Ransomware Threats to the Healthcare Industry

1. Ransomware Threats to the Healthcare Industry
Tim Gurganus, GCFA, CISSP
Cisco Active Threat Analytics
9/10/2016
https://cisco.box.com/ransomware-healthcare-bsides.pdf
2. Outline
• State of Infosec in Healthcare
• Healthcare network vulnerabilities
• General mass distributed ransomware incidents
  – Locky
  – Cerber
  – CryptXXX
  – Exploit Kit attacks
  – Attacks via Email
• Targeted Ransomware Incidents
  – SamSam attacks
  – How they break in
  – Ransomware spreaders
• Ransomware - the next wave
• What to do - Recommendations for Prevention and Incident Response
3. Healthcare & Technology
Due to the cost of healthcare rising, healthcare is going through a transformation.
Healthcare is trying to figure out how to use technology (How to use big data? Patient data?) to provide better care at a lower cost:
• EMR (electronic medical record) solutions are being rushed out
• Early adopters are implementing functional, reliable, but not security hardened solutions
4. State of Infosec in Healthcare
• 50% of Cisco Active Threat Analytics healthcare customers had no IR plan and no IR team when monitoring began
• All customers had devices running on older versions of Windows, such as Windows XP
• 50 types of devices on the average hospital network
• CIOs of hospitals have on average 100 – 200 active projects they are managing at once. How can they see where to focus security improvements?
• 90% of healthcare devices have no security features; they were not designed for the data (clinical data) to go somewhere else
5. State of Infosec in Healthcare
Many healthcare networks have the same enterprise vulnerabilities:
– Use of shared passwords
– Low use of encryption
– Very little logging
– Weak/flawed encryption in applications
– Many untested/vulnerable apps with OWASP Top 10 vulnerabilities
– Unpatched operating systems and applications
– Still using devices/applications running on Windows XP
– Some network devices don't use authentication
– Flat networks with no segmentation
– Low use of NAC – they don't know all the devices on their network
– Decentralized IT support – Lab, Admin, Clinical, Building/Physical Security
6. Ransomware Impact to Healthcare
• 100% of Cisco ATA healthcare customers have had systems encrypted by ransomware
• Most common ransomware families were Cryptowall, Teslacrypt and Locky
• Most common method of infection is web browser exploit via Angler exploit kit
• Second most common method is malicious email attachment
• 75% of medical institutions have been or believe they have been victims of ransomware attacks
• Healthcare is lagging in defense and protection from cyber attacks
• This puts PII and PHI at risk and makes healthcare a target for ransomware
7. Ransomware Impact to Healthcare
Locky Ransomware Distributed Via DOCM Attachments in Latest Email Campaigns
"Throughout August, FireEye Labs has observed a few massive email campaigns distributing Locky ransomware. The campaigns have affected various industries, with the healthcare industry being hit the hardest based on our telemetry, as seen in figure below:"
8. Growth of Ransomware (Cisco ATA)
• December 2015: 17% of all malware payloads from exploit kits were ransomware
• May 2016: 61% of all malware payloads from exploit kits are ransomware
9. Healthcare is a Target
Typical Incident: TeslaCrypt ransomware installed by Angler Exploit Kit
1. Hospital staffer browsed to http://daytonoptometric.com/
   - The optometric website was compromised
   - The hacker had used a mass infection tool to change the website so every first-time visitor to the site was redirected to another compromised site: toegewijd-langle.christian-cook.co.uk
2. toegewijd-langle.christian-cook.co.uk delivered a landing page for the Angler exploit kit to test if the target was vulnerable
3. The target was running a Gold image used by the hospital that included an old version of Flash Player
4. The exploit kit detected the version of Flash and sent the appropriate version of the Flash exploit in an SWF file to exploit the target
5. After the exploit succeeded, the target downloaded an EXE of the Teslacrypt ransomware
10. Healthcare is a Target
TeslaCrypt ransomware installed by Angler Exploit Kit, cont.
6. The Teslacrypt ransomware installed and connected to its Command and Control server on another compromised host: http://tele-channel.com/wp-admin/maint/wcspng.php
7. After receiving the encryption key, the ransomware began encrypting the file system of the hospital staffer's workstation
• Typical to find PCs in hospitals that are not up to date on patches
• Typical to find that the hospital has no patch management solution to install security patches in a timely manner
• Often 100s of applications need to be tested before patches can be distributed
• Most infections can be traced to clinical staff web browsing from a workstation that was missing Flash Player patches
• Some infections seem to come from hospital staff accessing personal email from clinical care networks
11. Active Ransomware Families – CryptXXX Ransomware
• CryptXXX is believed to have been developed by the same group that wrote the Reveton ransomware
• CryptXXX is distributed via exploit kit and malicious email attachment
• On first launch, CryptXXX delays execution for 3721 seconds to avoid automated sandbox analysis
• CryptXXX has other anti-analysis functions such as: checking the CPU name in the registry; monitoring for mouse events
• CryptXXX will encrypt files on the local drives as well as any mounted drives
• CryptXXX has functions for stealing bitcoin and credential data (such as passwords stored in browsers, FTP clients, email clients and IM clients)
12. Active Ransomware Families – Cerber Ransomware
• Cerber is distributed via malicious email attachment and by exploit kit
• Example message subjects:
  Subject: Metus Corporation
  Subject: user@email.com has sent you a message
  Subject: user@email.com has sent you a file via WeTransfer
• Cerber attacks have been distributed using the Dridex botnet
• The file type of the attachment is typically MS Word DOC
• The Word macro typically builds a VBS script and launches it to download the Cerber executable
• The latest variants actually use the Microsoft BITS service for the download
• Some Cerber downloaders have the .RTF extension
• Some Cerber campaigns have used Javascript downloaders in .ZIP file attachments
• Once Cerber starts running, it sends UDP packets to command and control servers in one of three ranges on UDP 6892: 31.184.234.0/24 or 31.184.235.0/24 or 85.93.0.0 - 85.93.43.138
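As an added illustration that is not part of the deck, a small Python detector applies the Cerber beacon profile from this slide (UDP, the three address ranges, "U6892" read as destination port 6892) to flow records; the flow line format and the sample flows are constructed for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Cerber C2 ranges quoted on the slide. Two are CIDR blocks; the third is a
# start-end range, so it is compared as integers.
CERBER_CIDRS = [ipaddress.ip_network("31.184.234.0/24"),
                ipaddress.ip_network("31.184.235.0/24")]
CERBER_RANGE = (int(ipaddress.ip_address("85.93.0.0")),
                int(ipaddress.ip_address("85.93.43.138")))
CERBER_PORT = 6892


def is_cerber_c2(dst_ip: str, proto: str, dst_port: int) -> bool:
    """True when a flow matches the Cerber beacon profile from the slide."""
    if proto.upper() != "UDP" or dst_port != CERBER_PORT:
        return False
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in net for net in CERBER_CIDRS):
        return True
    return CERBER_RANGE[0] <= int(addr) <= CERBER_RANGE[1]


# Hypothetical flow record layout: "<timestamp> <src> <dst> <proto> <dport>"
FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\w+) (\d+)$")


def find_cerber_beacons(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, dst) for every flow that looks like a beacon."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than failing the run
        ts, src, dst, proto, dport = m.groups()
        if is_cerber_c2(dst, proto, int(dport)):
            hits.append((ts, src, dst))
    return hits


SAMPLE_FLOWS = [  # constructed for this example, not real telemetry
    "2016-09-10T08:01:02 10.20.5.17 31.184.234.77 UDP 6892",
    "2016-09-10T08:01:02 10.20.5.17 8.8.8.8 UDP 53",
    "2016-09-10T08:01:03 10.20.5.17 85.93.43.139 UDP 6892",  # one past range end
    "2016-09-10T08:01:04 10.20.5.42 85.93.12.1 UDP 6892",
    "2016-09-10T08:01:05 10.20.5.42 31.184.235.3 TCP 6892",  # TCP, not UDP
]

if __name__ == "__main__":
    for hit in find_cerber_beacons(SAMPLE_FLOWS):
        print("possible Cerber beacon:", hit)
```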
13. Active Ransomware Families – Locky Ransomware
• Delivered via email attachment by Dridex botnet, only on weekdays
• Locky seems to target business email addresses
• Locky uses an affiliate model. Each variant has an affiliate id that is used to distribute collected ransoms
• Locky ransomware infections on Day 0: (chart)
14. Ransomware Propagation
• None of the mass distributed ransomware have spreader functions for self propagation
• There were affiliates of CryptoWall that performed targeting. In some cases they used custom made builds of the ransomware that were not detected by antivirus software due to their low circulation
• In one outbreak of Cryptowall, the initial victim was compromised with a password stealer, like Dridex or Zeus. Ransomware was spread to other systems within the same Windows domain via a PSExec-based worm
• Other network spreaders have also been found in incident analysis
15. Targeted Ransomware Attacks
• After compromising an external facing server in the hospital, attackers deploy a tool to harvest Active Directory details
• A list of target systems and accounts was created after mapping the network
• After encryption is complete, the ransomware displays the ransom note and securely deletes itself
• SAMSAM – after compromising the JBOSS server, the memory of the server was searched for AD passwords and password hashes. These were used to move laterally. A spreader was executed on machines where access was successful
16. Targeted Ransomware Attacks - 2
• Each machine encrypted had a ransom of 1.5 bitcoin to purchase the decryption utility
• Analysis of the bitcoin accounts indicated ransoms of $7000 - $9000 had been paid
• The incident at Hollywood Presbyterian Medical Center and others in Germany and Australia were targeted ransomware attacks
17. Targeted Ransomware Incident
Based on actual incident:
• Offsite location reports computer problems beginning on a Sunday night
• 370 applications running at that location were affected
• Following their IR plan, a mid-level director was involved and IR actions were initiated
• The situation was assessed to be getting worse into Monday morning
• To protect systems from further damage, the electronic medical records system (EMR) was shut off
• This affected the entire hospital network and impacted patient care, the building management system, and ordering of supplies and equipment
• In all, 10 hospitals and 300 locations were affected
18. Targeted Ransomware Incident
Lessons learned:
• Some type of ransomware incident is an eventuality, so plan accordingly
• A ransomware incident is different from a PHI breach
• Plan to have a downtime Incident Command Center that works to coordinate the response without relying on computer networks
• Plan/rehearse a comprehensive plan for when all applications are unavailable – this is different from an individual plan for one application failing
• Include a communications plan for staff, patients and the public while maintaining compliance
• Plan for a marathon of recovery activity (what order will applications be restored? Can additional staff be brought in?). In 72 hours, essential applications were restored. Full recovery took 3 weeks (how to enter the data once systems are restored?)
• Plan for manual record keeping and patient care for an extended period
19. Breaking in via HVAC Controllers and Terminals
• Cisco ATA has seen several instances of HVAC systems compromised via RDP dictionary attack and then used to spread ransomware inside the network
• System identified as a SIEMENS HVAC system based off customer inventory
• In one incident, vendor support staff downloaded ransomware using the on-site terminal for the HVAC system
• Impact to hospital: "Shutdown of system would result in loss capability to remotely monitoring coolant systems, possibly impacting patient care."
20. What Could be Next?
• Entire hard drive encryption - replace MBR == Petya
• Chimera ransomware (not active) - threatened to leak data of certain types
• Threaten to create a HIPAA violation for ransom
• Encryption of file servers
• Encryption of cloud storage that is mounted as a UNC path or drive letter
• Environment aware ransomware - malware could monitor data file usage and encrypt the types of files you use most
• Target data and backups
• Destroy X files per day if ransom not paid
• More ransomware as a service
• Insurance scam - create encrypted access to victim data as long as they keep paying
• Lite encryption attack - only change some data in each file, to avoid detection by file access activity
21. Host Mitigation to Block Flash Exploits
Enable Click to Activate for Flash Plugin
• All modern web browsers allow you to disable Flash Player until the user clicks to play Flash content
• Once enabled, the user will be prompted to activate Flash video content: (screenshot)
• This effectively stops Flash exploits from automatically running when the page is loaded
22–23. Host Mitigation to Block Flash Exploits (cont.)
Enable Click to Activate for Flash Plugin
• The same prompt appears for Flash banner ad content: (screenshot)
• The browser can be set to whitelist certain trusted websites so that Flash content runs automatically on page load
24. Host Mitigation to Block Javascript Downloaders
Change the Way Windows Opens Javascript Files
• Some downloaders use Javascript files to download ransomware
• By changing the default program for .JS files to Notepad, the downloader can be defeated
• By default, Windows runs .JS files stored on the hard drive using the Windows Scripting Host (wscript.exe or cscript.exe)
• Since most users don't ever need to open Javascript files, you can change the default program to handle .JS files to Notepad.
25. Host Mitigation to Block Javascript Downloaders
Change the Way Windows Opens Javascript Files
Right click on a .JS file, then click on Open with | Choose another app | More apps ↓
26. Host Mitigation to Block Javascript Downloaders
Change the Way Windows Opens Javascript Files
Select Notepad and then turn on "Always use this app to open .js files":
Note that this doesn't disable the Windows Script Host. If you really need to run a JavaScript file, you can open a command prompt and run the script with:
wscript filename.js
27. Host Mitigation to Block Ransomware
Using Canary Files to Detect Ransomware
• File integrity monitoring (FIM) could be set up to monitor some directories containing random files with names that match those encrypted by ransomware
• If the FIM detected the watched files were being altered or deleted, it could launch a script to determine what process was altering the files and kill it, as well as display a warning
• This is what AntiRansom does using procmon and file auditing: http://www.security-projects.com/?Anti_Ransom
28. Host Mitigation to Block Ransomware
Detecting Ransomware Using Canary Files
• Since the order of encryption is randomized, there is no way to make the canary files be the first to be encrypted
• When tested with CTB-Locker and Cryptowall, far fewer files were encrypted
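An added Python example, not from the deck or the AntiRansom project, that implements the canary-file FIM check described on slides 27 and 28: random-content decoys are planted in several directories (because encryption order is randomized), hashed as a baseline, and re-checked for alteration, renaming or deletion. The decoy names, directory names and the tampering in demo() are constructed; identifying and stopping the writing process is OS-specific and not shown.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Decoy names use document and image extensions, the kinds of files the
# ransomware families on the slides encrypt (names chosen for this example).
CANARY_NAMES = ["budget.xlsx", "notes.docx", "scan.pdf", "photo.jpg"]


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(directories: List[Path]) -> Dict[str, str]:
    """Write random-content decoys into each directory; return {path: sha256}.

    Spreading decoys across several directories raises the odds that one is
    touched early, since no single canary can be made the first encrypted."""
    baseline: Dict[str, str] = {}
    for directory in directories:
        directory.mkdir(parents=True, exist_ok=True)
        for name in CANARY_NAMES:
            path = directory / name
            path.write_bytes(os.urandom(2048))  # random bytes, as the slide says
            baseline[str(path)] = _sha256(path)
    return baseline


def check_canaries(baseline: Dict[str, str]) -> List[str]:
    """Return canary paths altered, renamed or deleted since the baseline.

    A FIM would call this on a timer or on file-change events and then raise
    the warning and hunt the writing process (not portable, so omitted)."""
    return [p for p, digest in baseline.items()
            if not Path(p).exists() or _sha256(Path(p)) != digest]


def demo() -> List[str]:
    """Hypothetical run: two decoys in a temp tree are overwritten / renamed."""
    root = Path(tempfile.mkdtemp(prefix="canary_"))
    baseline = plant_canaries([root / "finance", root / "scans"])
    assert check_canaries(baseline) == []  # clean right after planting
    (root / "finance" / "budget.xlsx").write_bytes(b"ciphertext")  # overwritten
    (root / "scans" / "scan.pdf").rename(root / "scans" / "scan.pdf.locky")
    return sorted(Path(p).name for p in check_canaries(baseline))


if __name__ == "__main__":
    print("tampered canaries:", demo())
```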
29. Mitigation: Free Decryptors
Due to encryption flaws and some coding mistakes, security researchers have found ways to decrypt ransomed files for free for certain ransomware:
List of types of free decrypters
• https://noransom.kaspersky.com/
• Search for "<encrypted file extension> decrypt" on bleepingcomputer.com. Ex: ".locky decrypt"
• http://blogs.cisco.com/security/talos/teslacrypt
• http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/
30. Recommendations for Incident Response
Preparing for Ransomware Attacks:
• Test backup/recovery plans
• Patch Flash Player and set to auto update
• Patch web server applications
• Disable MS Office macros
• Audit Group Policy (scheduled task creation, creation of GPOs that apply to machines)
• Modify how Windows handles Javascript files
• Use File Integrity Monitoring on canary files
• Use Click to Activate browser feature
• Email gateway (block JS files inside .ZIP files)
• Web gateway (block malicious downloads, block malvertising, block exploit kit URLs)
• Deploy network IPS strategically
• Segment networks
• Use two factor authentication for remote access (RDP, Teamviewer, VNC, etc)
• No shared passwords
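For the email gateway recommendation above (block JS files inside .ZIP files), an added Python example that is not the deck's own tooling: it inspects a ZIP attachment for script members, catching double extensions such as invoice.pdf.js and archives nested inside archives. The extension list beyond .js, the nesting and size limits, and the sample archives are assumptions constructed here.

```python
import io
import zipfile
from typing import Dict, List

# Extensions the Windows Script Host or the shell executes on double-click.
# The slide names .JS; the others are added here as a generalization.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
MAX_NESTING = 3            # bound recursion so nested archives cannot stall the gateway
MAX_MEMBER_BYTES = 5_000_000  # do not inflate oversized inner archives


def find_script_members(data: bytes, depth: int = 0) -> List[str]:
    """List archive members (nested ones as outer!inner) that are scripts."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a ZIP at all; other gateway rules handle that
    found: List[str] = []
    for info in zf.infolist():
        lower = info.filename.lower()
        if lower.endswith(SCRIPT_EXTS):  # endswith also catches "invoice.pdf.js"
            found.append(info.filename)
        elif (lower.endswith(".zip") and depth < MAX_NESTING
              and info.file_size <= MAX_MEMBER_BYTES):
            inner = find_script_members(zf.read(info), depth + 1)
            found.extend(f"{info.filename}!{name}" for name in inner)
    return found


def should_block(attachment: bytes) -> bool:
    """Gateway decision for a .ZIP attachment: block if any script is inside."""
    return bool(find_script_members(attachment))


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Construct a sample attachment in memory (for this example only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples; member bodies are placeholders, not downloader code.
BENIGN = build_zip({"report.pdf": b"%PDF-1.4 placeholder"})
DOUBLE_EXT = build_zip({"invoice_2016.pdf.js": b"// placeholder"})
NESTED = build_zip({"docs.zip": build_zip({"scan.js": b"// placeholder"})})

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("double-ext", DOUBLE_EXT), ("nested", NESTED)]:
        print(label, "block" if should_block(blob) else "allow", find_script_members(blob))
```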
31. Final Thoughts
• Compliance doesn't equal security
• Know your vulnerabilities
• Get to know your network
• Maintain a comprehensive security policy for central networks, systems and accounts plus your suppliers', service providers' and partners' networks
• Your extended network needs to maintain the same security controls and policies
• Don't give up. With proper planning, awareness, and execution of a security strategy, healthcare systems can be protected
• 6 out of 10 victim companies made security changes after a breach
• So there is more that can be done