-level security assessments to determine how the security capabilities of each platform performs against certain security criteria. These assessments are useful for identifying risks associated with the features of each tool. The guidance document also provides information on using the collaboration services securely.

The NSA recommends the guidance should be reviewed by all employees who are now working from home to allow them to make an informed decision about the best communication and collaboration tools to use to meet their specific needs, and for workers to take the steps outlined in the guidance document to mitigate risks of cyberattacks.

The guidance document, Selecting and Securely Using Collaboration Service for Telework can be downloaded here.

Healthcare-specific guidance for remote workers has also recently been published by the American Hospital Association (AHA) /American Medical Association (AMA), which should be used in conjunction with the NSA guidance.

OCR Suggests Resources to Help Healthcare Organizations Combat COVID-19 Threats

On April 30, 2020, the HHS’ Office for Civil Rights suggested several resources covering the current threat landscape and the steps that can be taken to reduce risks to a reasonable and acceptable level, as detailed below:

The post NSA Cybersecurity Guidance for Teleworkers and Other Useful COVID-19 Threat Resources appeared first on HIPAA Journal.

Advice for Healthcare Organizations on Preventing and Detecting Human-Operated Ransomware Attacks

Human-operated ransomware attacks on healthcare organizations and critical infrastructure have increased during the COVID-19 pandemic. Dozens of attacks have occurred on healthcare organizations in recent weeks, including Parkview Medical Center, ExecuPharm, and Brandywine Counselling and Community Services.

Many ransomware attacks are automated and start with a phishing email. Once ransomware is downloaded, it typically runs its encryption routine within an hour. Human-operated ransomware attacks are different. Access is gained to systems several weeks or months before ransomware is deployed. During that time, the attackers obtain credentials, move laterally, and collect and exfiltrate data before encrypting files with ransomware.

The attackers can lay dormant in systems for several months before choosing their moment to deploy the ransomware to maximize the disruption caused. The COVID-19 pandemic is the ideal time for deployment of ransomware on healthcare organizations and others involved in the response to COVID-19, as there is a higher probability that the ransom will be paid to ensure a quick recovery.

In the first two weeks of April alone, dozens of attacks have been conducted by a range of advanced cybercriminal organizations on healthcare providers, medical billing companies, research and pharmaceutical firms, and suppliers to the healthcare industry, along with attacks on educational software providers, manufacturers, government institutions, and aid organizations, according to data from Microsoft.

During the first two weeks in April, Microsoft observed human-operated ransomware attacks using 10 different ransomware variants: RobbinHood, Maze, PonyFinal, REvil (Sodinokibi), Valet Loader, NetWalker, Paradise, RagnarLocker, MedusaLocker, and LockBit. While it may appear that ransomware activity has increased in recent weeks, Microsoft explains that in the April attacks, the attackers initially compromised the systems much earlier and they have been biding their time before deploying ransomware. In many cases, the initial compromise occurred several months before the ransomware was deployed.

Different threat groups use different ransomware variants to encrypt files, but the attacks usually occur in the same way. First, the attackers gain access to systems, then they steal credentials, move laterally, exfiltrate sensitive data, establish persistence, before delivering and executing the ransomware payload.

Microsoft has shared information on how the attackers gain access to systems to help network defenders harden their defenses and block attacks. While there are many possible ways of attacking an organization, these threat actors typically use the same methods to gain access.

One of the most common methods of attack is through Remote Desktop Protocol and Virtual Desktop endpoints that lack multi-factor authentication, either through the use of stolen credentials or through brute force tactics to guess weak passwords. Without multi-factor authentication, the stolen credentials can be used to access systems. Since valid credentials are used, network defenders fail to identify attackers accessing their systems.

Weaknesses in internet-facing systems are commonly exploited, such as misconfigured web servers, EHRs, backup servers, and systems management servers. Unpatched vulnerabilities are also often exploited to gain access, with several of the April 2020 attacks having exploited the Citrix Application Delivery Controller (ADC) flaw, CVE-2019-19781, and the Pulse Secure VPN flaw, CVE-2019-11510. Vulnerabilities in unsupported operating systems are also exploited. To block attacks, it is essential for operating systems to be updated to supported versions and for patches to be applied as soon as possible after release.

These are not smash-and-grab raids where ransomware is quickly deployed to obtain a quick payout. All of the threat actors using the above ransomware variants take their time to obtain administrative credentials and move laterally with the aim of infiltrating an organization’s entire environment, including EHRs, inboxes, endpoints, and applications. Almost all of the attacks involved the exfiltration of data, either to sell for profit, use for their own nefarious purposes, or to pressure organizations into paying the ransom.

“After gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells,” explained Microsoft. “They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.” In virtually all cases, accounts had been set up and backdoors used to ensure networks could continue to be accessed after the attack, even after the ransom was paid.

The time between the initial compromise and the deployment of ransomware gives network defenders an opportunity to identify and block the attacks. While threat actors take steps to hide their activity, it is possible to identify their activities as they move laterally. Network defenders should be checking for activity that could indicate an attack in progress, such as the use of malicious PowerShell commands, Cobalt Strike, and other penetration-testing tools. Security logs should be checked to identify any signs of tampering and checks should be performed to identify registry modifications and suspicious access to Local Security Authority Subsystem Service (LSASS).

Microsoft also offers detailed advice on hardening security to prevent attacks and the steps that should be taken if an attack is discovered, including investigation, isolation of compromised endpoints, and recovery.

The post Advice for Healthcare Organizations on Preventing and Detecting Human-Operated Ransomware Attacks appeared first on HIPAA Journal.