It is a fact that most ransomware attacks take place in the U.S., and healthcare organizations and local governments are the apparent favorite targets among hackers. About 24% of attacks so far in 2018 have been healthcare ransomware attacks, but why healthcare draws that share is unknown. I suggest that hackers may believe these targets are more likely to pay the ransom, have weaker security and response capabilities to begin with, or, if the ransom attempt fails, offer protected health information to steal as a “plan B”.

Protected Health Information sells on the dark market for $300 – $500 per record, largely because the information is permanent and can be reused for further theft and fraud.

In my previous blog posts “Personal Health Information (PHI) Breaches – The Last 8 Years” and “Healthcare – Data Breaches on the Rise?”, I analyzed the rising trend of healthcare attacks and predicted that 2018 would set the historical high for breached health records. I fear my predictions will prove correct, likely because of the increased use of APT techniques and healthcare ransomware attacks.

A favorite tactic of the SamSam group in particular is to gain access to an organization’s network and sit dormant for a period of time (hours, days or even weeks). This most closely resembles the Advanced Persistent Threat (APT) phenomenon, in which bad-actors gain access to low-level user accounts and perform extensive reconnaissance and privileged-account take-over attempts, while also encrypting as many systems as possible ahead of making a ransom demand.

In one attack last February, the attackers stayed quiet for about 10 days once inside the victim’s network before encrypting hundreds of computers. Microsoft correctly states that sophisticated bad-actors can remain dormant (hiding in plain sight) for as many as 200 days while they carry out reconnaissance, privilege-elevation attempts and other nefarious actions. They often behave like other users in the network, making their activity appear legitimate.

The key to tackling healthcare ransomware attacks is to become better in the following areas:

  • Apply behavioral analytics to tell normal user behavior from abnormal behavior, including impossible travel, abnormal account login and activity, and anonymized access. Apply conditional multi-factor authentication to treat these conditions.
  • Apply multi-factor authentication across your enterprise. Period. If you don’t want to burden your users with it on every access, make it conditional.
  • Institute employee anti-phishing training. Since over 80% of all attacks (including ransomware) originate “within the network”, typically via phishing, all of your users need to be part of the solution rather than part of the problem. Teach them how to detect phishing as far as possible. You likely cannot filter every phishing attack, because they are becoming ever more convincing; hence your employees can be a key asset in fighting the phishing that leads to ransomware, data theft and more.
  • Adopt the zero-trust model over the traditional but antiquated “trusted zones” model. The firewall has been relied upon far too much to keep clever bad actors out. Firewalls do work to guard the perimeter, but once inside the “trusted zone” (via phishing or another approach that circumvents the perimeter), bad actors can do pretty much what they want. Zero trust greatly improves your ability to secure your users and data by shifting protection from “the network” to “the identity”.
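To make the first two points concrete, here is an added example (not code from the original post) of the behavioral checks it names, run over a constructed batch of sign-in records. It flags impossible travel (consecutive sign-ins by one user whose implied speed exceeds an airline), abnormal login hours, and access from a known anonymizing source, and tags every hit with the conditional response the post recommends: step-up MFA. The record layout, the 900 km/h and 50 km thresholds, the 06:00–20:00 UTC working window, and the anonymizer flag are all assumptions for the example.

```python
"""Flag the sign-in conditions named above (impossible travel, abnormal login
hour, anonymized access) over constructed sign-in records and mark each hit
for conditional (step-up) MFA.  Added example; the records, thresholds and
field layout are assumptions, not data from the post."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in records (CSV, one event per line):
# timestamp_utc,user,source_ip,latitude,longitude,anonymizer(1 = known VPN/Tor exit)
SAMPLE_LOGINS = """\
2018-03-01T08:00:00Z,jdoe,203.0.113.10,41.88,-87.63,0
2018-03-01T08:45:00Z,jdoe,198.51.100.7,51.51,-0.13,0
2018-03-01T09:00:00Z,asmith,192.0.2.44,40.71,-74.01,0
2018-03-01T09:05:00Z,asmith,192.0.2.44,40.71,-74.01,0
2018-03-02T02:30:00Z,asmith,203.0.113.99,40.73,-74.00,1
"""

EARTH_RADIUS_KM = 6371.0


@dataclass
class Login:
    ts: datetime
    user: str
    ip: str
    lat: float
    lon: float
    anonymizer: bool


def parse_logins(text: str) -> list[Login]:
    """Parse the CSV layout above; rows are returned in timestamp order."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, ip, lat, lon, anon = line.split(",")
        rows.append(Login(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            user=user, ip=ip, lat=float(lat), lon=float(lon), anonymizer=anon == "1"))
    return sorted(rows, key=lambda r: r.ts)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_anomalies(text: str, max_speed_kmh: float = 900.0, min_travel_km: float = 50.0,
                     business_hours: tuple[int, int] = (6, 20)) -> list[dict]:
    """Return one alert dict per suspicious condition.  Every alert carries the
    same response the post recommends: step-up (conditional) MFA for that user."""
    alerts: list[dict] = []
    last_seen: dict[str, Login] = {}
    for ev in parse_logins(text):
        reasons = []
        prev = last_seen.get(ev.user)
        if prev is not None:
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # Impossible travel: two distant sign-ins at the same instant, or an
            # implied speed no airline passenger could manage.  Small distances
            # (geo-IP jitter inside one city) are ignored via min_travel_km.
            if dist > min_travel_km and (hours == 0 or dist / hours > max_speed_kmh):
                reasons.append(f"impossible_travel: {dist:.0f} km in {hours:.2f} h")
        # Abnormal login hour: outside the (assumed) working window, in UTC.
        if not (business_hours[0] <= ev.ts.hour < business_hours[1]):
            reasons.append(f"abnormal_hour: {ev.ts.hour:02d}:00 UTC")
        # Anonymized access: source IP is a known VPN/Tor exit in our (assumed) feed.
        if ev.anonymizer:
            reasons.append(f"anonymized_access: {ev.ip}")
        for reason in reasons:
            alerts.append({"user": ev.user, "time": ev.ts.isoformat(),
                           "reason": reason, "action": "step_up_mfa"})
        last_seen[ev.user] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOGINS):
        print(alert)
```

On the sample data the Chicago-to-London pair 45 minutes apart trips the impossible-travel rule for jdoe, while asmith's two same-office sign-ins are quiet and only the 02:30 UTC sign-in from the anonymizer raises alerts. In production the geolocation and anonymizer lookups would come from your identity provider or a threat-intel feed, and the "action" field is what a conditional-access policy would consume to demand a second factor rather than block outright.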

I hope this post has been informative and the tips helpful.

Till next time,