Crysis: Security threat evolution in ransomware

Derek Brost, CISSP, Bluelock

Cybersecurity threats are an ever-increasing risk, especially in the healthcare industry where data is quite sensitive, regulated and required for care. To protect patients' safety and the continuity of operations, healthcare providers must be wary and proactive.

Yet this is difficult, now that recent innovations in the cyber community have given rise to a new strain of ransomware that's more terrifying than anything ever encountered. Be mindful of Crysis.

What does Crysis do to healthcare IT systems?

You've probably heard a lot about the beneficial aspects of encryption. It is a powerful tool to enforce confidentiality of data in a secure state, so that only those with specialized authorization can retrieve it. This keeps patient information safe, private and HIPAA and Meaningful Use compliant. This is also an important statutory Safe Harbor provision.

But ransomware like Crysis is a different application of encryption. In this instance, intruders take your data and lock you out of it. You can't access it without their key. Put simply, intruders use your own tool against you.

Similar to other ransomware strains, Crysis infiltrates your IT systems and encrypts your sensitive data to hold it hostage. It causes delays, at best, in the operations and data stored in EMR, PACS, LIMS, modality management, billing and many other critical data systems. At worst, it causes a complete interruption of the patient care continuum and places your workforce at the mercy of a ransom agent. In other words, Crysis may halt critical aspects that propel the care process and revenue generation, even leading to the need for active patient diversion practices.

Crysis gains access to healthcare environments and data through emails with attachments or compromised links, and by posing as an installer for various legitimate programs and applications (such as Internet Explorer, Microsoft Excel, etc.). Unlike other ransomware strains, Crysis uses a combination of algorithms to encrypt network shares and more than 185 file types on both fixed and removable drives. Crysis attempts to take control of everything. It even steals user credentials and employs them to gain access to other, subsequent environments. By the time you notice, all you can do is push the power button, which only makes it worse.

Yet the most intimidating aspect of Crysis is that it lifts data out of IT environments and moves it to another location – literally kidnapping your data. Since this qualifies as a technical "breach," healthcare providers can't simply pay the ransom fee and go about their business. With a Crysis infection, providers must notify their patients, HHS, etc.—which runs up some hefty expenses, fines and could lead to a lengthy Corrective Action Plan.

As you know, in a scenario like this the cost of notifying these parties can outweigh the penalties themselves. Not to mention, the impact on patients' safety can be substantial and the cost of the actual cleanup can be outrageous. This class of malicious software has the potential to be one of the worst and most widespread threats in the wild yet.

What you can do to avoid Crysis

It's important to understand each of the attack vectors intruders might use to infiltrate your systems and networks. Email is the most common, so it's best to have employees on the lookout for suspicious content or links and to employ one (or more) dedicated email protection systems. Clinicians who bring their own mobile devices or USB drives to work may be a risk, too. For example, if they plug their phone into a hospital computer, it could be an opportunity for intruders to infiltrate numerous network-attached systems (clinical and otherwise). Educate your workforce on ransomware and its effects, to raise awareness and mitigate risks from internal accidents.

The best thing you can do to avoid the most devastating impacts of Crysis is to engage with a third-party vendor for backup and recovery. This ensures a separate IT recovery environment. If your IT team hasn't already done so, they should prioritize your applications into recovery tiers, so that if Crysis does infiltrate your environment, your organization can ensure the right attention for the most crucial applications and data. Hand-in-hand with this approach is to confirm that your operational teams are educated on their disaster recovery process and that every member has clearly defined roles. This also helps maintain evidence of compliance with the HIPAA Security Rule.

Another important mitigation strategy is to segment your networks. This prevents an intrusion from spreading pervasively across all departments and systems of your organization. For instance, there is little to no clinical or business reason why a gamma camera in Nuclear Medicine should be permitted to directly exchange data with a blood gas analyzer in the Lab. By not allowing network-attached systems in different departments to communicate, you can isolate an intrusion to a single instance if you catch it quickly enough. In other words, you can stop Crysis from jumping from system to system.
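The segmentation idea above can be checked continuously rather than assumed. The following is an added example (not from the article or from Bluelock): it models departments as subnets, keeps an explicit allow-list of the few cross-department flows that have a clinical or business reason (for instance, a modality posting results to the EMR), and audits sample flow records for anything that crosses a segment boundary without such a rule. All subnets, ports, and log lines are constructed for illustration, and the flow-record format is an assumption chosen for simplicity.

```python
"""Flow-log audit for department network segmentation (added example, not from the article).

A gamma camera in Nuclear Medicine and a blood gas analyzer in the Lab should never
talk directly. This script flags any observed flow that crosses departments without
an explicit allow rule, which is the sort of lateral movement segmentation is meant
to stop. Subnets, hosts, ports and log lines are constructed, not real.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed segment map: department -> subnet (assumed addressing, not a real plan)
SEGMENTS = {
    "nuc_med": ipaddress.ip_network("10.10.1.0/24"),
    "lab":     ipaddress.ip_network("10.10.2.0/24"),
    "emr":     ipaddress.ip_network("10.10.3.0/24"),
    "backup":  ipaddress.ip_network("10.10.9.0/24"),
}

# Explicitly allowed cross-segment flows: (src_segment, dst_segment, dst_port).
# Any other flow that crosses a segment boundary is reported as a violation.
ALLOWED = {
    ("nuc_med", "emr", 443),   # modality sends results to the EMR integration endpoint
    ("lab", "emr", 443),       # lab system sends results to the EMR
    ("emr", "backup", 22),     # replication into the isolated backup segment
}


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its department segment, or None if it is unmanaged."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> Flow:
    """Parse a minimal 'src dst dst_port proto' record (constructed format)."""
    src, dst, port, proto = line.split()
    return Flow(src, dst, int(port), proto)


def check_flow(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow breaks policy, otherwise None."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return f"unmanaged address in flow {flow.src}->{flow.dst}"
    if src_seg == dst_seg:
        return None  # intra-department traffic is outside this check's scope
    if (src_seg, dst_seg, flow.dst_port) in ALLOWED:
        return None
    return (f"{src_seg}->{dst_seg}:{flow.dst_port}/{flow.proto} "
            "crosses segments without an allow rule")


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (record, reason) pairs for every flow that violates segmentation policy."""
    findings = []
    for line in lines:
        reason = check_flow(parse_flow(line))
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample flow records
SAMPLE_LOG = [
    "10.10.1.20 10.10.3.10 443 tcp",  # Nuc Med -> EMR: allowed
    "10.10.2.15 10.10.3.10 443 tcp",  # Lab -> EMR: allowed
    "10.10.1.20 10.10.2.15 445 tcp",  # gamma camera -> blood gas analyzer over a file share: violation
    "10.10.1.20 10.10.1.21 445 tcp",  # same department: not flagged by this check
    "10.10.3.10 10.10.9.5 22 tcp",    # EMR -> backup replication: allowed
    "10.10.2.15 10.10.9.5 445 tcp",   # Lab -> backup segment over a file share: violation
]

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_LOG):
        print(f"VIOLATION {record}: {reason}")
```

Two design points matter in practice: the allow-list is the policy, so every entry should carry a documented owner and justification, and traffic into the backup segment deserves the tightest rules of all, since a backup that the infected network can reach is exactly what ransomware targets next.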

As with other ransomware types, the best course of action after a Crysis infection may be to wipe your systems and reload the data. To enable faster recovery, business-critical data and applications should be replicated to a secure cloud environment so that you can more easily access clean copies. In parallel with tape backups, immediately notify your cloud provider when something goes awry. In a Crysis attack, your IT resources may become overwhelmed, which is why having a cloud-based recovery provider is a good idea: they can act as an extension of your IT team during an event and rapidly recover your workloads into an alternate, non-affected cloud environment.

As always, be vigilant. While there is no complete safeguard against ransomware like Crysis, with a solid IT disaster recovery plan, healthcare organizations can better ensure business continuity when affected.

Derek Brost, Director of Engineering at Bluelock, is a Certified Information Systems Security Professional (CISSP) with a 20-year background in IS/IT operations, architecture, and information security.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.