A full five days into the ongoing MedStar Health attack, the US Department of Homeland Security and the Canadian Cyber Incident Response Centre issued a joint alert on the surge in ransomware extortion attacks.
While some systems at the Washington DC area's largest healthcare provider are beginning to come back online, the MedStar attackers are widely reported to have demanded payment in bitcoin, after which the encryption keys are to be delivered via the Dark Web to avoid detection and apprehension.
US and Canadian Healthcare Providers - Particularly Attractive Targets
InfoArmor Chief Intelligence Officer Andrew Komarov explains that the high social wealth of the US and Canada makes the region a magnet for cybercriminals. "The distribution of ransomware in the US and Canada is almost guaranteed to establish significant infections, especially against typical users that have minimal or no security on their desktops, and who lack knowledge and training" to identify malicious threats.
VASCO Data Security’s John Gunn said: "The most effective defense against ransomware attacks still depends on human intelligence. People have to stop clicking on links in malicious emails - they didn’t just win the lottery, they don’t have a huge refund coming, and a beautiful foreign lady does not want to date them."
Recent attacks and attempts, such as the phishing scam that targeted Mattel employees, confirm that users are clearly part of the problem, but just as problematic is the recent proliferation of ransomware toolkits. "Anyone can buy the tools to conduct ransomware attacks for as little as $100 on the dark web. It's a numbers game - more attackers equals more victims," Gunn added.
Can smarter networks help organizations overcome human nature?
"No matter how well trained and aware users are, and how diligent the perimeter defenses, the human factor - such as an accounting department staffer opening an attack payload disguised as an invoice - will always leave sensitive data vulnerable, as will always-on data resources," said Carmine Clementelli, security expert with PFU Systems, a Fujitsu company. "Unintelligent networks are hackable."
Clementelli urges defense-in-depth strategies, such as layering in internal traffic intelligence that automatically detects and preempts the telltale patterns and events which signal privilege-escalation attempts and other indicators of attack.
"At early stages, attacks can still be stopped but only if immediately detected and blocked," agrees Dr. Csaba Krazsnay, a Product Manager with Balabit. "There are signs when ransomware manages to infect a computer or a server." For example, processes or applications may stop unexpectedly, or an unauthorized user or an unknown script may attempt unusual activity, or even issue encryption commands. "Even an intruder's misuse of a legitimate user account can be noticed in real-time when appropriate monitoring and behavior analytics are implemented."
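The following is an added example, not code from the article or from Balabit, PFU Systems or any other vendor quoted here. It shows the three kinds of early-stage signal the two preceding paragraphs describe, as simple detection rules run over constructed endpoint telemetry: a script host spawned by an Office application (the "invoice" attachment scenario), a burst of file renames to a ransomware-style extension (the encryption phase), and a known account acting from a host or at an hour outside its baseline (misuse of a legitimate account). The pipe-delimited log format, the extension list, the thresholds and the per-user baseline are all assumptions chosen for illustration.

```python
"""Toy ransomware early-warning rules over constructed endpoint telemetry.

Added example; not the original article's or any quoted vendor's code.
Log format, thresholds, extension list and baseline are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, illustrative list of extensions appended to encrypted files.
ENCRYPTION_EXTS = (".locked", ".encrypted", ".crypt")
BURST_WINDOW = timedelta(seconds=60)   # assumed tuning
BURST_THRESHOLD = 20                   # renames per window that trip the alert
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# Assumed per-account baseline (usual hosts, usual working hours) learned from past activity.
USER_BASELINE = {"jdoe": {"hosts": {"ACCT-PC01"}, "hours": range(7, 20)}}

# Constructed sample log: timestamp|host|user|process|parent|action|path
SAMPLE_LOG = [
    "2016-03-28T09:02:00|ACCT-PC01|jdoe|OUTLOOK.EXE|explorer.exe|process_start|C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE",
    "2016-03-28T09:14:05|ACCT-PC01|jdoe|WINWORD.EXE|OUTLOOK.EXE|process_start|C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice_4471.docm",
    "2016-03-28T09:14:11|ACCT-PC01|jdoe|wscript.exe|WINWORD.EXE|process_start|C:\\Users\\jdoe\\AppData\\Local\\Temp\\inv.vbs",
    "2016-03-28T09:15:00|ACCT-PC01|jdoe|EXCEL.EXE|explorer.exe|file_rename|\\\\FILESRV\\finance\\budget_draft.xlsx",
    "2016-03-28T02:31:40|DB-SRV01|jdoe|cmd.exe|services.exe|process_start|C:\\Windows\\System32\\cmd.exe",
] + [
    # 25 renames to .locked within 25 seconds: the encryption burst
    f"2016-03-28T09:14:{20 + i:02d}|ACCT-PC01|jdoe|wscript.exe|WINWORD.EXE|file_rename|\\\\FILESRV\\finance\\report_{i:02d}.xlsx.locked"
    for i in range(25)
]


def parse_event(line):
    """Parse one pipe-delimited telemetry line (constructed format) into a dict."""
    ts, host, user, proc, parent, action, path = line.split("|", 6)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "process": proc, "parent": parent, "action": action, "path": path}


def detect_encryption_burst(events):
    """Flag a process renaming >= BURST_THRESHOLD files to a ransomware extension within BURST_WINDOW."""
    alerts = []
    renames = defaultdict(list)
    for e in events:
        if e["action"] == "file_rename" and e["path"].lower().endswith(ENCRYPTION_EXTS):
            renames[(e["host"], e["user"], e["process"])].append(e["ts"])
    for (host, user, proc), stamps in renames.items():
        stamps.sort()
        j = 0  # sliding window [i, j) over sorted timestamps
        for i in range(len(stamps)):
            while j < len(stamps) and stamps[j] - stamps[i] <= BURST_WINDOW:
                j += 1
            if j - i >= BURST_THRESHOLD:
                alerts.append({"rule": "encryption_burst", "host": host, "user": user,
                               "process": proc, "count": j - i, "first_seen": stamps[i]})
                break  # one alert per process is enough to trigger containment
    return alerts


def detect_script_from_office(events):
    """Flag a script host launched by an Office application (macro-laden attachment)."""
    return [{"rule": "script_from_office", "host": e["host"], "user": e["user"],
             "process": e["process"], "parent": e["parent"], "path": e["path"],
             "first_seen": e["ts"]}
            for e in events
            if e["action"] == "process_start" and e["parent"] in OFFICE_APPS
            and e["process"].lower() in SCRIPT_HOSTS]


def detect_account_anomaly(events, baseline=USER_BASELINE):
    """Flag a known account acting from a host or at an hour outside its baseline."""
    alerts, seen = [], set()
    for e in events:
        profile = baseline.get(e["user"])
        if profile is None:
            continue
        off_host = e["host"] not in profile["hosts"]
        off_hours = e["ts"].hour not in profile["hours"]
        key = (e["user"], e["host"], off_host, off_hours)
        if (off_host or off_hours) and key not in seen:
            seen.add(key)
            alerts.append({"rule": "account_anomaly", "user": e["user"], "host": e["host"],
                           "off_host": off_host, "off_hours": off_hours, "first_seen": e["ts"]})
    return alerts


def analyze(lines):
    """Run all three rules over raw log lines and return the combined alert list."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    return (detect_encryption_burst(events) + detect_script_from_office(events)
            + detect_account_anomaly(events))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the script raises three alerts: the script-from-Office rule fires within seconds of the attachment being opened, the rename-burst rule fires once 20 of the 25 renames have landed, and the account rule fires on the 02:31 logon to a database server the account never normally touches. In practice the burst threshold has to be tuned against legitimate bulk operations (backup jobs, document management systems), and the baseline would be learned rather than hard-coded, but the ordering illustrates the point made above: the process-spawn and account signals arrive before encryption has done much damage.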
Last week's FBI alert and the current US/Canadian alert signal that the ransomware 'age of innocence' may be at an end. Brian Laing, Lastline VP of Products and Development, said: "One of the biggest reasons why companies are unprepared is that they simply did not understand the impact. It's not only about machines being down for some length of time - sectors such as healthcare can be devastated by this type of attack. Even worse, without ongoing access to full patient records, lives are at stake."
Balabit's Krazsnay believes the ransomware outbreak will drive a higher and more strategic approach to interdisciplinary planning and training. "Cyber TTXs (tabletop exercises) must bring together lawyers, soldiers, law enforcement, hackers, hunters, etc. to imagine and plan for 'what if' cyber threat scenarios. Let's hope this alert from the US and Canadian governments rings the alarm bell. Cyber criminals have found a new set of targets, and neither the victims nor the authorities are well enough prepared."