Getty Images

Required Actions to Prevent Common Ransomware Exploits, Access Points

Healthcare is leaving out the proverbial welcome mat for hackers, failing to address key vulnerable endpoints, which later become top access points and exploits for ransomware attacks.

Threat actors have made it clear: healthcare will remain a prime target for ransomware attacks, extortion demands, phishing, and whatever nefarious scheme they can use to ensure a successful payday. But just what makes the healthcare sector rife for attacks? And what prevention steps are needed to close off the flow of attacks?

Currently, the healthcare sector is dealing with a wave of imminent cyberattacks, with four providers continuing to operate under EHR downtime procedures after falling victim to ransomware. The joint alert from the FBI and Departments of Homeland Security and Health and Human Services warned providers must be on alert and quickly take steps to prevent falling victim. 

Many outlets have raised the alarm on ransomware, noting the sophistication of attacks and its impact on patient care. Concernedly, however, there are serious similarities between the industry’s response to the latest alert to the initial launch of ransomware attacks on healthcare in 2016. 

A massive ransomware attack hit Hollywood Presbyterian Medical Center in February of that year, which drove hospital workers into EHR downtime procedures. The provider negotiated with the attackers and ended up paying only $17,000 of the initial ransom demand, but the hospital remained in downtime for several days in the wake of the attack. 

Similar attacks were launched in the weeks and months that followed, prompting agency alerts that encouraged victims not to pay ransom demands. While Hollywood Presbyterian was not the first ransomware attack launched on the sector, it did mark a definitive change in the healthcare threat landscape.  

By the end of 2016, the healthcare sector accounted for 88 percent of all ransomware detections across the United States. 

The parallel between these waves should prove concerning: Awareness around the severity of ransomware and the possible impact of cyberattacks has drastically improved across the sector. But what hasn’t changed is the use of legacy technology, failure to timely apply patches, and serious gaps in employee security training. 

As the latest Coveware research shows that at least 50 percent of all ransomware attacks result in data exfiltration and subsequent extortion attempts, healthcare providers must act immediately to resolve these issues. 

Most Common Ransomware Footholds, Security Gaps

While there are an increasing number of DHS and FBI alerts on the latest threats and vulnerabilities across all sectors, for healthcare, it seems email and humans continue to be the greatest vulnerabilities to enterprise networks. 

Sherrod DeGrippo, senior director of Threat Research and Detection for Proofpoint explained that while some ransomware actors gain initial access through a range of compromise vectors, email-based threats are the most common entry point in ransomware attacks on the sector. 

Meaning, ransomware is not the primary attack, rather, it’s the secondary payload. 

“Threat actors have been known to use loaders in malicious email campaigns that contain links that host malware or attachments with malware,” explained DeGrippo. 

“And once the first-stage downloader establishes an initial system foothold it can subsequently download additional payloads, such as ransomware, and send out system information to multiple command & control servers at the threat actor’s discretion,” she added. 

Tonia Dudley, security solutions advisor at Cofense, shared similar threat intelligence. Particularly, with the Ryuk ransomware variant, the operators will commonly wait until the preferred delivery mechanism is successfully deployed to its target, before the ransomware is deployed.

Prior to the prevalence of TrickBot, Ryuk was delivered via the trojan. However, Cofense research found Ryuk threat actors began to leverage the BazarBackdoor beginning in mid-September to gain a foothold onto a targeted network. The data mirrors a DHS Cyber Command report that revealed it had taken action to disrupt Trickbot, Dudley explained.

With the DHS efforts, Ryuk hackers simply shifted tactics to leverage BazarBackdoor, which has become the variant’s most predominant loader. The tool is a stealthy malware downloader used by the same group as TrickBot, she explained. 

“When it comes to threats we’re seeing in phishing emails, credential related messages are the top threat.”

“With lower confidence, we assess this wave of Ryuk activity may be, in part, in retaliation for September’s TrickBot disruptions,” Dudley noted. “Typically, emails designed to appear as internal business communications are sent to victims within an organization, often with relevant employee names or positions.” 

“These emails usually contain a link, most often to a Google Docs page, though other well-known file hosting platforms have been used as well,” she added. “The Google Docs page will then present a convincing image with another embedded link. This link is typically to a malicious executable hosted on a trusted platform such as Amazon AWS.” 

Given the chain of legitimate services, organizations may find it challenging to both detect and prevent these campaigns.

Social engineering is another common access point, according Matthew Gardiner, principal security strategist at Mimecast. The technique will typically leverage phishing emails that stress an important element to engage the user, which, if successful, will land the precursor – the trojan, bot, or other threat. 

And hackers have increasingly delivered ransomware through these email methods.  

Previous data from Corvus mirrored these findings and added that open ports are also being leveraged to deliver ransomware payloads. Although healthcare entities appear to have a smaller attack surface, open ports give attackers an easy exploit method. 

Providers that fail to manage vulnerable endpoints will find it difficult to monitor and defend against these attacks. 

Required Immediate Actions

Healthcare will always be a prime target for these attacks, due to its troves of sensitive, valuable information and its need for life-preserving medical systems used across the care continuum, explained Ryan Witt, healthcare practice leader at Proofpoint. But what needs to change, is the sector’s mismanagement on patching and failure to close security gaps.

Dudley added that organizations should also pay special heed to any indications of BazarBackdoor compromise.

“Regardless of whether recent activity is in retaliation against TrickBot's disruption, what is clear is that recent efforts by multiple parties to cripple TrickBot seem to have been effective in transitioning the Ryuk actors to leveraging BazarBackdoor,” said Dudley. 

“We must be mindful that there are past connections between TrickBot activity and Emotet,” she added. “While there is no direct evidence of current Emotet involvement in these campaigns, we cannot rule out future delivery of Ryuk via Emotet, given historical relationships between TrickBot and Emotet.” 

Further, it appears that the TrickBot infrastructure is in a restructuring phase, which means that the tool may once again become a delivery mechanism for Ryuk in the future. Dudley stressed that administrators must prioritize all three malware families when searching for indicators of compromise. 

And BazarBackdoor must receive the highest priority for detections into the foreseeable future.

Phishing education and awareness must also improve across the sector, and Dudley urged organizations to consider sending out phishing simulations aligned with current phishing campaigns. 

While those means are effective, the tactics leveraged in Ryuk campaigns lean highly on social engineering. As a result, healthcare organizations should employ other means to prevent falling victim to these highly customized attacks, including encouraging employees to report and flag potential phishing emails to the appropriate team.

“We believe a complete prohibition on the payment of demands is now necessary. If you stop the flow of cash, you’ll stop the attacks. It really is the only practical solution.”

As these messages are tailored to the recipients, it makes it hard for the user to detect. Dudley explained that the workforce can be trained to detect these messages by using images leveraged in real campaigns.

To Witt, healthcare entities should stop cyberattacks before they reach clinical teams to significantly reduce the security risk posed by these advanced threats. It begins with ensuring the organization is leveraging a dedicated advanced email security gateway with data loss prevention (DLP) protection. 

The tool is designed to prevent threats from reaching the healthcare workforce. Witt explained that the right platform will work within the email flow and “analyze suspicious and URLs using static and dynamic techniques across multiple stages of an attack.”  

“It’s also imperative that you have visibility into your most targeted people and an understanding regarding if, when, and how data is being exfiltrated,” he added. 

Nothing that about 30 percent of healthcare personnel operate in a third-party capacity, Witt noted that these users have a legitimate need to use non-hospital devices to access external browsers and email accounts. 

But those connections drastically increase the healthcare entity’s risk of exposure and potential data loss, he explained. To combat these risks, administrators must isolate browser and personal email sessions, which will prevent the deployment of malicious content from impacting the entire enterprise. 

“Most attacks require human interaction to be successful—and they are overwhelmingly aimed at specific people,” Witt said. “We recommend conducting continuous security awareness training for every employee and contractor with access to the system. This will help to empower employees and train them how to identify and report suspicious incidents.” 

Covered entities should also employ an email valid validation system known as Domain-based Message Authentication Reporting and Conformance (DMARC), which Witt said will help detect and prevent email spoofing and provide end-to-end protection. 

DMARC is designed to stop hackers from using sender addresses that appear to come from legitimate sources. Its use can significantly reduce email fraud risk, Witt added. 

Further, entities must ensure they have strong backups, stored in a separate, offline capacity and implement patches that will keep systems updated. Gardiner explained that most healthcare organizations fail to consistently apply patches. 

By aggressively improving vulnerability and patch management, an organization can drastically reduce the risk to the enterprise, Gardiner said. 

Further, entities must ensure they are not just fixing the incident. If an attacker has gained a foothold onto a network, simply eradicating the threat will not harden the attack surface. The vulnerability must also be remediated to prevent an attacker from exploiting the same flaw down the line.

“It’s imperative you have visibility into your most targeted people and an understanding regarding if, when, and how data is being exfiltrated.”

“Healthcare entities handle some of the most sensitive data and life-preserving medical systems often across a broad care collaboration ecosystem,” said Witt. “A compromise to these systems is a patient safety issue, so security must now extend beyond the hospital’s natural borders as well, especially with email, social media, and a multitude of mobile devices.” 

“It’s vital that proactive security measures are taken to improve patient access, improve outcomes, and streamline costs as healthcare organizations approach 2021,” he continued. 

Looking Ahead

The increase in ransomware issues is not surprising, but prevention mechanisms will shore up these gaps. As previously noted to HealthITSecurity.com by Brett Callow, healthcare entities can expect these attacks to continue, as long as providers keep paying ransom demands. 

“We believe a complete prohibition on the payment of demands is now necessary. If you stop the flow of cash, you’ll stop the attacks. It really is the only practical solution,” Callow recently noted. 

“As long as threat actors continue profiting from ransomware, we expect we will continue to see them attack the highest value targets who would have the highest motivation to pay up quickly,” Witt added. “There is a reason Ryuk is called ransomware, not spyware, blackmailware, or conspiracyware.” 

Ransomware has always been about the payout, explained Witt. And healthcare entities are more likely to pay ransoms if patient health is at risk. For reference, consider the recent reported ransom payments made by Blackbaud and the University of California San Francisco's School of Medicine. 

And as Coveware data shows, there is no guarantee that hackers will actually do what they promise and return the data or delete it. In fact, Conti ransomware hackers have repeatedly shown victims falsified evidence that data was deleted by the attackers.

As a result, these attacks are expected to continue over the next several months. Dudley urged providers to stay on alert for indicators of compromise, including those made public or through I-SAC sharing communities, as related to Ryuk, BazarBackdoor, or Trickbot.  

Healthcare will continue to be targeted, with hackers leveraging COVID-19 themes in phishing campaigns as the pandemic numbers continue to rise, she noted. And hackers will also continue to use cloud services as organizations leverage the services for business processes. 

“When it comes to threats we’re seeing in phishing emails, credential related messages are the top threat,” Dudley said. “Threat actors can leverage these stolen credentials to access hosted services as a legitimate user, making it difficult for the organization to detect. This is where enabling two-factor authentication is critical for as many systems as your able.” 

“Most of the emails we saw related to this threat were delivered in September,” she added. “Continue to remind staff that they help keep the organization protected by being vigilant in their email inbox. Encourage staff to report anything that is suspicious to your security teams. IT administrators should ensure their systems have the latest patches applied. If there are systems that are managed by a third party for maintenance, ensure you have those segmented and monitor any internet connections.”

Next Steps

Dig Deeper on Cybersecurity strategies