Ransomware Groups are Accelerating Their Attacks with Dwell Time Falling to Just 5 Days

Ransomware groups have accelerated their attacks and are now spending less time inside victims’ networks before triggering file encryption, according to the 2023 Active Adversary Report from Sophos. The data for the report came from the first 6 months of 2023 and was gathered and analyzed by the Sophos X-Ops team.

The median dwell time for ransomware groups fell from 9 days to 5 days in the first half of 2023, which the researchers believe is close to the limit of what is possible for hackers. They do not expect the median dwell time to fall below 5 days due to the time it typically takes for the hackers to achieve their objectives. On average, it took 16 hours from initial access for attackers to gain access to Microsoft Active Directory and escalate privileges to allow broad access to internal systems. The majority of ransomware groups do not rely on encryption alone and also exfiltrate data so they can apply pressure to get victims to pay up. Oftentimes, backups of data exist so recovery is possible without paying the ransom, but if there is a threat of data exposure, ransoms are often paid. On average, it takes around 2 days for ransomware gangs to exfiltrate data.

The reduction in dwell time is understandable. The longer hackers remain in networks, the greater the probability that their presence will be detected, especially since intrusion detection systems are getting better at detecting intrusions and malicious activity. One of the ways ransomware groups have accelerated their attacks is by opting for intermittent encryption, where only parts of files are encrypted. The encryption process is far quicker, which means there is less time to detect and stop an attack in progress, but the encryption is still sufficient to prevent access to files.

Ransomware gangs often time their attacks to reduce the risk of detection. In 81% of attacks analyzed by the researchers, the encryption process was triggered outside normal business hours, such as at the weekend or during holidays when staffing levels are lower. 43% of ransomware attacks were detected on a Friday or Saturday. While the dwell time for ransomware actors has fallen, there was a slight increase in the dwell time for non-ransomware incidents, which rose from an average of 11 days to 13 days in H1 2023.

In many of the cyberattacks analyzed, a vulnerability was exploited that allowed hackers to use a remote service for initial access, such as a vulnerability in a firewall or VPN gateway. The exploitation of vulnerabilities in public-facing applications had been the leading root cause of attacks for some time, followed by external remote services; however, in H1 2023 the ranking was reversed: compromised credentials were the root cause in 50% of attacks, with vulnerability exploitation the root cause in 23% of attacks.

Compromised credentials make attacks easy for hackers, especially when there is no multi-factor authentication. Implementing and enforcing phishing-resistant MFA should be a priority for all organizations, but the researchers found that in 39% of the cases investigated, MFA was not configured. Prompt patching should also be a goal, as this reduces the window of opportunity for hackers. The researchers suggest following CISA’s patching timeline in Binding Operational Directive 19-02 (15 days for critical vulnerabilities and 30 days for high-severity vulnerabilities), as it forces attackers into a narrower set of techniques by removing the low-hanging fruit.

Previous reports have highlighted the extent to which Remote Desktop Protocol (RDP) is abused. In H1 2023, RDP was used in 95% of attacks, up from 88% in 2022. In 77% of attacks involving RDP, the tool was used for internal access and lateral movement, up from 65% in 2022. Only 1% of attacks involved RDP for external access. Given the extent to which RDP is abused, securing RDP should be a priority for security teams. If attackers are forced to break MFA or import their own tools for lateral movement, they will have to expend more time and effort, which gives defenders more time to detect intrusions and increases the probability that malicious activity will be detected.
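The two findings above, encryption triggered outside business hours and RDP used for lateral movement, translate directly into detection logic. The following is an added example, not code from the Sophos report or HIPAA Journal: it runs a simple off-hours and RDP fan-out heuristic over a constructed, hypothetical sample of Windows logon events (event 4624 with logon type 10, which is RemoteInteractive/RDP), with the business-hours window and thresholds being assumptions to tune per environment.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security logon events (hypothetical, not real logs).
# CSV fields: timestamp, event id, logon type (10 = RemoteInteractive, i.e. RDP),
# account, source host, target host.
SAMPLE_EVENTS = [
    "2023-06-13T10:12:04,4624,10,svc_backup,WS-17,FILESRV01",  # Tuesday, office hours
    "2023-06-17T02:41:55,4624,10,svc_backup,WS-17,DC01",       # Saturday, 02:41
    "2023-06-17T02:45:10,4624,10,svc_backup,WS-17,FILESRV02",
    "2023-06-17T02:47:31,4624,10,svc_backup,WS-17,SQL01",
    "2023-06-15T21:30:00,4624,3,jdoe,WS-03,FILESRV01",         # network logon, not RDP
]

BUSINESS_HOURS = (8, 18)  # assumed 08:00-18:00 local time; tune per environment


def parse_event(line):
    ts, event_id, logon_type, account, src, dst = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "account": account, "src": src, "dst": dst}


def is_off_hours(ts):
    """Weekend, or outside the configured business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def flag_rdp_activity(lines, window=timedelta(minutes=10), fanout=3):
    """Return alerts for (a) RDP logons outside business hours and (b) one source
    reaching >= `fanout` distinct hosts over RDP within `window` (lateral-movement fan-out)."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    rdp = [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 10]
    alerts = []
    for e in rdp:
        if is_off_hours(e["ts"]):
            alerts.append({"rule": "rdp_off_hours", "account": e["account"],
                           "src": e["src"], "dst": e["dst"], "ts": e["ts"].isoformat()})
    alerted_sources = set()  # one fan-out alert per source host
    for i, e in enumerate(rdp):
        if e["src"] in alerted_sources:
            continue
        hosts = {x["dst"] for x in rdp[i:]
                 if x["src"] == e["src"] and x["ts"] - e["ts"] <= window}
        if len(hosts) >= fanout:
            alerted_sources.add(e["src"])
            alerts.append({"rule": "rdp_fanout", "account": e["account"], "src": e["src"],
                           "hosts": sorted(hosts), "ts": e["ts"].isoformat()})
    return alerts
```

Calling `flag_rdp_activity(SAMPLE_EVENTS)` yields three off-hours alerts for the Saturday 02:41 to 02:47 logons and one fan-out alert for WS-17 reaching three hosts in six minutes; the weekday logon and the non-RDP network logon are not flagged.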

The post Ransomware Groups are Accelerating Their Attacks with Dwell Time Falling to Just 5 Days appeared first on HIPAA Journal.

Potential HIPAA Right of Access Violation Settled for $80,000

The UnitedHealthcare Insurance Company (UHIC) has agreed to settle an alleged failure to provide timely access to Protected Health Information for $80,000. The voluntary resolution agreement also requires the company to comply with a Corrective Action Plan for a minimum of a year.

In 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) launched an enforcement initiative in response to an increasing number of complaints alleging violations of 45 CFR §164.524 – the access of individuals to Protected Health Information (PHI). To date, the agency has investigated hundreds of complaints and reached settlement agreements in forty-five cases.

The latest settlement agreement relates to a complaint made against UHIC by a customer who had requested a copy of their PHI in January 2021. When the request was not responded to within the allowed time, the customer complained to OCR. The agency initiated an investigation in April 2021, but it was not until July that the customer received the PHI they had requested six months earlier.

According to the resolution agreement, when UHIC was made aware of the issue by OCR, the company conducted its own internal investigation and determined that the compliance failure was attributable to an employee oversight. Despite the company’s cooperation during the investigation, OCR concluded UHIC had failed to provide timely access to PHI in violation of 45 CFR §164.524.

In addition to settling the alleged violation for $80,000, UHIC has agreed to comply with a Corrective Action Plan for a minimum of a year. The Plan requires UHIC to revise, where appropriate, its policies and procedures relating to customer access requests, distribute the revised policies to its workforce, and provide material change training to members of the workforce affected by the change.

The Corrective Action Plan also requires UHIC to submit quarterly reports to OCR listing the dates when access requests are received, the dates they are responded to and the fees charged to individuals. The reports will also have to provide OCR with information relating to the format of access requested, the format provided, and – if requested on paper – the number of pages provided.

In the press release accompanying the announcement of the settlement, OCR Director Melanie Fontes Rainer said:

“Timely access to health information is one of the cornerstones of HIPAA. OCR will continue to ensure that covered entities with a record of delaying or denying access requests will be subject to enforcement. Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.”

The post Potential HIPAA Right of Access Violation Settled for $80,000 appeared first on HIPAA Journal.