The Rise of Ransomware in Healthcare · Ransomware Delivery: Phishing Social-based Attack...

The Rise of Ransomware in Healthcare Tim Bandos, Sr. Director of Cyber Security, Digital Guardian

Transcript of The Rise of Ransomware in Healthcare

Page 1:

The Rise of Ransomware in Healthcare
Tim Bandos, Sr. Director of Cyber Security, Digital Guardian

Page 2:

“The cybercriminals behind ransomware do not particularly care who their victims are, as long as they are willing to pay the ransom.”

Page 3:

What Is Ransomware

Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid.

Two Types:

Lock Screen – Shows a full screen message that prevents you from accessing the PC

Crypto – Alters your files so you can no longer open and view them

Page 4:

How Ransomware Works

1. The user clicks on a link or an attachment in an email.

2. Encryption of files occurs within minutes or even seconds!

3. Once encryption is complete, a ransom demand is displayed, giving a fixed amount of time to pay for the decryption key.

Page 5:

Ransomware Evolution

Can you guess when ransomware first surfaced?

Page 6:

Ransomware Stats

97% of phishing emails are now delivering ransomware

71% of organizations who are targeted by ransomware end up infected

95% of ransomware victims refused to pay the ransom

[Charts on this slide: "Delivery Mechanisms"; "% of Ransomware Victims Using Security Solutions at Time of Attack"]

Page 7:

Top Affected Industry: Healthcare


*Fireeye Blog: https://www.fireeye.com/blog/threat-research/2016/08/locky_ransomwaredis.html


Page 8:

Strains of Ransomware

Page 9:

Ransomware Headlines

Page 10:

Hospitals Hit with Ransomware in 2016

Titus Regional Medical Center

Hollywood (Calif.) Presbyterian Medical Center

Klinikum Arnsberg Hospital

Los Angeles County health department

The Ottawa Hospital

Methodist Hospital

DeKalb Health

Kansas Heart Hospital

Professional Dermatology Care

Keck Medicine

Marin General Healthcare District

Prima Medical Group

Rainbow Children's Clinic

Cost of Ransomware: $7,900 a minute, per incident (*Ponemon Institute)

Page 11:

Case One

Hollywood Presbyterian Medical Center

How it Happened: According to Wired Magazine, the computer system was hit by a ransomware virus called Locky, which locks users out and won’t send a decrypting key unless a ransom is paid. The attack likely occurred because an employee mistakenly clicked on an email attachment that was actually a phishing scam.

In order for the hospital to regain access, the ransomware demanded 40 Bitcoin (approximately $17,000) which was ultimately paid.

Doctors told reporters they were unable to access patients’ medical histories and could not share x-rays, CT scans, and other medical tests.

Aftermath: IT experts have concluded that Hollywood Presbyterian Medical Center did not have any backup data available and, due to the widespread infection of their system, likely had a very weak security infrastructure.

Page 12:

Case Two

Kansas Heart Hospital

How it Happened: Hackers got access to the systems and locked up the files, refusing to give back access unless the hospital paid a ransom. The hospital paid the ransom; however, the attackers did not return full access and instead demanded another ransom.

Aftermath: According to the report, the hospital said that patient information was not jeopardized and the attack did not impact patient treatment. The IT team was in the process of restoring the rest of the systems that had been compromised.

Page 13:

Ransomware Delivery: Phishing

Social-based Attack

Fraudulent attempt made through email to fool the victim in order to acquire sensitive information.

Phishing represents 77% of all socially based attacks.

Generally speaking, ‘phishing’ emails are exploratory attacks in which criminals attempt to obtain victims’ sensitive data, such as personally identifiable information and/or network access credentials.

Page 14:

Phishing Detection

• Check the e-mail addresses.

• Be suspicious of e-mail addressed to “Dear Customer”.

• Be suspicious of grammar or spelling mistakes.

• Be suspicious of any email that requires “immediate action”.

• Be careful with links – hover over them to identify the true link.

• Be suspicious of attachments.

• Be suspicious of messages that sound too good to be true.

• E-mail from your friend or co-worker does not necessarily mean that they sent it.

https://digitalguardian.com/blog/dont-get-hooked-how-recognize-and-avoid-phishing-attacks-infographic
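The checklist above turned into runnable triage heuristics, written for this page as an added example (not Digital Guardian's code or tooling): it compares the sender and Reply-To domains, reads the Authentication-Results header (mail "from" a co-worker can still be spoofed), flags a "Dear Customer" greeting, urgency phrases, link text that differs from the real href, and risky attachment types. The phrase lists, the extension list and the constructed sample message are assumptions made for the demonstration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Heuristic lists assumed for this example; tune them for your environment.
URGENCY = ("immediate action", "within 24 hours", "account will be suspended")
RISKY_ATTACHMENTS = (".zip", ".rar", ".js", ".jse", ".wsf", ".exe", ".scr", ".docm")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(header_value):
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def phishing_indicators(msg):
    """Return the checklist items an EmailMessage trips (empty = nothing found)."""
    hits, text, html = [], "", ""
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:            # "check the e-mail addresses"
        hits.append(f"reply-to domain {reply_to} differs from sender {sender}")
    auth = str(msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:   # a known sender can be spoofed
        hits.append("sender authentication failed (mail may be spoofed)")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_ATTACHMENTS):
            hits.append(f"risky attachment type: {fname}")
        elif part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_type() == "text/html":
            html += part.get_content()
    body = (text + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    if "dear customer" in body:
        hits.append("generic greeting 'Dear Customer'")
    if any(phrase in body for phrase in URGENCY):
        hits.append("pressure to take immediate action")
    for href, label in LINK_RE.findall(html):       # "hover to see the true link"
        shown = re.sub(r"<[^>]+>", "", label).strip()
        if "://" in shown and urlparse(shown).hostname != urlparse(href).hostname:
            hits.append(f"link text {shown} really points to {urlparse(href).hostname}")
    return hits

def build_sample():
    """Constructed phishing message (invoice lure, archive attachment); all addresses and hosts are placeholders."""
    msg = EmailMessage()
    msg["From"] = '"Billing Dept" <billing@hospital-invoices.example>'
    msg["Reply-To"] = "billing.desk@freemail.example"
    msg["Subject"] = "Invoice overdue - immediate action required"
    msg["Authentication-Results"] = "mx.hospital.example; spf=fail smtp.mailfrom=hospital-invoices.example"
    msg.set_content("Dear Customer, immediate action is required on your invoice.")
    msg.add_alternative('<p>Dear Customer, immediate action is required: '
                        '<a href="http://203.0.113.9/pay">https://portal.hospital.example/pay</a></p>',
                        subtype="html")
    msg.add_attachment(b"PK\x03\x04 placeholder bytes, not a real archive",
                       maintype="application", subtype="zip", filename="invoice_4471.zip")
    return msg
```

Calling `phishing_indicators(build_sample())` lists six tripped checks; a benign internal message with no Reply-To mismatch, passing authentication and a plain greeting returns an empty list.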

Page 15:

Phishing Example with Ransomware

Page 16:

You’re Infected…

Page 17:

Now What?

First off, take a deep breath and don’t panic.

DO NOT pay the ransom.

Key Ransomware Objective: Instill Fear & Uncertainty

What are my options?

• If you do not have a backup, fear not. Encrypted files from some strains of ransomware can actually be decrypted for free.

• Go to https://www.nomoreransom.org/

Page 18:

Tips from Tim

Common Sense

• Issue: Security professionals assume that end users should exercise common sense.

• There is no such thing as common sense without base common knowledge.

• Security programs will fail because they assume there is common knowledge.

It’s Not Dumb Users

• Issue: Security professionals don’t adequately prepare and then blame end users for security breaches.

• Security staff should always ask this question after an incident: what could we have done better?

• Balancing the right level of technology with security awareness is imperative.

Security Awareness

Security awareness is getting people to implement secure practices into their daily activities, in an effort to strengthen the overall security culture.

Page 19:

Incident Response Plan

A Cyber Security Incident Response Plan provides a formal, coordinated approach to responding to cyber security incidents affecting information assets.

Defines:

• Incident classification

• Roles and responsibilities

• Incident reporting and escalation

• Communication channels for information flow

Outlines the overall incident response processes.

Page 20:

Who’s on the IR Team?

Technical

• Incident Response Manager

• Security Analysts

• Threat Researchers

Responsible for identification and response to cyber threats, including forensics and root cause analysis.

Non-Technical

• Chief Security Officer

• Chief Information Security Officer

• Chief Information Officer

• Legal Counsel

• Human Resources

• Compliance

• Public Affairs

Directs all strategic and non-technical elements of the incident response, including communications and enforcing all corrective actions.

Page 21:

5 Incident Response Phases

1. Preparation

2. Detection & Reporting

3. Triage & Analysis

4. Containment & Neutralization

5. Post-Incident Activity

Page 22:

Prevention Recommendations

1. Email Filtering – Actively filtering email attachment types that are potentially dangerous

2. End User Education – Teaching users how to identify potentially malicious links and attachments

3. Patch Management – Staying on top of recently released patches for the Operating System / 3rd Party Applications

4. Install Ad Blockers – Help protect against malicious ads from legitimate sites

5. Exploit Prevention – Microsoft’s Enhanced Mitigation Experience Toolkit

6. Backup & Recovery – Implement an effective backup plan in case you need to restore

7. Data Protection Suite – Consider leveraging a Data Loss Prevention technology with the ability to prevent malware infections and ransomware attempts to encrypt files.


Page 23:

Future of Ransomware

We expect to see the ransomware threat landscape sustain, if not exceed, the momentum levels observed over the past several years.

Cyber extortion operations, as a whole, have gained significant notoriety in the past year, with illicit profits garnered from highly publicized campaigns.

Capitalizing on this momentum, ransomware developers are continuing to expand and establish newly created ransomware variants for use in future campaigns.

Page 24:

Digital Guardian

• Founded 2003 to protect all data against theft

• Began with protecting IP on the endpoint - the most challenging use case

• Simplified compliance and cloud data protection with DG appliance

• Launched industry’s first Managed Security Program for DLP

• Only security company 100% focused on protecting sensitive data from loss or theft

#1 IP Protection

Page 25:

Digital Guardian: Advanced Threat Protection

Digital Guardian’s ATP sees this:

• Infiltration – Identification of the weakest link and exploiting it.

• Backdoor Installation – Malware installed on targeted system(s).

• Command & Control – Adversary’s communication with their own infrastructure.

• Execution – Adversary commands running on compromised system(s).

• Persistence – Presence on the compromised system through system restarts or privileged credentials loss.

• Escalation of Privileges – Obtaining a higher level of permissions for full control.

• Lateral Movement – Moving across an environment from one system to the next.

• Exfiltration – The removal of data to an external location.

… So you can stop these!

Spear Phishing Attack · Exploits · Malicious Network Operations · Malware Attacks · Registry Modifications · Privilege Misuse · Exploits · Data Theft

Page 26:

ATP Prevents Ransomware

Attack lifecycle:

1. Targeted phishing email received by admin.

2. Email attachment contains an encrypted archive file with a JavaScript exploit which bypasses email defenses.

3. Exploit installs ransomware which infects the computer; files are encrypted on the computer.

4. Ransomware encrypts 20,000+ additional files on mounted file servers.

Behavioral rules triggered along the way:

[Info]-ATP1003 - Double Click on Email Attachment

[Execution]-ATP3030 - Script Executed from Archive File

[Execution]-ATP1040 - Ransomware Note Creation

[Execution]-ATP1041 - Ransomware File Extensions

[Suspicious]-ATP1023 - Mass Editing of Files

Behavioral Rules BLOCK Across Entire Attack Lifecycle
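An added example (not Digital Guardian's ATP engine or its rule definitions) of how the three file-system behaviours this slide names, ransom note creation, ransomware file extensions and mass editing of files, can be expressed as detection logic over endpoint file events. The indicator lists (.locky is the extension Locky appended; the others are placeholders), the burst threshold and window, and the sample telemetry are assumptions constructed for the demonstration.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative indicators assumed for this example: .locky is the extension
# Locky appended; the rest are generic placeholders, not a vendor rule set.
RANSOM_EXTENSIONS = {".locky", ".encrypted", ".crypt"}
NOTE_NAME_HINTS = ("decrypt", "recover", "help_instructions", "ransom")
MASS_EDIT_THRESHOLD = 20                  # writes/renames by one process ...
MASS_EDIT_WINDOW = timedelta(seconds=60)  # ... inside this sliding window

def detect(events):
    """Run the three behavioural rules over a time-ordered list of
    (iso_timestamp, process, action, path) tuples. One alert per rule
    per process, returned as (rule, process, detail)."""
    alerts, seen = [], set()
    recent = defaultdict(deque)           # process -> recent write times
    def alert(rule, proc, detail):
        if (rule, proc) not in seen:
            seen.add((rule, proc))
            alerts.append((rule, proc, detail))
    for ts, proc, action, path in events:
        when = datetime.fromisoformat(ts)
        fname = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        name, ext = os.path.splitext(fname)
        # Rule 1: ransom note creation - a text/HTML "how to decrypt" file
        if action == "create" and ext in (".txt", ".html", ".hta") \
                and any(h in name for h in NOTE_NAME_HINTS):
            alert("ransom_note_creation", proc, path)
        if action not in ("modify", "rename"):
            continue
        # Rule 2: a file given an extension known to belong to ransomware
        if ext in RANSOM_EXTENSIONS:
            alert("ransomware_file_extension", proc, path)
        # Rule 3: mass editing - too many writes by one process in the window
        q = recent[proc]
        q.append(when)
        while when - q[0] > MASS_EDIT_WINDOW:
            q.popleft()
        if len(q) >= MASS_EDIT_THRESHOLD:
            alert("mass_file_editing", proc,
                  f"{len(q)} writes within {MASS_EDIT_WINDOW.seconds}s")
    return alerts

# Constructed sample telemetry following the slide's scenario: a script run
# from an e-mail attachment drops a note, then renames files on a mounted
# file server. The earlier Word edit is benign and must not alert.
SAMPLE_EVENTS = [
    ("2016-02-05T09:00:00", "winword.exe", "modify", r"C:\Users\admin\report.docx"),
    ("2016-02-05T09:01:00", "wscript.exe", "create", r"C:\Users\admin\_HELP_instructions.txt"),
] + [
    ("2016-02-05T09:01:%02d" % s, "wscript.exe", "rename",
     r"\\fileserver\share\scan%03d.locky" % s)
    for s in range(1, 31)
]
```

`detect(SAMPLE_EVENTS)` raises the three alerts in the order the slide lists them, all attributed to the script process; the mass-editing rule only fires once the twentieth rename lands inside the window, which is where a blocking response would have to act to limit the damage on the file server.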

Page 27:

Managed Security Programs

Achieve faster time to value with data loss prevention as a service

Get the latest defense strategies and intelligence now

Let us discover, monitor and protect your regulated data

Page 28:

What You Get: MSP for ATP

ONGOING THREAT INTELLIGENCE

Our team harnesses both externally and internally generated intelligence feeds for immediate detection based on known threat activity.

PREVENT ATTACKS IN REAL-TIME

• Dedicated team of analysts constantly review your data for anomalous behavior and alert you immediately upon discovery.

• Alerts generated by our MSP team will provide you with a summary of what’s been detected and include details such as entrance vector, root cause, endpoints affected, etc.

24/7 SUPPORT

Round the clock support on any questions or requests regarding the service or around threats that have been discovered within the client’s environment.

FULLY MANAGED ATP INFRASTRUCTURE

• Implementation and management of your advanced threat protection infrastructure.

• No in-house infrastructure, training or subject expertise required.

ONGOING IMPROVEMENT OF YOUR SECURITY POSTURE

Monthly expert risk analysis to assess, iterate and improve your incident response policies and procedures.

PROACTIVE THREAT HUNTING AND INCIDENT RESPONSE

With its proven incident response and threat hunting methodologies, our MSP team hunts, detects and responds to attacks in real-time.
