While the ransomware breach at Hollywood Presbyterian Medical Center in Los Angeles last month may seem like an unfortunate, yet isolated, incident, a new report from the Institute for Critical Infrastructure Technology (ICIT) warns that ransomware threats will likely escalate this year.
According to the ICIT report, 2016 will be the year ransomware will “wreak havoc on America’s critical infrastructure community.” “To pay or not to pay,” will be the question fueling heated debate in boardrooms across the country, according to the report authors, James Scott, ICIT senior fellow and Drew Spaniel, ICIT visiting scholar from Carnegie Mellon University.
ICIT is a non-profit think tank that advises decision makers on technology and cybersecurity trends in infrastructure sectors including government, defense and healthcare. The report gives an analysis of the ransomware threat as well as the attacker and targets and provides mitigation strategies.
“Ransomware is less about technological sophistication and more about exploitation of the human element. Simply, it is a digital spin on a centuries old criminal tactic,” the authors stated.
The report authors also tapped into cybersecurity research contributed by security firms, such as Kaspersky, Covenant Security Solutions, Securonix, Forcepoint, GRA Quantum and Trend Micro, for insights into ransomware attacks. These security firms predict a dominant resurgence of ransomware attacks this year, according to the report, and already healthcare organizations have been targeted, such as the incident at Hollywood Presbyterian Medical Center last month.
“The healthcare sector was not a traditional target for ransomware attacks. One theory is that attackers did not target systems that jeopardized lives,” Scott and Spaniel wrote. However, they noted that this mentality has recently changed, at least for the group operating the Locky ransomware, as evidenced by the incident at Hollywood Presbyterian Medical Center.
The report authors point out that cyber threat actors are using ransomware attacks because these attacks are “under combatted and highly profitable.” And, unlike hackers who attempt to exfiltrate or manipulate data, ransomware criminals only attempt to prevent access to data; during an active ransomware attack, business operations grind to a halt until the system is restored or replaced.
And, with the prevalence of mobile devices and the growth of the Internet of Things (IoT), the “potential threat landscape available to ransomware threat actors is too tantalizing a target to ignore.” Consequently, “Information security specialists and the technical controls that they implement must become adaptable, responsive, and resilient to combat emerging threats,” Scott and Spaniel wrote.
How profitable is ransomware? According to research provided by security firms, creating a phishing page and setting up a mass spam email costs about $150. “A trendy crypto ransomware sells for about $2000 on dark net forums. Locker ransomware probably costs less. This means that an attacker only needs to ransom eight everyday users (at the average $300) to generate a profit,” the authors wrote.
“Symantec estimated that in 2009, 2.9 percent of the victims paid the ransom. In 2014, CTU researchers estimated that about 1.1 percent of the Cryptowall ransomware victims paid the ransom (at an average of $500). Despite this seemingly low response rate, the FBI reported that from the 992 related complaints, Cryptowall reportedly netted over $18 million from victims between 2014-2015.”
The report specifically details the types of ransomware, such as locker ransomware and crypto ransomware, with the Locky ransomware being an active example and the type that infected medical systems belonging to Hollywood Presbyterian Medical Center. In that incident, while healthcare data remained unaffected, computers essential to laboratory work, CT scans, emergency room systems and pharmacy operations were infected.
“After ten days, the administration paid attackers 40 Bitcoins ($17,000) to release the systems. Later that week, five computers belonging to the Los Angeles County health department were infected with a ransomware variant. The health department refuses to pay the ransom and will restore its systems from backups. Similarly, two hospitals in Germany were infected with ransomware at roughly the same time as Hollywood Presbyterian Medical Center. Both are restoring their systems from backup systems,” Scott and Spaniel wrote.
Scott and Spaniel also highlight that ransomware follows the same distribution and infection vectors, or delivery channels, as traditional malware such as traffic distribution services, malvertisement, phishing emails, downloaders, social engineering and ransomware as a service (RaaS).
The authors also detail mitigation strategies, noting that “preventing infection is preferred over remediation efforts.”
“The first step to mitigating a ransomware threat is to implement a comprehensive cybersecurity strategy,” the authors stated. “Software and hardware solutions are necessary, but they are not the only necessity. First and foremost, information security training and awareness must improve. Afterward, organizations can rely on the layered defenses that they have invested in to secure their network.”
The report recommends that organizations have a dedicated information security team to ensure that all systems are updated and patched and that critical systems are backed up. Organizations also should have layered defenses to protect networks. And, personnel training and awareness are critical, as information security experts often cite that “humans are the weakest link.”
“Employees should be trained to recognize a malicious link or attachment. There is no justifiable reason that most organizations cannot reduce their personnel’s malicious link click rate below 15 percent,” the authors stated. “Teach employees to not click on any links in any emails. It takes barely any more time to type a link into Google as it does to click the link. Personnel should only open attachments from personnel that they trust and only if they are expecting the file.”
Healthcare leaders also should focus on administrative policies and procedures to strengthen cyber defense and consider cyber insurance policies that cover ransomware attacks.
When a compromise does occur, the ICIT report recommends that organizations refrain from communicating with the attacker until the situation is thoroughly assessed and a course of action decided.
“The proper response will depend on the risk appetite of the organization, the potential impact of the hostage data, the impact on business continuity, whether a redundant system is available, and the sectorial regulatory requirements,” Scott and Spaniel wrote.
According to the report, there are several response options:
- Engage the incident response team which will, in turn, notify the authorities
- Try to implement a solution without an information security team
- Attempt to recover the data through system backup or recover data through shadow copies or file recovery software tools
- Do nothing; back up the system and ignore the ransom demand; or, if there is no backup but the ransom outweighs the cost of the system, then purchase a new device and dispose of the infected system
- Pay the ransom. If this option is legitimately being debated, the report authors recommend doing an internet search on the type of ransomware holding the system to find out whether cybercriminals who use that ransomware are likely to release the data after receiving payment.
- Hybrid solution which includes simultaneous efforts to pay the ransom and to triage the system to attempt to restore from a backup server.
The report authors concluded that the enlistment of an information security team is the first step in a companywide security strategy. And, the information security team should, at minimum, “conduct an immediate companywide vulnerability analysis, develop a crisis management strategy that takes into consideration all known threats and also conduct continuous device and application patching, auditing of third party vendors and agreements as well as organizational penetration testing and security-centric technological upgrades.” “Together, these actions can profoundly minimize a company’s attack surface,” the authors stated.