The Rise of Ransomware in Healthcare · Ransomware Delivery: Phishing Social-based Attack...
The Rise of Ransomware in Healthcare
Tim Bandos, Sr. Director of Cyber Security, Digital Guardian
“The cybercriminals behind ransomware do not particularly care who their victims are, as long as they are willing to pay the ransom.”
What Is Ransomware
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid.
Two Types:
Lock Screen – Shows a full screen message that prevents you from accessing the PC
Crypto – Alters your files so you can no longer open and view them
How Ransomware Works
User Clicks on a Link or an Attachment in
Encryption of files occurs within minutes or even seconds!
Once encryption is complete, a ransom is displayed with X amount of time to pay for the decryption key
Ransomware Evolution
Can you guess when the first appearance of Ransomware surfaced?
Ransomware Stats
97% of phishing emails are now delivering ransomware
71% of organizations who are targeted by ransomware end up infected
95% of ransomware victims refused to pay the ransom
[Charts: Delivery Mechanisms; % of Ransomware Victims Using Security Solutions at Time of Attack]
Top Affected Industry: Healthcare
*FireEye Blog: https://www.fireeye.com/blog/threat-research/2016/08/locky_ransomwaredis.html
Strains of Ransomware
Ransomware Headlines
Hospitals Hit with Ransomware in 2016
Titus Regional Medical Center
Hollywood (Calif.) Presbyterian Medical Center
Klinikum Arnsberg Hospital
Los Angeles County health department
The Ottawa Hospital
Methodist Hospital
DeKalb Health
Kansas Heart Hospital
Professional Dermatology Care
Keck Medicine
Marin General Healthcare District
Prima Medical Group
Rainbow Children's Clinic
Cost of Ransomware: $7,900 a minute, per Incident (*Ponemon Institute)
Case One
Hollywood Presbyterian Medical Center
How it Happened: According to Wired Magazine, the computer system was hit by a ransomware virus called Locky, which locks users out and won’t send a decrypting key unless a ransom is paid. The attack likely occurred because an employee mistakenly clicked on an email attachment that was actually a phishing scam.
In order for the hospital to regain access, the ransomware demanded 40 Bitcoin (approximately $17,000) which was ultimately paid.
Doctors told reporters they were unable to access patients’ medical histories and could not share x-rays, CT scans, and other medical tests.
Aftermath: IT experts have concluded that Hollywood Presbyterian Medical Center did not have any backup data available and, due to the widespread infection of their system, likely had a very weak security infrastructure.
Case Two
Kansas Heart Hospital
How it Happened: Hackers got access to the systems and locked up the files, refusing to give back access unless the hospital paid a ransom. The hospital paid the ransom; however, the attackers did not return full access and instead demanded another ransom.
Aftermath: According to the report, patient information was not jeopardized and the attack did not impact patient treatment. The IT team was in the process of restoring the rest of the systems that had been compromised.
Ransomware Delivery: Phishing
Social-based Attack
Fraudulent attempt made through email to fool the victim in order to acquire sensitive information.
Phishing Represents 77% of all socially based attacks.
Generally speaking, ‘phishing’ emails are exploratory attacks in which criminals attempt to obtain victims’ sensitive data, such as personally identifiable information and/or network access credentials.
Phishing Detection
Check the e-mail addresses
Be suspicious of e-mail addressed to “Dear Customer”
Be suspicious of grammar or spelling mistakes.
Be suspicious of any email that requires “immediate action”.
Be careful with links – hover over them to identify the true link
Be suspicious of attachments
Messages that sound too good to be true
E-mail from your friend or co-worker does not necessarily mean that they sent it.
https://digitalguardian.com/blog/dont-get-hooked-how-recognize-and-avoid-phishing-attacks-infographic
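The checks above can be applied mechanically to an inbound message. The following is an added example (not code from the presentation or from Digital Guardian): it parses one constructed message and reports which of the slide’s indicators it trips; the sample message, the urgency word list and the hostnames are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): an outside sender posing as an
# internal department, a generic greeting, urgency wording, and a link whose
# visible text shows one host while the real href points at another.
SAMPLE_EMAIL = """\
From: "Payroll Department" <payroll@example-payroll.test>
To: staff@hospital.test
Subject: Immediate action required
Content-Type: text/html

<p>Dear Customer,</p>
<p>Your account will be suspended unless you act within 24 hours:
<a href="http://login.example-bad.test/auth">https://portal.hospital.test/login</a></p>
"""

URGENCY = re.compile(r"immediate action|urgent|within 24 hours|suspended", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|member)\b", re.I)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(text):
    """Lower-cased hostname of a URL or bare hostname; '' if none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def phishing_indicators(raw):
    """Apply the slide's checks to one raw message; return the indicators found."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    found = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    recipient_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    # "Check the e-mail addresses": an outside domain posing as a colleague or department.
    if sender_domain and sender_domain != recipient_domain:
        found.append("external_sender")
    if GENERIC_GREETING.search(body):
        found.append("generic_greeting")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        found.append("urgency")
    # "Hover over links": the visible text names a different host than the href.
    for href, text in ANCHOR.findall(body):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if re.fullmatch(r"\S+\.\S+", visible) and host_of(visible) != host_of(href):
            found.append("link_mismatch")
            break
    return found
```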
Phishing Example with Ransomware
You’re Infected…
Now What?
First off, take a deep breath and don’t panic.
DO NOT pay the Ransom.
Key Ransomware Objective: Instill Fear & Uncertainty
What are my options?
• If you do not have a backup, fear not. Encrypted files from some strains of ransomware can actually be decrypted for free.
• Go to https://www.nomoreransom.org/
Tips from Tim
Common Sense
• Issue: Security professionals assume that end users should exercise common sense.
• There is no such thing as common sense without base common knowledge.
• Security Programs will fail, because they assume there is common knowledge.
It’s Not Dumb Users
• Issue: Security professionals don’t adequately prepare and then blame end users for security breaches.
• Security staff should always ask this question after an incident: what could we have done better?
• Balancing the right level of technology with security awareness is imperative.
Security Awareness
Security Awareness is getting people to implement secure practices into their daily activities, in an effort to strengthen the overall security culture.
Incident Response Plan
A Cyber Security Incident Response Plan provides a formal, coordinated approach to responding to cyber security
incidents affecting information assets.
Defines:
Incident classification
Roles and responsibilities
Incident reporting and escalation
Communication channels for information flow
Outlines the overall incident response processes
Who’s on the IR Team?
Technical
Incident Response Manager
Security Analysts
Threat Researchers
Responsible for identification and response to cyber threats including forensics and root cause analysis.
Non-Technical
Chief Security Officer
Chief Information Security Officer
Chief Information Officer
Legal Counsel
Human Resources
Compliance
Public Affairs
Directs all strategic and non-technical elements of the incident response including communications and enforcing all corrective actions.
5 Incident Response Phases
Preparation
Detection & Reporting
Triage & Analysis
Containment & Neutralization
Post-Incident Activity
Prevention Recommendations
1. Email Filtering – Actively filtering email attachment types that are potentially dangerous
2. End User Education – Teaching users how to identify potentially malicious links and attachments
3. Patch Management – Staying on top of recently released patches for the Operating System / 3rd Party Applications
4. Install Ad Blockers – Help protect against malicious ads from legitimate sites
5. Exploit Prevention – Microsoft’s Enhanced Mitigation Experience Toolkit
6. Backup & Recovery – Implement an effective backup plan in case you need to restore
7. Data Protection Suite – Consider leveraging a Data Loss Prevention technology with the ability to prevent malware infections and ransomware attempts to encrypt files.
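Recommendation 1, email filtering of dangerous attachment types, is shown below as an added example (not the presentation’s or Digital Guardian’s code). The blocked-extension list is an assumed policy, and the message is constructed in the code itself. The point worth noting for defenders: a zip’s entry names sit in the clear in its central directory, so a filter can still see a script inside a password-protected archive without extracting it.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extension policy assumed for this example (not a list from the slides):
# script and executable types commonly used as ransomware droppers.
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr"}

def ext_of(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""

def dangerous_names(filename, data):
    """Blocked names inside one attachment. A .zip is inspected by listing its
    central directory without extracting; entry names are stored in the clear,
    so this works even when the archive is password-protected."""
    ext = ext_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return [filename]
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return [n for n in zf.namelist() if ext_of(n) in BLOCKED_EXTENSIONS]
        except zipfile.BadZipFile:
            return [filename]  # unreadable archive: fail closed and quarantine it
    return []

def scan_message(raw):
    """Walk every MIME part of a raw message and collect blocked attachment names."""
    hits = []
    for part in message_from_bytes(raw).walk():
        filename = part.get_filename()
        if filename:
            hits.extend(dangerous_names(filename, part.get_payload(decode=True)))
    return hits

def build_sample():
    """Constructed message (not real mail): a zip hiding a .js file beside a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed placeholder, not a real script")
        zf.writestr("readme.txt", "harmless text")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.test", "admin@hospital.test", "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```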
Future of Ransomware
We expect to see the ransomware threat landscape sustain, if not exceed, momentum levels observed over the past several years.
Cyber extortion operations, as a whole, have gained significant notoriety in the past year, with illicit profits garnered from highly publicized campaigns.
Capitalizing on this momentum, ransomware developers are continuing to expand & establish newly created ransomware variants for use in future campaigns.
Digital Guardian
Founded 2003 to protect all data against theft
Began with protecting IP on the endpoint - the most challenging use case
Simplified compliance and cloud data protection with DG appliance
Launched industry’s first Managed Security Program for DLP
Only security company 100% focused on protecting sensitive data from loss or theft
#1 IP Protection
Digital Guardian: Advanced Threat Protection
Digital Guardian’s ATP sees this:
Infiltration – Identification of the weakest link and exploiting it
Backdoor Installation – Malware installed on targeted system(s).
Command & Control – Adversary’s communication with their own infrastructure.
Execution – Adversary commands running on compromised system(s).
Persistence – Presence on the compromised system through system restarts or privileged credentials loss
Escalation of Privileges – Obtaining a higher level of permissions for full control
Lateral Movement – Moving across an environment from one system to the next.
Exfiltration – The removal of data to an external location.
… So you can stop these: Spear Phishing Attack, Exploits, Malicious Network Operations, Malware Attacks, Registry Modifications, Privilege Misuse, Exploits, Data Theft
ATP Prevents Ransomware
Attack chain:
1. Targeted Phishing Email Received by Admin
2. Email Attachment Contains Encrypted Archive File with JavaScript Exploit which Bypasses Email Defenses
3. Exploit Installs Ransomware which infects Computer; Files are Encrypted on Computer
4. Ransomware Encrypts 20,000+ Additional Files on Mounted File Servers
Behavioral rules triggered along the chain:
[Info]-ATP1003 - Double Click on Email Attachment
[Execution]-ATP3030 - Script Executed from Archive File
[Execution]-ATP1040 - Ransomware Note Creation
[Execution]-ATP1041 - Ransomware File Extensions
[Suspicious]-ATP1023 - Mass Editing of Files
Behavioral Rules BLOCK Across Entire Attack Lifecycle
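The three file-level behaviours named above (ransomware note creation, ransomware file extensions, mass editing of files) can be illustrated over a stream of file events. The following is an added example, not Digital Guardian’s rule engine: the rule labels are taken from the slide, but the thresholds, the extension and note-name lists, the process name and the event stream are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXTENSIONS = {".locky", ".zepto", ".encrypted"}                  # assumed sample list
RANSOM_NOTE_NAMES = {"_help_instructions.txt", "how_to_decrypt.html"}  # assumed sample list
MASS_EDIT_THRESHOLD = 50                   # distinct files modified by one process ...
MASS_EDIT_WINDOW = timedelta(seconds=60)   # ... within this window (both assumed)

def build_events():
    """Constructed file-event stream (ts, process, action, path), not real telemetry:
    an editor saving a few documents, then a script mass-renaming files on a share."""
    t0 = datetime(2016, 9, 1, 9, 0, 0)
    events = [(t0 + timedelta(minutes=i), "winword.exe", "modify",
               f"C:\\Users\\a\\doc{i}.docx") for i in range(3)]
    for i in range(60):
        ts = t0 + timedelta(minutes=5, seconds=i)
        events.append((ts, "wscript.exe", "modify", f"\\\\fs01\\share\\patient{i}.docx"))
        events.append((ts, "wscript.exe", "rename", f"\\\\fs01\\share\\patient{i}.docx.locky"))
    events.append((t0 + timedelta(minutes=6, seconds=30), "wscript.exe", "create",
                   "\\\\fs01\\share\\_HELP_instructions.txt"))
    return events

def detect(events):
    """Apply the three behavioural checks; return a sorted list of (rule, process)."""
    alerts = set()
    recent = defaultdict(deque)  # process -> (ts, path) pairs inside the sliding window
    for ts, proc, action, path in sorted(events):
        name = path.rsplit("\\", 1)[-1].lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if action in ("rename", "create") and ext in RANSOM_EXTENSIONS:
            alerts.add(("ATP1041 ransomware file extensions", proc))
        if action == "create" and name in RANSOM_NOTE_NAMES:
            alerts.add(("ATP1040 ransomware note creation", proc))
        if action == "modify":
            window = recent[proc]
            window.append((ts, path))
            while window and ts - window[0][0] > MASS_EDIT_WINDOW:
                window.popleft()
            if len({p for _, p in window}) >= MASS_EDIT_THRESHOLD:
                alerts.add(("ATP1023 mass editing of files", proc))
    return sorted(alerts)
```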
Managed Security Programs
Achieve faster time to value with data loss prevention as a service
Get the latest defense strategies and intelligence now
Let us discover, monitor and protect your regulated data
ONGOING THREAT INTELLIGENCE
Our team harnesses both externally and internally generated intelligence feeds for immediate detection based on known threat activity.
What You Get: MSP for ATP
PREVENT ATTACKS IN REAL-TIME
• A dedicated team of analysts constantly reviews your data for anomalous behavior and alerts you immediately upon discovery.
• Alerts generated by our MSP team provide you with a summary of what’s been detected and include details such as entrance vector, root cause, endpoints affected, etc.
24/7 SUPPORT
Round the clock support on any questions or requests regarding the service or around threats that have been discovered within the client’s environment.
FULLY MANAGED ATP INFRASTRUCTURE
• Implementation and management of your advanced threat protection infrastructure.
• No in-house infrastructure, training or subject expertise required.
ONGOING IMPROVEMENT OF YOUR SECURITY POSTURE
Monthly expert risk analysis to assess, iterate and improve your incident response policies and procedures.
PROACTIVE THREAT HUNTING AND INCIDENT RESPONSE
With its proven incident response and threat hunting methodologies, our MSP team hunts, detects and responds to attacks in real-time.