Ransomware Threats to the Healthcare Industry

Tim Gurganus, GCFA, CISSP
Cisco Active Threat Analytics
9/10/2016
https://cisco.box.com/ransomware-healthcare-bsides.pdf
Outline

State of Infosec in Healthcare
Healthcare network vulnerabilities
General mass-distributed ransomware incidents
    Locky
    Cerber
    CryptXXX
    Exploit kit attacks
    Attacks via email
Targeted ransomware incidents
    SamSam attacks
    How they break in
    Ransomware spreaders
Ransomware - the next wave
What to do - Recommendations for prevention and incident response
Healthcare & Technology

Due to the rising cost of healthcare, the industry is going through a transformation

Healthcare is trying to figure out how to use technology (How to use big data? Patient data?) to provide better care at a lower cost:

EMR (electronic medical record) solutions are being rushed out

Early adopters are implementing functional, reliable, but not security-hardened solutions
State of Infosec in Healthcare

50% of Cisco Active Threat Analytics healthcare customers had no IR plan and no IR team when monitoring began

All customers had devices running on older versions of Windows, such as Windows XP

50 types of devices on the average hospital network

CIOs of hospitals have on average 100 – 200 active projects they are managing at once
    How can they see where to focus security improvements?

90% of healthcare devices have no security features
    They were designed on the assumption that clinical data never leaves the device
State of Infosec in Healthcare

Many healthcare networks have the same enterprise vulnerabilities:

–  Use of shared passwords
–  Low use of encryption
–  Very little logging
–  Weak/flawed encryption in applications
–  Many untested/vulnerable apps with OWASP Top 10 vulnerabilities
–  Unpatched operating systems and applications
–  Still using devices/applications running on Windows XP
–  Some network devices don't use authentication
–  Flat networks with no segmentation
–  Low use of NAC – they don't know all the devices on their network
–  Decentralized IT support – Lab, Admin, Clinical, Building/Physical Security
Ransomware Impact to Healthcare

100% of Cisco ATA healthcare customers have had systems encrypted by ransomware

Most common ransomware families were CryptoWall, TeslaCrypt and Locky

Most common method of infection is web browser exploit via the Angler exploit kit

Second most common method is malicious email attachment

75% of medical institutions have been or believe they have been victims of ransomware attacks

Healthcare is lagging in defense and protection from cyber attacks

This puts PII and PHI at risk and makes healthcare a target for ransomware
Ransomware Impact to Healthcare

Locky Ransomware Distributed Via DOCM Attachments in Latest Email Campaigns

"Throughout August, FireEye Labs has observed a few massive email campaigns distributing Locky ransomware. The campaigns have affected various industries, with the healthcare industry being hit the hardest based on our telemetry, as seen in figure below:"

Cisco ATA 8
Growth of Ransomware

December 2015: 17% of all malware payloads from exploit kits were ransomware

May 2016: 61% of all malware payloads from exploit kits are ransomware
Healthcare is a Target

Typical Incident: TeslaCrypt ransomware installed by Angler Exploit Kit

1.  Hospital staffer browsed to: http://daytonoptometric.com/
    - The optometric website was compromised
    - The hacker had used a mass infection tool to change the website so that every first-time visitor to the site was redirected to another compromised site: toegewijd-langle.christian-cook.co.uk
2.  toegewijd-langle.christian-cook.co.uk delivered a landing page for the Angler exploit kit to test if the target was vulnerable
3.  The target was running a gold image used by the hospital that included an old version of Flash Player
4.  The exploit kit detected the version of Flash and sent the appropriate version of the Flash exploit in an SWF file to exploit the target
5.  After the exploit succeeded, the target downloaded an EXE of the TeslaCrypt ransomware
Healthcare is a Target

TeslaCrypt ransomware installed by Angler Exploit Kit cont.

6.  The TeslaCrypt ransomware installed and connected to its command and control server on another compromised host: http://tele-channel.com/wp-admin/maint/wcspng.php
7.  After receiving the encryption key, the ransomware began encrypting the file system of the hospital staffer's workstation

Typical to find PCs in hospitals that are not up to date on patches

Typical to find that the hospital has no patch management solution to install security patches in a timely manner

Often 100s of applications need to be tested before patches can be distributed

Most infections can be traced to clinical staff web browsing from a workstation that was missing Flash Player patches

Some infections seem to come from hospital staff accessing personal email from clinical care networks
	
  
	
  
	
  
	
  
Active Ransomware Families – CryptXXX Ransomware

CryptXXX is believed to have been developed by the same group that wrote the Reveton ransomware

CryptXXX is distributed via exploit kit and malicious email attachment

On first launch, CryptXXX delays execution for 3721 seconds (about 62 minutes, longer than a typical automated sandbox run) to avoid automated sandbox analysis

CryptXXX has other anti-analysis functions such as:
    Checking the CPU name in the registry
    Monitoring for mouse events

CryptXXX will encrypt files on the local drives as well as any mounted drives

CryptXXX has functions for stealing bitcoin and credential data (such as passwords stored in browsers, FTP clients, email clients and IM clients)
	
  
	
  
	
  
Active Ransomware Families – Cerber Ransomware

Cerber is distributed via malicious email attachment and by exploit kit

Example message subjects:
Subject: Metus Corporation
Subject: user@email.com has sent you a message
Subject: user@email.com has sent you a file via WeTransfer

Cerber attacks have been distributed using the Dridex botnet
The file type of the attachment is typically MS Word DOC
The Word macro typically builds a VBS script and launches it to download the Cerber executable
The latest variants actually use the Microsoft BITS service for the download
Some Cerber downloaders have the .RTF extension
Some Cerber campaigns have used JavaScript downloaders in .ZIP file attachments
Once Cerber starts running, it sends UDP packets to command and control servers in one of three ranges on UDP port 6892:
        31.184.234.0/24 or 31.184.235.0/24 or 85.93.0.0 - 85.93.43.138
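The beacon pattern above (UDP to port 6892, destination inside one of three ranges, one of which is a start-end range rather than a CIDR block) is easy to turn into a flow-log check. The following is an added example, not code from the talk: the flow-line format is a constructed stand-in for whatever NetFlow or firewall export a hospital SOC actually collects, and the sample flows are made up. Both conditions must hold for a hit, so ordinary UDP/6892 traffic to other hosts, or TCP to these ranges, is ignored.

```python
"""Flag UDP traffic to the Cerber C2 ranges named on the slide (added example)."""
import ipaddress

CERBER_PORT = 6892  # UDP port named on the slide

# Ranges from the slide. The third is a start-end range, not a CIDR block,
# so it is expanded to the minimal set of networks that cover it exactly.
CERBER_RANGES = (
    [ipaddress.ip_network("31.184.234.0/24"),
     ipaddress.ip_network("31.184.235.0/24")]
    + list(ipaddress.summarize_address_range(
        ipaddress.ip_address("85.93.0.0"),
        ipaddress.ip_address("85.93.43.138")))
)


def is_cerber_c2(dst_ip: str, proto: str, dst_port: int) -> bool:
    """True when a flow matches the beacon pattern: UDP/6892 to a listed range."""
    if proto.upper() != "UDP" or dst_port != CERBER_PORT:
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in CERBER_RANGES)


def parse_flow(line: str):
    """Parse one constructed flow line of the form
    <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <bytes>
    Returns None for blank or malformed lines instead of raising, so one
    bad export record does not stop the detector."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    try:
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        return {"ts": parts[0], "src_ip": src_ip, "src_port": int(src_port),
                "dst_ip": dst_ip, "dst_port": int(dst_port),
                "proto": parts[4], "bytes": int(parts[5])}
    except ValueError:
        return None


def find_cerber_beacons(lines):
    """Return (timestamp, internal source IP, C2 IP) for each matching flow."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow and is_cerber_c2(flow["dst_ip"], flow["proto"], flow["dst_port"]):
            hits.append((flow["ts"], flow["src_ip"], flow["dst_ip"]))
    return hits


# Constructed sample export: two beacons from one clinical workstation, a DNS
# lookup, a web session, and a UDP/6892 flow just outside the third range.
SAMPLE_FLOWS = """\
2016-09-10T08:01:12Z 10.20.31.45:51234 -> 31.184.234.77:6892 UDP 29
2016-09-10T08:01:12Z 10.20.31.45:51234 -> 85.93.43.138:6892 UDP 29
2016-09-10T08:01:13Z 10.20.31.45:53011 -> 10.20.1.5:53 UDP 64
2016-09-10T08:01:15Z 10.20.31.45:49876 -> 93.184.216.34:443 TCP 5120
2016-09-10T08:02:00Z 10.20.31.46:40000 -> 85.93.44.1:6892 UDP 29
""".splitlines()

if __name__ == "__main__":
    for ts, src, dst in find_cerber_beacons(SAMPLE_FLOWS):
        print(f"{ts} possible Cerber beacon: {src} -> {dst}/udp/{CERBER_PORT}")
```

The ranges are the ones on the slide and date from 2016; in practice they belong in an indicator feed that is refreshed, not hard-coded, and a hit should be followed by isolating the source workstation before it finishes encrypting.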
  
	
  
Active Ransomware Families – Locky Ransomware

Delivered via email attachment by the Dridex botnet, only on weekdays

Locky seems to target business email addresses

Locky uses an affiliate model

Each variant has an affiliate ID that is used to distribute collected ransoms

Locky ransomware infections on Day 0:
Ransomware Propagation

None of the mass-distributed ransomware families have spreader functions for self-propagation

There were affiliates of CryptoWall that performed targeting

In some cases they used custom-made builds of the ransomware that were not detected by antivirus software due to their low circulation

In one outbreak of CryptoWall, the initial victim was compromised with a password stealer, like Dridex or Zeus

Ransomware was spread to other systems within the same Windows domain via a PsExec-based worm

Other network spreaders have also been found in incident analysis
Targeted Ransomware Attacks

After compromising an external-facing server in the hospital, attackers deployed a tool to harvest Active Directory details

A list of target systems and accounts was created after mapping the network

After encryption is complete, the ransomware displays the ransom note and securely deletes itself

SamSam – after compromising the JBoss server, the memory of the server was searched for AD passwords and password hashes
These were used to move laterally
A spreader was executed on machines where access was successful
Targeted Ransomware Attacks - 2

Each machine encrypted had a ransom of 1.5 bitcoin to purchase the decryption utility

Analysis of the bitcoin accounts indicated ransoms of $7000 - $9000 had been paid

The incident at Hollywood Presbyterian Medical Center and others in Germany and Australia were targeted ransomware attacks
Targeted Ransomware Incident

Based on actual incident:
•  Offsite location reports computer problems beginning on a Sunday night
•  370 applications running at that location were affected
•  Following their IR plan, a mid-level director was involved and IR actions were initiated
•  The situation was assessed to be getting worse into Monday morning
•  To protect systems from further damage, the electronic medical records system (EMR) was shut off
•  This affected the entire hospital network and impacted patient care, the building management system, and ordering of supplies and equipment
•  In all, 10 hospitals and 300 locations were affected
Targeted Ransomware Incident

Lessons learned:
•  Some type of ransomware incident is an eventuality, so plan accordingly
•  A ransomware incident is different from a PHI breach
•  Plan to have a downtime Incident Command Center that works to coordinate the response without relying on computer networks
•  Plan/rehearse a comprehensive plan for when all applications are unavailable – this is different from an individual plan for one application failing
•  Include a communications plan for staff, patients and the public while maintaining compliance
•  Plan for a marathon of recovery activity (what order will applications be restored? Can additional staff be brought in?)
      In 72 hours, essential applications were restored
      Full recovery took 3 weeks (how to enter the data once systems are restored?)
•  Plan for manual record keeping and patient care for an extended period
Breaking in via HVAC Controllers and Terminals

Cisco ATA has seen several instances of HVAC systems compromised via RDP dictionary attack and then used to spread ransomware inside the network

System identified as a SIEMENS HVAC system based off customer inventory

In one incident, vendor support staff downloaded ransomware using the on-site terminal for the HVAC system

Impact to Hospital:
"Shutdown of system would result in loss of capability to remotely monitor coolant systems, possibly impacting patient care."
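An RDP dictionary attack against an exposed HVAC terminal leaves a distinctive trail in the Windows Security log: a burst of 4625 (failed logon) events from one source address, many different usernames, and in the bad case a 4624 (successful logon) from the same source afterwards. The following is an added example, not code from the talk; the event lines are constructed in a simplified key=value form rather than real EVTX, and the threshold and window are assumptions to tune per site.

```python
"""Spot an RDP dictionary attack in Windows Security log events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon type 10 = RemoteInteractive (RDP). Failed NLA pre-authentication is
# logged as type 3 (Network), so both are counted as RDP attempts here.
RDP_LOGON_TYPES = {"3", "10"}


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S")
    return fields


def detect_rdp_dictionary(events, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per (source IP, target host) whose RDP failed-logon
    count within any `window` reaches `threshold`. Each alert records how many
    distinct usernames were tried and whether a successful RDP logon from the
    same source followed the failures, which is the case to escalate first."""
    failures = defaultdict(list)    # (src, host) -> [(ts, user)], time-ordered
    successes = defaultdict(list)   # (src, host) -> [ts]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue  # console logons and service logons are not RDP guessing
        key = (ev["src"], ev["host"])
        if ev["id"] == "4625":
            failures[key].append((ev["ts"], ev["user"]))
        elif ev["id"] == "4624":
            successes[key].append(ev["ts"])

    alerts = []
    for key, fails in failures.items():
        start = 0
        for end in range(len(fails)):           # sliding window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {u for _, u in fails[start:end + 1]}
                first_fail = fails[start][0]
                alerts.append({
                    "src": key[0], "host": key[1],
                    "failures": end - start + 1,
                    "distinct_users": len(users),
                    "followed_by_success": any(t > first_fail for t in successes[key]),
                })
                break  # one alert per source/host pair is enough for triage
    return alerts


# Constructed sample: 12 guesses in under 3 minutes from one external address,
# then a successful RDP logon; plus two typos from facilities staff and one
# console (type 2) failure that must not count.
_GUESSED_USERS = ["administrator", "admin", "siemens", "hvac", "service", "operator",
                  "guest", "support", "user", "test", "root", "backup"]
SAMPLE_EVENTS = [
    f"ts=2016-09-04T22:{10 + i // 4:02d}:{(i * 15) % 60:02d}|id=4625|logon_type=3"
    f"|src=203.0.113.9|host=HVAC-TERM-01|user={u}"
    for i, u in enumerate(_GUESSED_USERS)
] + [
    "ts=2016-09-04T22:14:05|id=4624|logon_type=10|src=203.0.113.9|host=HVAC-TERM-01|user=siemens",
    "ts=2016-09-04T22:00:00|id=4625|logon_type=10|src=10.20.5.7|host=HVAC-TERM-01|user=facilities",
    "ts=2016-09-04T22:00:30|id=4625|logon_type=10|src=10.20.5.7|host=HVAC-TERM-01|user=facilities",
    "ts=2016-09-04T22:05:00|id=4625|logon_type=2|src=-|host=HVAC-TERM-01|user=facilities",
]


def run_sample():
    return detect_rdp_dictionary([parse_event(line) for line in SAMPLE_EVENTS])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

A "followed_by_success" alert against a building-management host is the entry point described on this slide; the response is to cut RDP exposure for that host, reset the guessed account, and look for the spreader on everything it could reach, not just to block the source address.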
  	
  
What Could be Next?

Entire hard drive encryption - replace MBR == Petya
Chimera ransomware (not active) - threatened to leak data of certain types
    Threaten to create a HIPAA violation for ransom
Encryption of file servers
Encryption of cloud storage that is mounted as a UNC path or drive letter
Environment-aware ransomware - malware could monitor data file usage and encrypt the types of files you use most
Target data and backups
Destroy X files per day if ransom not paid
More ransomware as a service
Insurance scam - create encrypted access to victim data as long as they keep paying
Lite encryption attack
    Only change some data in each file
    To avoid detection by file access activity
Host Mitigation to Block Flash Exploits

Enable Click to Activate for Flash Plugin

All modern web browsers allow you to disable Flash Player until the user clicks to play Flash content

Once enabled, the user will be prompted to activate Flash content such as a Flash video or a Flash banner ad

This effectively stops Flash exploits from automatically running when the page is loaded

The browser can be set to whitelist certain trusted websites so that Flash content runs automatically on page load
    Keep that list short: a whitelisted site that is later compromised (as the optometric site in the TeslaCrypt incident was) gets automatic Flash execution back
Host Mitigation to Block Javascript Downloaders

Change the Way Windows Opens Javascript Files

Some downloaders use JavaScript files to download ransomware

By changing the default program for .JS files to Notepad, the downloader can be defeated

By default, Windows runs .JS files stored on the hard drive using the Windows Scripting Host (wscript.exe or cscript.exe)

Since most users don't ever need to open JavaScript files, you can change the default program to handle .JS files to Notepad:

Right click on a .JS file, click on Open with | Choose another app | More apps ↓

Select Notepad and then turn on Always use this app to open .js files

Note that this doesn't disable the Windows Script Host, and it only covers the .JS extension: .JSE, .VBS and .WSF files keep their own default handlers, and a macro that launches a script by calling wscript.exe directly (as the Cerber macros described earlier do) is not affected

If you really need to run a JavaScript file, you can open a command prompt and run the script with: wscript filename.js
Host Mitigation to Block Ransomware

Using Canary Files to Detect Ransomware

File integrity monitoring (FIM) could be set up to monitor some directories containing random files with names that match those encrypted by ransomware

If the FIM detected the watched files were being altered or deleted, it could launch a script to determine what process was altering the files and kill it, as well as display a warning

This is what Anti Ransom does using procmon and file auditing:
http://www.security-projects.com/?Anti_Ransom

Since the order of encryption is randomized, there is no way to make the canary files be the first to be encrypted

When tested with CTB-Locker and CryptoWall, far fewer files were encrypted
	
  
	
  
Mitigation

Free Decryptors

Due to encryption flaws and some coding mistakes, security researchers have found ways to decrypt ransomed files for free for certain ransomware:

List of types of free decrypters
•  https://noransom.kaspersky.com/
•  Search for "<encrypted file extension> decrypt" on bleepingcomputer.com
•  Ex: .locky decrypt
•  http://blogs.cisco.com/security/talos/teslacrypt
•  http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/
Recommendations for Incident Response

Preparing for Ransomware Attacks:

Test backup/recovery plans
Patch Flash Player and set to auto update
Patch web server applications
Disable MS Office macros
Audit Group Policy (scheduled task creation, creation of GPOs that apply to machines)
Modify how Windows handles JavaScript files
Use File Integrity Monitoring on canary files
Use Click to Activate browser feature
Email gateway (block JS files inside .ZIP files)
Web gateway (block malicious downloads, block malvertising, block exploit kit URLs)
Deploy network IPS strategically
Segment networks
Use two-factor authentication for remote access (RDP, TeamViewer, VNC, etc.)
No shared passwords
 	
  
	
  	
Final Thoughts

•  Compliance doesn't equal security
•  Know your vulnerabilities
•  Get to know your network
•  Maintain a comprehensive security policy for central networks, systems and accounts, plus your suppliers', service providers' and partners' networks
•  Your extended network needs to maintain the same security controls and policies
•  Don't give up
      With proper planning, awareness, and execution of a security strategy, healthcare systems can be protected
•  6 out of 10 victim companies made security changes after a breach
•  So there is more that can be done
	
  

Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical DevicePriyanka Aash
 
Atc ny friday-talk_20080808
Atc ny friday-talk_20080808Atc ny friday-talk_20080808
Atc ny friday-talk_20080808Todd Deshane
 
Protecting Windows Networks From Malware 31 Jan09
Protecting Windows Networks From Malware 31 Jan09Protecting Windows Networks From Malware 31 Jan09
Protecting Windows Networks From Malware 31 Jan09technext1
 
Protecting Windows Networks From Malware
Protecting Windows Networks From MalwareProtecting Windows Networks From Malware
Protecting Windows Networks From MalwareRishu Mehra
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesBunmi Sowande
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionAlert Logic
 
Ransomware and email security ver - 1.3
Ransomware and email security   ver - 1.3Ransomware and email security   ver - 1.3
Ransomware and email security ver - 1.3Denise Bailey
 
Security and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges  Contributors Kim Wanders.docxSecurity and Ethical Challenges  Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docxedgar6wallace88877
 

Similar to Ransomware Threats to the Healthcare Industry (20)

NetWitness
NetWitnessNetWitness
NetWitness
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applications
 
Key Strategies to Address Rising Application Risk in Your Enterprise
Key Strategies to Address Rising Application Risk in Your EnterpriseKey Strategies to Address Rising Application Risk in Your Enterprise
Key Strategies to Address Rising Application Risk in Your Enterprise
 
Behind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsBehind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced Threats
 
The next generation of IT security
The next generation of IT securityThe next generation of IT security
The next generation of IT security
 
It's Your Move: The Changing Game of Endpoint Security
It's Your Move: The Changing Game of Endpoint SecurityIt's Your Move: The Changing Game of Endpoint Security
It's Your Move: The Changing Game of Endpoint Security
 
Cscu module 03 protecting systems using antiviruses
Cscu module 03 protecting systems using antivirusesCscu module 03 protecting systems using antiviruses
Cscu module 03 protecting systems using antiviruses
 
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUEScompTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical DeviceWireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
 
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical DeviceWireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device
 
Atc ny friday-talk_20080808
Atc ny friday-talk_20080808Atc ny friday-talk_20080808
Atc ny friday-talk_20080808
 
Protecting Windows Networks From Malware 31 Jan09
Protecting Windows Networks From Malware 31 Jan09Protecting Windows Networks From Malware 31 Jan09
Protecting Windows Networks From Malware 31 Jan09
 
Protecting Windows Networks From Malware
Protecting Windows Networks From MalwareProtecting Windows Networks From Malware
Protecting Windows Networks From Malware
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software Vulnerabilities
 
CCNAS Ch01
CCNAS Ch01 CCNAS Ch01
CCNAS Ch01
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
 
OS-Anatomy-Article
OS-Anatomy-ArticleOS-Anatomy-Article
OS-Anatomy-Article
 
Ransomware and email security ver - 1.3
Ransomware and email security   ver - 1.3Ransomware and email security   ver - 1.3
Ransomware and email security ver - 1.3
 
Security and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges  Contributors Kim Wanders.docxSecurity and Ethical Challenges  Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docx
 

Recently uploaded

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Recently uploaded (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Ransomware Threats to the Healthcare Industry

  • 1. Ransomware Threats to the Healthcare Industry
    Tim Gurganus, GCFA, CISSP
    Cisco Active Threat Analytics
    9/10/2016
    https://cisco.box.com/ransomware-healthcare-bsides.pdf
  • 2. Outline
    State of Infosec in Healthcare
    Healthcare network vulnerabilities
    General mass-distributed ransomware incidents
        Locky
        Cerber
        CryptXXX
        Exploit Kit attacks
        Attacks via Email
    Targeted Ransomware Incidents
        SamSam attacks
        How they break in
        Ransomware spreaders
    Ransomware - the next wave
    What to do - Recommendations for Prevention and Incident Response
  • 3. Healthcare & Technology
    Due to the rising cost of healthcare, healthcare is going through a transformation
    Healthcare is trying to figure out how to use technology (how to use big data? patient data?) to provide better care at a lower cost:
    EMR (electronic medical record) solutions are being rushed out
    Early adopters are implementing functional, reliable, but not security-hardened solutions
  • 4. State of Infosec in Healthcare
    50% of Cisco Active Threat Analytics healthcare customers had no IR plan and no IR team when monitoring began
    All customers had devices running on older versions of Windows, such as Windows XP
    50 types of devices on the average hospital network
    CIOs of hospitals have on average 100 - 200 active projects they are managing at once
        How can they see where to focus security improvements?
    90% of healthcare devices have no security features
        not designed for the data to go somewhere else - clinical data
  • 5. State of Infosec in Healthcare
    Many healthcare networks have the same enterprise vulnerabilities:
    - Use of shared passwords
    - Low use of encryption
    - Very little logging
    - Weak/flawed encryption in applications
    - Many untested/vulnerable apps with OWASP Top 10 vulnerabilities
    - Unpatched operating systems and applications
    - Still using devices/applications running on Windows XP
    - Some network devices don't use authentication
    - Flat networks with no segmentation
    - Low use of NAC - they don't know all the devices on their network
    - Decentralized IT support - Lab, Admin, Clinical, Building/Physical Security
  • 6. Ransomware Impact to Healthcare
    100% of Cisco ATA healthcare customers have had systems encrypted by ransomware
    Most common ransomware families were CryptoWall, TeslaCrypt and Locky
    Most common method of infection is web browser exploit via the Angler exploit kit
    Second most common method is malicious email attachment
    75% of medical institutions have been or believe they have been victims of ransomware attacks
    Healthcare is lagging in defense and protection from cyber attacks
    This puts PII and PHI at risk and makes healthcare a target for ransomware
  • 7. Ransomware Impact to Healthcare
    Locky Ransomware Distributed Via DOCM Attachments in Latest Email Campaigns
    Throughout August, FireEye Labs has observed a few massive email campaigns distributing Locky ransomware. The campaigns have affected various industries, with the healthcare industry being hit the hardest based on our telemetry, as seen in the figure below:
  • 8. Growth of Ransomware
    Cisco ATA
    December 2015: 17% of all malware payloads from exploit kits were ransomware
    May 2016: 61% of all malware payloads from exploit kits are ransomware
  • 9. Healthcare is a Target
    Typical Incident: TeslaCrypt ransomware installed by Angler Exploit Kit
    1. Hospital staffer browsed to: http://daytonoptometric.com/
       - The optometric website was compromised
       - The hacker had used a mass infection tool to change the website so every first-time visitor to the site was redirected to another compromised site: toegewijd-langle.christian-cook.co.uk
    2. toegewijd-langle.christian-cook.co.uk delivered a landing page for the Angler exploit kit to test if the target was vulnerable
    3. The target was running a gold image used by the hospital that included an old version of Flash Player
    4. The exploit kit detected the version of Flash and sent the appropriate version of the Flash exploit in an SWF file to exploit the target
    5. After the exploit succeeded, the target downloaded an EXE of the TeslaCrypt ransomware
  • 10. Healthcare is a Target
    TeslaCrypt ransomware installed by Angler Exploit Kit, cont.
    6. The TeslaCrypt ransomware installed and connected to its command and control server on another compromised host: http://tele-channel.com/wp-admin/maint/wcspng.php
    7. After receiving the encryption key, the ransomware began encrypting the file system of the hospital staffer's workstation
    Typical to find PCs in hospitals that are not up to date on patches
    Typical to find that the hospital has no patch management solution to install security patches in a timely manner
    Often 100s of applications need to be tested before patches can be distributed
    Most infections can be traced to clinical staff web browsing from a workstation that was missing Flash Player patches
    Some infections seem to come from hospital staff accessing personal email from clinical care networks
  • 11. Active Ransomware Families - CryptXXX Ransomware
    CryptXXX is believed to have been developed by the same group that wrote the Reveton ransomware
    CryptXXX is distributed via exploit kit and malicious email attachment
    On first launch, CryptXXX delays execution for 3721 seconds to avoid automated sandbox analysis
    CryptXXX has other anti-analysis functions such as:
        Checking the CPU name in the registry
        Monitoring for mouse events
    CryptXXX will encrypt files on the local drives as well as any mounted drives
    CryptXXX has functions for stealing bitcoin and credential data (such as passwords stored in browsers, FTP clients, email clients and IM clients)
  • 12. Active Ransomware Families - Cerber Ransomware
    Cerber is distributed via malicious email attachment and by exploit kit
    Example message subjects:
        Subject: Metus Corporation
        Subject: user@email.com has sent you a message
        Subject: user@email.com has sent you a file via WeTransfer
    Cerber attacks have been distributed using the Dridex botnet
    The file type of the attachment is typically MS Word DOC
    The Word macro typically builds a VBS script and launches it to download the Cerber executable
    The latest variants actually use the Microsoft BITS service for the download
    Some Cerber downloaders have the .RTF extension
    Some Cerber campaigns have used JavaScript downloaders in .ZIP file attachments
    Once Cerber starts running, it sends UDP packets to command and control servers in one of three ranges on UDP port 6892:
        31.184.234.0/24 or 31.184.235.0/24 or 85.93.0.0 - 85.93.43.138
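The UDP beacon pattern on this slide is a usable network detection. The following is an added example (not code from the talk) that encodes the three Cerber destination ranges and the UDP port listed above and runs them over constructed sample connection-log lines; the log line format and the `parse_line` helper are assumptions to adapt to your firewall or NetFlow export.

```python
"""Flag Cerber-style UDP beacons in connection logs.

Added example for this page, not code from the talk. The indicator set
(two /24 blocks, one start/end range, UDP port 6892) comes from the slide;
the log line format is a constructed assumption.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Indicator set from the slide: three ranges, all reached over UDP 6892.
CERBER_PORT = 6892
CERBER_NETS = [
    ipaddress.ip_network("31.184.234.0/24"),
    ipaddress.ip_network("31.184.235.0/24"),
]
# The third range is given as a start/end pair rather than a CIDR block.
CERBER_RANGE_START = ipaddress.ip_address("85.93.0.0")
CERBER_RANGE_END = ipaddress.ip_address("85.93.43.138")

# Constructed line format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>[A-Za-z]+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def is_cerber_c2(dst: str) -> bool:
    """True if dst falls inside any of the three Cerber C2 ranges (end inclusive)."""
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in CERBER_NETS):
        return True
    return CERBER_RANGE_START <= addr <= CERBER_RANGE_END


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for lines that don't match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].upper()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_cerber_beacons(lines: List[str]) -> List[dict]:
    """Return parsed records that are UDP, to port 6892, and inside a C2 range.

    Requiring all three conditions keeps the rule specific: the ranges also
    host unrelated services, and port 6892 on its own is not meaningful.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "UDP" and rec["dport"] == CERBER_PORT and is_cerber_c2(rec["dst"]):
            hits.append(rec)
    return hits


def beacon_spread(hits: List[dict]) -> Dict[str, int]:
    """Count distinct C2 destinations per internal source.

    Cerber sends to many addresses across the ranges rather than to one
    server, so a host reaching many addresses is a stronger signal than a
    single packet.
    """
    seen = defaultdict(set)
    for rec in hits:
        seen[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}


# Constructed sample log: 10.20.30.40 sprays the range, 10.20.30.41 does not.
SAMPLE_LOG = [
    "2016-09-10T10:01:02Z UDP 10.20.30.40:51234 -> 31.184.234.17:6892",
    "2016-09-10T10:01:02Z UDP 10.20.30.40:51234 -> 31.184.234.18:6892",
    "2016-09-10T10:01:02Z UDP 10.20.30.40:51234 -> 31.184.235.200:6892",
    "2016-09-10T10:01:03Z UDP 10.20.30.40:51234 -> 85.93.43.138:6892",  # last address of the range
    "2016-09-10T10:01:04Z UDP 10.20.30.41:51236 -> 85.93.43.139:6892",  # one past the range end
    "2016-09-10T10:01:05Z TCP 10.20.30.41:51237 -> 31.184.235.5:443",   # in range, wrong proto/port
    "2016-09-10T10:01:06Z UDP 10.20.30.41:51238 -> 8.8.8.8:53",         # ordinary DNS
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    beacons = find_cerber_beacons(SAMPLE_LOG)
    for src, count in beacon_spread(beacons).items():
        print(f"{src}: {count} distinct Cerber C2 destinations over UDP/{CERBER_PORT}")
```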
  • 13. Cisco  ATA   13   Ac>ve  Ransomware  Families  –  Locky  Ransomware   Delivered  via  email  aFachment  by  Dridex  botnet  only  on  weekdays     Locky  seems  to  target  business  email  addresses     Locky  uses  an  affiliate  model       Each  variant  has  an  affiliate  id  that  is  used  to  distribute  collected  ransoms     Locky  Ransomware  infec>ons  on  Day  0:                
  • 14. Ransomware  Propaga>on   None  of  the  mass  distributed  ransomware  have  spreader  func>ons  for    self  propaga>on     There  were  affiliates  of  CryptoWall  that  performed  targe>ng     In  some  cases  they  used  custom  made  builds  of  the  ransomware  that  were  not                  detected  by  an>virus  solware  due  to  their  low  circula>on       In  one  outbreak  of  Cryptowall,  the  ini>al  vic>m  was  compromised  with  a  password  stealer,  like                        Dridex  or  Zeus     Ransomware  was  spread  to  other  systems  within  the  same  Windows  domain  via  a  PSExec-­‐based                  worm     Other  network  spreaders  have  also  been  seen  found  in  incident  analysis  
  • 15. Targeted  Ransomware  AFacks   Aler  compromising  an  external  facing  server  in  the  hospital,  aFackers  deploy                    a  tool  to  harvest  Ac>ve  directory  details     A  list  of  target  systems  and  accounts  was  created  aler  mapping  the  network     Aler  encryp>on  is  complete,  the  ransomware  displays  the  ransom  note  and                    securely  deletes  itself     SAMSAM  –  aler  compromising  the  JBOSS  server,  the  memory  of  the  server  was   searched  for  AD  passwords  and  password  hashes   These  were  used  to  move  laterally   A  spreader  was  executed  on  machines  where  access  was  successful    
  • 16. Targeted  Ransomware  AFacks  -­‐  2   Each  machine  encrypted  had  a  ransom  of  1.5  bitcoin  to  purchase  the  decryp>on  u>lity     Analysis  of  the  bitcoin  accounts  indicated  ransoms  of  $7000  -­‐  $9000  had  been  paid                     The  incident  at  Hollywood  Presbyterian  Medical  Center  and  others  in  Germany  and   Australia  were  targeted  ransomware  aFacks        
  • 17. Targeted  Ransomware  Incident   Based  on  actual  incident:   •  Offsite  loca>on  reports  computer  problems  beginning  on  a  Sunday  night   •  370  applica>ons  running  at  that  loca>on  were  affected   •  Following  their  IR  plan,  a  mid-­‐level  director  was  involved  and  IR  ac>ons  were   ini>ated   •  The  situa>on  was  assessed  to  be  gerng  worse  into  Monday  morning   •  To  protect  systems  from  further  damage,  the  electronic  medical  records   system  (EMR)  was  shut  off   •  This  affected  the  en>re  hospital  network  and  impacted  pa>ent  care,  building   management  system,  ordering  supplies  and  equipment   •  In  all,  10  hospitals  and  300  loca>ons  were  affected    
  • 18. Targeted  Ransomware  Incident   Lesson  learned:   •  Some  type  of  ransomware  incident  is  an  eventuality,  so  plan  accordingly   •  Ransomware  incident  is  different  from  a  PHI  breach   •  Plan  to  have  a  down>me  Incident  Command  Center  that  works  to  coordinate  the  response   without  relying  on  computer  networks   •  Plan/rehearse  a  comprehensive  plan  for  when  all  applica>ons  are  unavailable  –  this  is   different  from  individual  plan  for  one  applica>on  failing   •  Include  a  communica>ons  plan  for  staff,  pa>ents  and  the  public                                          while  maintaining  compliance       •  Plan  for  a  marathon  of  recovery  ac>vity  (what  order  will  applica>ons  be  restored?    Can   addi>onal  staff  be  brought  in?)                                      In  72  hours,  essen>al  applica>ons  restored                                  Full  recovery  took  3  weeks  (how  to  enter  the  data  once  systems  are  restored?)   •  Plan  for  manual  record  keeping  and  pa>ent  care  for  an  extended  period  
  • 19. Breaking  in  via  HVAC  Controllers  and  Terminals   Cisco  ATA  has  seen  several  instances  of  HVAC  systems  compromised  via  RDP  dic>onary   aFack  and  then  used  to  spread  ransomware  inside  the  network     System  iden>fied  as  a  SIEMENS  HVAC  system  based  off  customer  inventory     In  one  incident,  vendor  support  staff  downloaded  ransomware  using  the  on-­‐site  terminal   for  the  HVAC  system   Impact  to  Hospital:     “Shutdown  of  system  would  result  in  loss   capability  to  remotely  monitoring  coolant   systems,  possibly  impac>ng  pa>ent  care.”    
  • 20. What  Could  be  Next?   En>re  hard  drive  encryp>on  -­‐  replace  MBR  ==  Petya   Chimera  ransomware  (not  ac>ve)  -­‐  threatened  to  leak  data  of  certain  types              Threaten  to  create  a  HIPAA  viola>on  for  ransom   Encryp>on  of  file  servers   Encryp>on  of  cloud  storages  that  is  mounted  as  a  UNC  path  or  drive  leFer   Environment  aware  ransomware  -­‐  Malware  could  monitor  data  File  usage  and  encrypt  types  of  files  you  use  most   Target  data  and  backups   Destroy  X  files  per  day,  if  ransom  not  paid   More  ransomware  as  a  service   Insurance  scam  -­‐  create  encrypted  access  to  vic>m  data  as  long  as  they  keep  paying   Lite  encryp>on  aFack      Only  change  some  data  in  each  file      To  avoid  detec>on  by  file  access  ac>vity        
  • 21. Host  Mi>ga>on  to  Block  Flash  Exploits     Enable  Click  to  Ac1vate  for  Flash  Plugin   All  modern  web  browsers  allow  you  to  disable  Flash  Player  un>l  the  user  clicks  to  play   Flash  content     Once  enabled,  the  User  will  be  prompted  to  ac>vate  an  Flash  Video  content:   This  effec>vely  stops   Flash  exploits  from   automa>cally  running   when  the  page  is   loaded  
  • 22. Host  Mi>ga>on  to  Block  Flash  Exploits     Enable  Click  to  Ac1vate  for  Flash  Plugin   All  modern  web  browsers  allow  you  to  disable  Flash  Player  un>l  the  user  clicks  to  play   Flash  content     Once  enabled,  the  User  will  be  prompted  to  ac>vate  an  Flash  Banner  Ad  content:   This  effec>vely  stops   Flash  exploits  from   automa>cally  running   when  the  page  is   loaded  
  • 23. Host  Mi>ga>on  to  Block  Flash  Exploits     Enable  Click  to  Ac1vate  for  Flash  Plugin   All  modern  web  browsers  allow  you  to  disable  Flash  Player  un>l  the  user  clicks  to  play   Flash  content     Once  enabled,  the  User  will  be  prompted  to  ac>vate  an  Flash  Banner  Ad  content:   This  effec>vely  stops  Flash   exploits  from  automa>cally   running  when  the  page  is  loaded     The  browser  can  be  set  to   whitelist  certain  trusted   websites  so  that  Flash  content   runs  automa>cally  on  page  load  
  • 24. Host  Mi>ga>on  to  Block  Javascript  Downloaders     Change  the  Way  Windows  Opens  Javascript  Files     Some  downloaders  use  Javascript  files  to  download  ransomware     By  changing  the  default  program  for  .JS  file  to  notepad,  the  downloader   can  be  defeated     By  default,  Windows  runs  .JS  files  stored  on  the  hard  drive  using  the   Windows  Scrip1ng  Host  (wscript.exe  or  cscript.exe)     Since  most  users  don’t  ever  need  to  open     Javascript  files,  you  can  change  the  default     program  to  handle  .JS  files  to  Notepad.        
  • 25. Host Mitigation to Block Javascript Downloaders: Change the Way Windows Opens Javascript Files
    Right-click on a .JS file, then click Open with | Choose another app | More apps.
  • 26. Host Mitigation to Block Javascript Downloaders: Change the Way Windows Opens Javascript Files
    Select Notepad and then turn on "Always use this app to open .js files". Note that this doesn't disable the Windows Script Host. If you really need to run a JavaScript file, you can open a command prompt and run the script with: wscript filename.js
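The same change, applied machine-wide from an elevated PowerShell session instead of through the Open with dialog, as an added example that is not part of the original deck. It assumes the stock JSFile ProgID layout under HKLM\SOFTWARE\Classes; the UserChoice key it checks is the per-user setting the dialog on slides 25-26 writes.

```powershell
# Added example (not from the slides): audit the machine-wide .JS handler and,
# if it still points at the Windows Script Host, repoint it at Notepad.
# Assumes the stock 'JSFile' ProgID under HKLM\SOFTWARE\Classes and an elevated
# session; 'wscript filename.js' from a command prompt keeps working afterwards.

function Get-JsHandler {
    # Resolve .js -> ProgID -> shell\open\command, the path Explorer takes on a double-click
    $progId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\.js').'(default)'
    $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    [pscustomobject]@{
        ProgId  = $progId
        Command = (Get-ItemProperty -Path $cmdKey).'(default)'
        Key     = $cmdKey
    }
}

function Set-JsHandlerToNotepad {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $h = Get-JsHandler
    if ($h.Command -notmatch '(?i)wscript|cscript') {
        Write-Host "Handler for .js is already '$($h.Command)'; nothing to do."
        return
    }
    # Expand SystemRoot now so the value works as a plain REG_SZ string
    $notepad = '"{0}\System32\notepad.exe" "%1"' -f $env:SystemRoot
    if ($PSCmdlet.ShouldProcess($h.Key, "Set default command to $notepad")) {
        Set-ItemProperty -Path $h.Key -Name '(default)' -Value $notepad
        Write-Host 'Double-clicked .js files will now open in Notepad.'
    }
}

function Test-JsUserChoiceOverride {
    # A per-user "Open with" choice (the GUI route on slides 25-26) lives in HKCU and
    # overrides the HKLM ProgID for that user, so report it when auditing a workstation.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\UserChoice'
    if (Test-Path $key) { (Get-ItemProperty -Path $key).ProgId } else { $null }
}

Get-JsHandler              # show the current state before changing anything
Test-JsUserChoiceOverride  # $null means no per-user override for this account
Set-JsHandlerToNotepad     # add -WhatIf to preview the registry write
```

Roll the same registry write out through Group Policy Preferences to cover every host rather than running it by hand.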
  • 27. Host Mitigation to Block Ransomware: Using Canary Files to Detect Ransomware
    File integrity monitoring (FIM) could be set up to monitor some directories containing random files with names that match those encrypted by ransomware. If the FIM detected the watched files being altered or deleted, it could launch a script to determine what process was altering the files and kill it, as well as display a warning. This is what AntiRansom does using procmon and file auditing: http://www.security-projects.com/?Anti_Ransom
  • 28. Host Mitigation to Block Ransomware: Detecting Ransomware Using Canary Files
    Since the order of encryption is randomized, there is no way to make the canary files the first to be encrypted. When tested with CTB-Locker and Cryptowall, far fewer files were encrypted.
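A minimal canary-file monitor of the kind slides 27 and 28 describe, written as an added example rather than taken from the deck or from AntiRansom. The directory, file names and extensions are assumptions; it logs and warns on any change, rename or deletion but leaves identifying and killing the writing process to tooling such as AntiRansom with procmon.

```powershell
# Added example (not from the slides or from AntiRansom): plant canary files with
# extensions ransomware typically encrypts and watch them with a FileSystemWatcher.
# Because encryption order is random (slide 28), plant many decoys across the
# directories you care about rather than one or two.
$CanaryDir  = 'C:\Users\Public\Documents\Archive'   # assumption: a folder users leave alone
$Extensions = '.docx', '.xlsx', '.pdf', '.jpg'      # decoy types targeted by common strains
$AlertLog   = Join-Path $env:ProgramData 'canary-alerts.log'

function New-CanaryFiles {
    param([string]$Dir, [string[]]$Exts, [int]$Count = 40)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $rng = [System.Random]::new()
    for ($i = 0; $i -lt $Count; $i++) {
        # Plausible names and random bytes so the decoys look like ordinary documents
        $path  = Join-Path $Dir ('invoice_{0:D3}{1}' -f $i, $Exts[$i % $Exts.Count])
        $bytes = New-Object byte[] 4096
        $rng.NextBytes($bytes)
        [System.IO.File]::WriteAllBytes($path, $bytes)
    }
}

function Start-CanaryWatch {
    param([string]$Dir, [string]$Log)
    $w = New-Object System.IO.FileSystemWatcher -ArgumentList $Dir
    $w.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
    $action = {
        # Any touch of a decoy is suspicious: nothing legitimate should write here
        $e   = $Event.SourceEventArgs
        $msg = '{0:o} CANARY {1}: {2}' -f (Get-Date), $e.ChangeType, $e.FullPath
        Write-Warning $msg
        Add-Content -Path $Event.MessageData -Value $msg
    }
    foreach ($name in 'Changed', 'Deleted', 'Renamed') {
        Register-ObjectEvent -InputObject $w -EventName $name -Action $action -MessageData $Log | Out-Null
    }
    $w.EnableRaisingEvents = $true
    return $w
}

New-CanaryFiles -Dir $CanaryDir -Exts $Extensions
$watcher = Start-CanaryWatch -Dir $CanaryDir -Log $AlertLog
# Keep the session alive so the event actions can run; stop with Ctrl+C.
while ($true) { Wait-Event -Timeout 60 | Out-Null }
```

Forward the alert log to your SIEM; a burst of Changed events followed by Renamed events on decoys is the pattern to alert on.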
  • 29. Mitigation: Free Decryptors
    Due to encryption flaws and some coding mistakes, security researchers have found ways to decrypt ransomed files for free for certain ransomware. Sources of free decryptors:
    • https://noransom.kaspersky.com/
    • Search for "<encrypted file extension> decrypt" on bleepingcomputer.com (e.g. ".locky decrypt")
    • http://blogs.cisco.com/security/talos/teslacrypt
    • http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/
  • 30. Recommendations for Incident Response: Preparing for Ransomware Attacks
    • Test backup/recovery plans
    • Patch Flash Player and set it to auto-update
    • Patch web server applications
    • Disable MS Office macros
    • Audit Group Policy (scheduled task creation, creation of GPOs that apply to machines)
    • Modify how Windows handles Javascript files
    • Use file integrity monitoring on canary files
    • Use the browser's Click to Activate feature
    • Email gateway: block JS files inside .ZIP files
    • Web gateway: block malicious downloads, block malvertising, block exploit kit URLs
    • Deploy network IPS strategically
    • Segment networks
    • Use two-factor authentication for remote access (RDP, TeamViewer, VNC, etc.)
    • No shared passwords
  • 31. Final Thoughts
    • Compliance doesn't equal security
    • Know your vulnerabilities
    • Get to know your network
    • Maintain a comprehensive security policy for central networks, systems and accounts, plus your suppliers', service providers' and partners' networks
    • Your extended network needs to maintain the same security controls and policies
    • Don't give up: with proper planning, awareness, and execution of a security strategy, healthcare systems can be protected
    • 6 out of 10 victim companies made security changes after a breach, so there is more that can be done