Two new strains of ransomware are locking down and extorting enterprises. MedStar Health is believed to be the latest victim: forced offline, with all manner of patient services this week reportedly delayed or curtailed, according to unnamed employees who reported receiving ransom pop-ups. MedStar is at least the fifth ransomware infection recently reported by a U.S. provider.
New Ransomware Virus Vectors
The MSIL/Samas strain is particularly troubling and seems to focus on hospitals and healthcare. An FBI alert issued Friday warns that the MSIL/Samas strain of malware attempts to lock and encrypt data across entire networks, rather than confining its extortion to data residing on a single server. MSIL/Samas is believed to exploit outdated versions of Red Hat JBoss, an open source, open standards platform for integrating data, applications and devices.
Organizations are asked to immediately contact the FBI CYWATCH cyber center in the event of attack or with any information to assist investigation.
“Hospitals increasingly become a target of cybercriminals with ransomware attacks, but all organizations handling sensitive data or any valuable information are at risk,” notes Csaba Krasznay with real-time cyber forensics experts Balabit. “It’s all but impossible to know the full extent of attack attempts: only a quarter of cyber attacks are typically reported to authorities, and ransomware attacks fall into a ‘grey zone’ where hefty ransoms may be paid to prevent the release of stolen customer data, and regulations do not currently oblige companies to report unsuccessful threats.”
Krasznay urges continuous, real-time monitoring of user activities, with a focus on privileged accounts of those with access to high value data, to detect, investigate and respond to both intruder and insider suspicious activities.
“Healthcare now finds itself in the crosshairs of the same criminal hacking organizations that have been attacking banking organizations for the past decade,” warns VASCO Data Security’s Michael Magrath, foreseeing “a significant increase in the sector’s investment in IT security.”
“Consider that some of the largest banks now spend close to a half-billion dollars a year on IT security and healthcare organizations spend only a fraction of that at present,” adds Magrath.
Magrath has served as an adviser on security and trusted IDs to the US Congress, the AMA, the Obama Administration and several Federal agencies.
Another new ransomware variant – PowerWare – lurks in Word document macros, and is executed by Microsoft PowerShell when infected files are opened. Brian Laing, Product VP with Lastline, notes: “PowerShell is often one of those things we wish we could go back and unmake! Originally built as an automation tool, it has become one of the attackers’ tools used. Very few users need the use of macros in their office documents.”
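One practical check a defender can run against the macro-to-PowerShell chain Laing describes is to audit whether the controls that break it are actually in place. The script below is an added PowerShell example, not code from the article or from Lastline; it assumes Office 2016 or later (registry version key 16.0) and the standard Office and PowerShell policy registry locations, and it only reads settings, changing nothing.

```powershell
# Added example (not from the article): audit the controls that break the
# "Word macro -> PowerShell" chain PowerWare relies on. Read-only; no changes made.
# Assumptions: Office 2016/2019/365 (version key 16.0); run in the user's
# context for the HKCU checks and elevated for the HKLM check.

$officeVersion = '16.0'   # assumption: adjust for older Office builds (15.0, 14.0)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return the value, or $null if the key or value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. Word macro policy. VBAWarnings: 1 = enable all (worst), 2 = disable with
#    notification (default; one click re-enables), 3 = disable except digitally
#    signed, 4 = disable all without notification.
$policyPath = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Word\Security"
$userPath   = "HKCU:\Software\Microsoft\Office\$officeVersion\Word\Security"
$vba = Get-RegValue $policyPath 'VBAWarnings'
if ($null -eq $vba) { $vba = Get-RegValue $userPath 'VBAWarnings' }
if ($null -eq $vba -or $vba -lt 3) {
    $findings += "Word macros: VBAWarnings=$vba (null means the default of 2); unsigned macros run with one click. Set 3 or 4 via policy."
}

# 2. Block macros in files carrying the Mark-of-the-Web (downloaded or
#    e-mailed attachments); 1 = blocked.
$motw = Get-RegValue $policyPath 'BlockContentExecutionFromInternet'
if ($motw -ne 1) {
    $findings += "Macros in Internet-sourced Word files are not blocked (BlockContentExecutionFromInternet=$motw); set to 1."
}

# 3. PowerShell script block logging, so a macro-launched PowerShell payload is
#    recorded in Microsoft-Windows-PowerShell/Operational (event ID 4104) for
#    the SOC to alert on.
$sbl = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
if ($sbl -ne 1) {
    $findings += "PowerShell script block logging is off; enable it so macro-launched PowerShell shows up as event ID 4104."
}

if ($findings.Count -eq 0) { 'All three checks passed.' } else { $findings }
```

Run it per user (the macro settings live under HKCU) and once elevated for the logging check; a clean run prints a single line, otherwise each failed control is listed with the setting to change. The three checks map directly to Laing's point: if few users need macros, policy can disable unsigned ones outright, and where PowerShell must stay available, logging makes its abuse visible.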
Lastline has recently detected other emerging ransomware strains such as Cerber – which makes novel use of PC speaker and text-to-speech to notify the user their files have been encrypted – and Teslacrypt, which can encrypt tens of thousands of files in mere minutes.
“Fortunately we spotted that one when the customer had Lastline running in a POC, so while we were not set up to block that attack, we were able to alert them - unlike the other technologies installed or vendors in the POC,” says Laing.
To Ransom or Not To Ransom?
“It’s neither productive nor cost-effective to buy keys from bad actors, but it might benefit the security community to analyze weaknesses or ransomware protocols. In some cases, cybersecurity professionals decrypt victims' data without the bad actors’ knowledge (as was the case with InfoArmor and Radamant ransomware),” explains InfoArmor Chief Intelligence Officer Andrew Komarov.
While CISOs and cyber security experts debate the effectiveness and ethics of paying ransom, across at least one major medical system this week, ambulances are being diverted, care of chronic conditions significantly delayed, and caregivers are leaning on long-dormant paper charting systems. And health professionals are hoping that the available patient information is as comprehensive and timely as quality care demands.
Will healthcare continue to be singled out in the cyber threat crosshairs? MedStar Health is just the latest proof that “the disruption of patient care is a huge risk for healthcare organizations (and the public) - a bigger concern than the cost of a ransom,” notes Proficio President Tim McElwee, who emphasizes prevention.
“We particularly urge healthcare organizations to ensure employees are on the lookout for phishing attacks and other vectors, and monitor security events around-the-clock - either internally or through a managed security services provider for the industrial-strength security that the healthcare sector demands. And, of course, ALWAYS backup data and systems.”