Digital extortion: 26 things to know about ransomware

From ransomware's numerous variations to recent incidents, here are 26 things to know about one of healthcare's growing cybersecurity threats.

The basics: Variations and preventive measures

1. Ransomware is a type of malware that encrypts a victim's files and demands payment in return for unlocking the files, according to HIMSS.

2. Ransomware, though making headlines recently, is not a new cyberattack strategy. The first type of ransomware, PC Cyborg, was reported in 1989, according to HIMSS.

3. Since then, a number of different ransomware variants have evolved, according to the United States Computer Emergency Readiness Team. In 2013, CryptoLocker, CryptorBit and Xorist arrived on the scene. This year, Locky has been noted as a popular ransomware type. Locky is spread through spam emails that carry malicious Microsoft Office documents or other malicious attachments.

4. The Institute of Critical Infrastructure Technology outlined how three common ransomware varieties work.

•    Locker ransomware typically restricts access to a device's interface but does not affect the underlying system or files.
•    Unlike locker ransomware, crypto ransomware targets underlying information and systems. The user can do anything on the device except access the encrypted files. Oftentimes, this type of ransomware includes a time limit. If the victim does not pay the requested ransom within that time, the decryption key will be deleted and access to the data will be permanently lost.
•    Hackers can use both types of ransomware in concert with one another through hybrid ransomware.

5. As cyberattack targets continue to bolster their defenses, new ransomware variants continue to evolve. Three newer variants to know, according to IT World Canada, include:

•    Ransom_Petya.A. This type of ransomware is sent as a resume that needs to be retrieved through a Dropbox link. Once opened, the ransomware will cause Windows to crash as it rewrites the master boot record. Once the victim reboots the computer, a demand for ransom will appear on the screen.
•    PowerWare. PowerWare, first noted by researchers at Carbon Black, uses Microsoft Word and the PowerShell scripting language. This type of ransomware is sent via a macro-enabled Microsoft Word document. PowerWare initially asks for $500 in ransom, but raises the demand to $1,000 after two weeks.
•    Samas/Samsam/MSIL.B/C. SamSam aims to compromise servers and move laterally throughout a network. This variant will demand ransom to release information from multiple machines.
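Both Locky (item 3) and PowerWare (above) arrive as Office documents whose macros fetch or run the payload, so a mail gateway check for macro-bearing attachments is one of the cheapest defensive controls. The following is an added example, not code from the article or from any vendor named in it; it assumes attachments are modern OOXML (zip-based) files and inspects the container for a VBA project, so it does not cover the legacy binary .doc format. The sample documents are constructed in-line for demonstration.

```python
import io
import zipfile

# Content type Word records for macro-enabled (.docm) documents.
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def has_office_macros(data: bytes) -> bool:
    """Return True if an OOXML attachment carries a VBA project.

    The check looks inside the zip container rather than at the file
    extension, so a .docm renamed to .docx is still flagged.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            # A VBA project part is the definitive macro indicator.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Fall back to the declared content type of the main part.
            if "[Content_Types].xml" in names:
                ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return "macroEnabled" in ct_xml
            return False
    except zipfile.BadZipFile:
        # Not an OOXML container; out of scope for this check.
        return False


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = MACRO_CT if macro else PLAIN_CT
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def triage_attachments(attachments):
    """Given (filename, bytes) pairs, return the names to hold for review."""
    return [name for name, data in attachments if has_office_macros(data)]


if __name__ == "__main__":
    inbox = [("resume.docx", build_sample(True)), ("memo.docx", build_sample(False))]
    print("Quarantine:", triage_attachments(inbox))
```

Holding rather than deleting flagged attachments lets legitimate macro documents be released after review while still keeping them off user desktops by default.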

6. Ransomware, depending on the malicious actor and type, can be distributed through various channels, according to the Institute of Critical Infrastructure Technology. Delivery methods include:

•    Traffic distribution system. A TDS will redirect web traffic to a site, which hosts an exploit kit. Some hackers may hire a TDS to spread their ransomware.
•    Malvertisement. In this case, a malicious advertisement would take a user to a malicious landing page if clicked on.
•    Phishing email. Phishing scams are the most common way to disseminate malicious content. A single click on a malicious link or attachment could compromise an entire network.
•    Downloaders. Downloaders deliver malware into systems in stages, which makes it harder to recognize the malicious intent by signature-based detection.
•    Social engineering. Social engineering relies on maneuvering users into breaking their own security protocols to introduce the malware into their system.
•    Self-propagation. Self-propagating ransomware will have a functionality that supports its continual spread throughout a system.
•    Ransomware-as-a-service. Experienced hackers may outsource their successful malware to less technically adept cyberattackers.

7. Ransomware is an exploitative type of malware. It seeks vulnerabilities in an organization's network and takes advantage of human error. HIMSS recommends seven steps organizations can take to prevent and minimize the effects of a malware attack.

•    Ensure software and plug-ins are up-to-date.
•    Know how to recognize a phishing scheme and avoid getting hooked.
•    Segment your organization's network.
•    Regularly conduct risk assessments and address any uncovered vulnerabilities.
•    Frequently back up your data.
•    Hold mock exercises. Guide employees through hypothetical ransomware scenarios.
•    Anytime a security incident occurs, analyze the lessons learned and address any gaps in strategy.

Recent incidents

8. In February, a ransomware attack caused the IT system at Hollywood (Calif.) Presbyterian Medical Center to go offline. The hospital's staff was locked out of the EHR and could not communicate via email. The hackers responsible demanded payment in bitcoins, a form of digital currency. During the event, the hospital was forced to divert some patients to other hospitals.

9. Hollywood Presbyterian eventually paid the hackers $17,000 in ransom to regain access to its IT system and patient records. The media initially reported the ransom demand was set at 9,000 bitcoins, or more than $3 million. But President and CEO Allen Stefanek said in a hospital statement the claim was false. "The amount of ransom requested was 40 bitcoins, equivalent to approximately $17,000," Mr. Stefanek wrote. "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this."

10. In March, Methodist Hospital in Henderson, Ky., declared an internal emergency after being hit with ransomware. The attack limited the hospital's use of its electronic web-based services. The hospital announced its patient information was secure, activated a backup system while its main network was locked and continued to operate as normal.

11. The hospital recovered from the attack without paying the ransom, which had been demanded in bitcoins.

12. On March 28, MedStar Health, based in Columbia, Md., shut down its computer networks to stop the spread of malware. Several news outlets reported the event was a ransomware attack. MedStar employees told The Washington Post they saw pop-up ransom notes demanding the system pay 45 bitcoins, or roughly $19,000, to unlock the computer systems, but the hospital system did not disclose the exact nature of the attack, referring to it only as a "malicious malware attack."

13. In March, the Los Angeles County health department found traces of ransomware on five of its computers. The health department reported the attack to the Los Angeles district attorney and county chief information officer.

14. U.S. healthcare organizations are not the only ransomware targets. In February, Lukas Hospital in Neuss, Germany, suffered an attack. Just a month later, four computers at the Ottawa Hospital in Canada became inaccessible due to ransomware delivered through a spam email.

15. Ransomware recently targeted several major websites, including The New York Times, BBC, AOL, NFL and Newsweek, through a malvertising campaign. Malvertising relies on users clicking on a malicious advertisement. Once a user clicks the ad, the user is taken to a page that tries to infect their computer.

16. Last month, bad actors set in motion the first ransomware attack targeting Apple computers. In the past, ransomware attacks exclusively targeted Windows operating systems. Those responsible for the recent attack embedded a functional version of the malware in Transmission, a program used on Apple's iOS to transfer data over file-sharing networks.

17. Federal agencies are also common ransomware targets. The Department of Homeland Security announced 29 federal agencies reported 321 ransomware-related incidents within the past nine months.

18. Since 2005, the Justice Department's Internet Crime Complaint Center has reported nearly 7,700 ransomware complaints in which victims paid a total of $57 million in ransom payments, reports The Hill.

Fighting back

19. Following the rash of ransomware attacks in the first half of the year, the U.S. Department of Homeland Security and the Canadian Cyber Incident Response Centre issued a joint ransomware warning. The alert names several prominent ransomware variants that have emerged over the past few years, including Xorist, CryptorBit, CryptoLocker, Samas and Locky. The joint warning also included measures to take to prevent ransomware attacks.

20. Though the Petya strain of ransomware recently ramped up its encryption efforts, an unidentified programmer developed a tool that can crack the malware without payment. The programmer posted to the code-sharing site GitHub describing how he created a key generator to unlock a computer encrypted by Petya. A security researcher from the news site Bleeping Computer said the key generator was able to unlock a Petya-encrypted computer in seven seconds.

21. Individual companies are analyzing their security in light of recent ransomware attacks. Adobe released an emergency update to its Flash software in response to a security flaw that could be an opportunity for ransomware. Researchers discovered the security flaw can be used to deliver ransomware to Windows PCs, according to the report. Adobe urged anyone using Flash, including Windows, Mac, Chrome and Linux computer users, to update Flash as soon as possible.

22. The FBI is analyzing the ransomware variant known as MSIL/Samas and is asking U.S. security firms for help. MSIL/Samas ransomware is designed to encrypt entire networks rather than single devices.

23. A new survey conducted by HIMSS Analytics and Healthcare IT News found 50.8 percent of hospital leaders would not pay ransom demands if hackers encrypted patient data.

The ambiguities

24. Though the FBI is investigating a number of the ransomware attacks that occurred this year, its stance on paying the ransom in these malware attacks is murky. The law enforcement agency's official stance is: "The FBI does not advise victims on whether or not to pay the ransom," according to a letter from a U.S. Senate committee.

25. Ransomware can involve sensitive information, but this security incident is not quite considered a data breach. Hackers using ransomware restrict user access to their own files, but the hackers do not access or extract any data. There is no legal requirement for hospitals to report a ransomware attack.

26. There may be no requirement to report these attacks now, but Rep. Ted Lieu (D-Calif.) plans to draft legislation changing that. He hopes requiring ransomware reporting will help lawmakers understand how hackers carry out these malicious attacks.
