Petronella Blog Archive

Ransomware's Latest Trend: Hospitals

Ransomware attacks, in which criminals take over an organization's systems, encrypt its files and hold them hostage until a ransom is paid, are not new; they have been around for at least a decade. Deliberately targeting hospitals and other health care facilities, however, is a newer development, and it is happening more often.

When you think about it, why wouldn't cyber criminals go after hospitals? They are the perfect target for extortionists. Hospitals provide critical emergency care, and that care depends on current patient records: doctors and nurses cannot safely make decisions about surgery, prescriptions or any other treatment without up-to-date medical history. Losing access to that information delays patient care, which can lead to preventable deaths and expose the hospital to lawsuits. Consequently, hospitals are far more likely than most organizations to pay a ransom to regain access to their systems, which is even more worrying because, on the whole, hospitals have not put much emphasis on cyber security or on training employees to recognize threats.

Within the last month alone, there have been several high-profile ransomware attacks on hospitals. Hollywood Presbyterian Medical Center in Los Angeles was locked out of its systems for about a week by an attack reported to involve the Locky strain of malware; it ultimately paid the attackers roughly $17,000 in Bitcoin to regain access. MedStar Health in the Washington DC area had to shut down large parts of its network, preventing employees from accessing email or patient records and crippling the 10 hospitals and 250 outpatient facilities that operate under its umbrella.

Originating in Eastern Europe, ransomware first started appearing around 2005 and has remained an ever-growing threat because, quite simply, it works. An attack typically begins with a phishing email that carries the malware as an attachment, or links to a web page that downloads it onto the victim's computer; some criminals instead use malvertising, placing compromised banner ads on legitimate websites. Early variants simply locked the victim out of the desktop or keyboard, but with the advent of crypto-ransomware, which encrypts the files on a computer with a key that only the criminal holds, the threat reached a new level. In 2014, the operators of the CryptoLocker ransomware took in around $27 million in just six months from victims who inadvertently ran the malware.

In the past few months, we have seen cybercriminals attempting to lock users out of whole systems rather than individual computers by going after the file servers that hold shared data. Some families, Locky among them, also seek out backup data and either encrypt or delete it (Locky, for example, deletes Windows Volume Shadow Copies on the infected machine) so that victims cannot restore lost data without paying the ransom.

The FBI issues periodic warnings about growing ransomware activity, most recently covering the MSIL/Samas and Locky families. Locky arrives through scattershot phishing emails, usually a Word attachment whose macro downloads the payload, and once it runs it encrypts every file it can reach, including network shares the victim's account can write to, even shares that are not mapped as drive letters. Samas-style campaigns are different: rather than waiting for a victim to open an attachment, the attackers break into an exposed server (the 2016 campaign exploited unpatched JBoss application servers), move laterally across the network with harvested credentials and administrative tools, and only then deploy the ransomware to the systems that matter most. They do not need to encrypt every server, just the file-sharing and application servers the organization cannot function without.

Unfortunately, as was the case with the attack on MedStar, the best response is very often to shut down the network to stop the infection from spreading. For a hospital, that can mean going back to paper for all of its scheduling and communications, which in turn delays patients' access to surgery and other care.

Aside from disconnecting infected systems from the network, victims should also disable Wi-Fi and Bluetooth on those machines and unplug any external hard drives or thumb drives, since anything still attached and writable will be encrypted as well.

In some cases, knowing the type of ransomware helps: a few families have implementation flaws for which free decryption tools exist. Typically, though, the only options are to restore lost data from backups or to pay the ransom. The fact that there are so few options just underlines how important it is for hospitals to have a strong backup and recovery system, and one whose copies are kept offline or otherwise unreachable from ordinary user accounts, because a backup that the ransomware can reach will simply be encrypted along with everything else.
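The two points above, that ransomware will encrypt or delete any backup it can reach and that recovery depends on having a backup you can trust, suggest a simple control: record a hash manifest of each backup set while it is known good and re-verify it before you rely on it. The following is an added example written for this post, not code from the original post or from any vendor; the file names, the list of ransomware extensions and the entropy threshold are assumptions chosen for illustration.

```python
"""Backup-set integrity check (added example; not code from the original post).

Records a SHA-256 manifest of a backup tree while it is known good, then
re-checks the tree and reports files that are missing, files whose hash
changed, and files that look encrypted (a ransomware-style extension, or
leading bytes that are near-random).  File names, the extension list and the
entropy threshold are assumptions chosen for illustration.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter

# Extensions appended to encrypted files by some 2016-era families (Locky
# used .locky and later .zepto).  Illustrative; extend for your environment.
RANSOM_EXTENSIONS = {".locky", ".zepto", ".encrypted", ".crypt"}

# Shannon entropy (bits per byte) above which data looks encrypted or
# compressed.  Assumed threshold: plain text sits around 4-5, random bytes
# near 8.  Legitimate compressed archives also score high, so treat this as
# a signal to investigate, not a verdict.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_backup(root, manifest, sample_bytes=4096):
    """Compare the tree under root with a known-good manifest.

    Returns missing files, files whose content changed, and files that look
    like ransomware output: new files carrying a ransom extension, or changed
    files whose first bytes have high entropy.
    """
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    suspicious = set()
    for rel in set(current) - set(manifest):          # new files
        if os.path.splitext(rel)[1].lower() in RANSOM_EXTENSIONS:
            suspicious.add(rel)
    for rel in modified:
        with open(os.path.join(root, rel), "rb") as f:
            if shannon_entropy(f.read(sample_bytes)) > ENTROPY_THRESHOLD:
                suspicious.add(rel)
    return {"missing": missing, "modified": modified, "suspicious": sorted(suspicious)}


def demo():
    """Build a small constructed backup tree, record it, simulate what
    Locky-style ransomware does to it, and return the verification report."""
    root = tempfile.mkdtemp(prefix="backup-")
    files = {                                   # constructed sample data
        "patients.csv": b"mrn,name,ward\n1001,Doe,ICU\n" * 200,
        "schedule.db": b"SQLite format 3\x00" + b"\x00" * 512,
        "readme.txt": b"Nightly backup set, do not edit.\n",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(root)             # taken while the set is known good

    # Simulated attack: one file encrypted in place, one deleted, one
    # encrypted copy dropped with the .locky extension, one benign edit.
    with open(os.path.join(root, "patients.csv"), "wb") as f:
        f.write(os.urandom(4096))
    os.remove(os.path.join(root, "schedule.db"))
    with open(os.path.join(root, "readme.txt.locky"), "wb") as f:
        f.write(os.urandom(1024))
    with open(os.path.join(root, "readme.txt"), "ab") as f:
        f.write(b"benign edit\n")

    return verify_backup(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself must live somewhere the backup service account cannot write, or the attacker who encrypts the backups can rewrite it too; in practice that means a separate, read-only store, and the verification job should run before every restore and on a schedule, not only after an incident.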

There are several things hospitals can do to better protect themselves against ransomware attacks. First, configure the mail gateway to block attachment types commonly used to deliver malware, such as .zip archives, executables and macro-enabled Office documents; blocking by file extension alone is a weak filter, so the gateway should also look inside archives and at the actual file type rather than the name. Second, to prevent malware from installing in the first place, use application whitelisting (on Windows, AppLocker or Software Restriction Policies): each machine is inventoried to list its approved applications, and any other executable is blocked from running. The time and effort involved is what usually stops organizations from doing it. Third, restrict user access. Every employee does not need access to every file, so give each group write access only to the shares it needs and segment the network so that one infected workstation cannot reach every server; ransomware can only encrypt what the logged-in account is allowed to write, so if one section is attacked the infection does not spread to everyone else.
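The first recommendation above, blocking dangerous attachments at the mail gateway, is the one most often implemented as a bare extension deny-list, which is exactly what a renamed payload or a macro document slips past. The following is an added example written for this post, not the original author's code and not any mail product's policy language; it shows the checks a practitioner would actually want, run over constructed sample messages. The extension lists, addresses and sample files are assumptions.

```python
"""Mail-gateway attachment policy (added example; not code from the original
post).  Parses an RFC 822 message and decides whether to quarantine it,
extending the post's '.zip blocking' advice with checks that matter in
practice: executable extensions (including double extensions such as
invoice.pdf.exe), archives that contain executables or scripts, Office
documents carrying a VBA macro project, and zip containers disguised under
another extension.  Lists, addresses and samples are constructed for illustration.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute or script when opened.  Illustrative.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".jar"}
ARCHIVE_EXTENSIONS = {".zip"}
# Office Open XML formats are zip containers; macro-enabled ones carry a
# vbaProject.bin member (word/, xl/ or ppt/) inside.
OFFICE_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
ZIP_MAGIC = b"PK\x03\x04"


def extension(name):
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data):
    """Reasons found inside a zip container (archive or Office document)."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if extension(member) in EXEC_EXTENSIONS:
                    reasons.append(f"archive contains executable {member}")
                if member.lower().endswith("vbaproject.bin"):
                    reasons.append("document contains a VBA macro project")
    except zipfile.BadZipFile:
        reasons.append("zip container is corrupt")
    return reasons


def inspect_attachment(filename, data):
    reasons = []
    ext = extension(filename)
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable attachment {filename}")
    if data.startswith(ZIP_MAGIC):
        # Look inside regardless of the claimed name: .docx, .docm and .zip
        # are all zip containers, and attackers rename freely.
        reasons.extend(inspect_zip(data))
        if ext not in ARCHIVE_EXTENSIONS | OFFICE_EXTENSIONS:
            reasons.append(f"{filename} is a zip container disguised as {ext or 'no extension'}")
    elif ext in ARCHIVE_EXTENSIONS:
        reasons.append(f"{filename} claims to be a zip but is not one")
    return reasons


def check_message(raw):
    """Return {'quarantine': bool, 'reasons': [...]} for a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reasons.extend(inspect_attachment(part.get_filename(), data))
    return {"quarantine": bool(reasons), "reasons": reasons}


def _zip_with(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _message(filename, data):
    msg = EmailMessage()                        # constructed sample message
    msg["From"] = "billing@example.invalid"
    msg["To"] = "records@hospital.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def sample_messages():
    """Constructed samples: four that should be quarantined, two that should pass."""
    return {
        "macro_doc": _message("invoice.docm", _zip_with({
            "[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>",
            "word/vbaProject.bin": b"\x00fake-vba"})),
        "zip_with_script": _message("invoice.zip", _zip_with({"invoice.js": "// dropper"})),
        "double_extension": _message("invoice.pdf.exe", b"MZ\x90\x00"),
        "disguised_zip": _message("scan.pdf", _zip_with({"setup.exe": b"MZ"})),
        "clean_docx": _message("referral.docx", _zip_with({
            "[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})),
        "clean_text": _message("notes.txt", b"Patient transport at 14:00\n"),
    }


if __name__ == "__main__":
    for name, raw in sample_messages().items():
        print(name, check_message(raw))
```

The macro check is the one that matters most for Locky-style campaigns: the malicious document is a perfectly ordinary .docm (or a renamed .doc) that no extension list will stop, but the presence of a VBA project in a document from an outside sender is a strong enough signal to hold the message for review. Nested archives, password-protected zips and legacy binary .doc files need further handling that this example does not attempt.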

However, the most important thing hospitals can do to protect themselves from malware is to train their employees. Sending out monthly simulated phishing emails alone can dramatically reduce the likelihood of users being fooled by a real one. Attackers want to get in and get out quickly, so making your network difficult to penetrate is key: criminals looking to make a quick buck will not think it is worth the effort to attack your systems when they can find an easier score somewhere else.