Ransomware Rules for Payment: Do Extortionists Have the Advantage?

Mar 04, 2016 | by Angel Grant, CISSP

When an entire health system fell prey to cybercriminals and medical records were locked up by a ransomware attack in early February, there seemed no choice but to pay the sum demanded in order to avoid the impact on patient care: $17,000 in 40 Bitcoin. And in that single moment, one hospital became the obligatory canary in a coal mine.

This is only the start of what I expect to be a proliferation of cyber extortion activity in 2016 especially in the healthcare industry as PHI has become incredibly valuable in dark web cybercrime forums. Not only are we going to be hearing more about these kinds of cybercriminal activities, but in the long run, we're probably going to see organizations continue to pay out even more to these cyber extortionists. The precedence is now set with so many organizations paying up.

In fact, some of this has already come to pass. Forbes reported that the original amount demanded by the ransomware attackers was more than 9,000 Bitcoin or the equivalent of $3.6 million. In that same article it was disclosed that a new, "virulent strain of ransomware" known as Locky was infecting at least 90,000 machines a day. The ransomware asked for (in Locky's case that is) was roughly the equivalent of $420 for users to unlock their files.

Just as the politicos at the highest levels of our government should not pay ransom to terrorist for hostages, we should not pay out on ransomware attacks like this. It only serves to embolden these miscreants to take more hostages.

In a statement about the hospital's decision to pay the ransom, Allen Stefanek, Hollywood Hospital's CEO, conceded that "the quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this."

Now, I get it, kind of. We have embraced electronic medical records to help improve quality of patient care and if that information gets stolen or manipulated it can mean life or death - how do you put a price tag on that? If you're a hospital and your records are suddenly encrypted and your operations come to a standstill, then really, what choice do you have? On the other hand, I strongly encourage our healthcare community to immediately start doing the following:

  1. All employees - not just the IT staff but also rank and file workers - should have thorough training on how to avoid phishing attacks either by clicking on suspicious emails or going to non-approved websites infected with drive-by malware; and speaking of that...
  2. Block access to malicious websites and enable behavioral monitoring to keep malware like this off your network. Real time tracking and correlation of security events across infrastructure, cloud, mobile and web applications enable quick response to potential threats or violations of policy. Creating a consolidated view of activity helps you quickly detect anomalies and efficiently spot cybersecurity breaches leading to a more targeted response.
  3. Create a consolidated program to ensure compliance, privacy and security. This includes identifying your most sensitive assets and establishing polices on who can access the data and how should it be stored.
  4. Have a contingency plan (maybe in the cloud, maybe in an offsite, multi-tenant data center) to have all of your data backed up regularly to anticipate and avoid events just like this.
  5. Keep your systems up to date. Ask yourself: what is our malware containment tools and overall "strategy" to combat these kinds of attacks and is it up to date? When was it last tested?

The bottom line: It's no longer sufficient to live by the maxim "This can't happen here, this can't happen to me," because that just doesn't pass muster when you get in the sight of ransomware attackers.

I'll grant you that taking that approach might not be the most practical when it comes to these kinds of attacks. However, I also thoroughly believe that if you're proactive in warding them off through strategies like mentioned above, (and others) that chirping you're hearing (in this case on your network) will grow fainter and fainter still. Until, I hope it goes away entirely - much like the continuing and crippling instances of ransomware itself.

Be vigilant my friends once one of us plays ... the rest of us pays! And remember - consequences drive behavior whether good or bad and without real consequences, the rules of engagement will never change.

Learn more about RSA Fraud and Risk Intelligence by following: @RSAFraud

Author: Angel Grant, CISSP

Category: RSA Fundamentals, RSA Point of View

Keywords: Advanced Threats, Authentication, Cybercrime and Fraud, Healthcare, IAM, Locky, Ransomware, Risk & Compliance (GRC)