Ransomware is malicious software that compromises the availability of critical information. Unlike other forms of hacking, ransomware does not compromise the confidentiality or integrity of the data, nor does it require the hackers to sell the information to a third party in order to profit from it.

This article originally appeared in the Compliance and Ethics blog.

The information is held hostage until the owners of the information pay the requested “ransom amount,” at which point the information is “released.” Using social engineering techniques, the attacker gets a careless or untrained user to click on a phishing message or a contaminated web advertisement, or to visit a malicious website; the ransomware is then released into the system, where it encrypts the hard drive with a cryptographic key, locking down the target information.

Once the ransomware has been installed and the hard drive encrypted, a message is displayed on the target individual’s screen.

The information is confined until the ransom is paid. The hackers demand to be paid in “cryptocurrency,” an electronic payment system using digital, untraceable currency, which is distributed on a portion of the internet only accessible through a specialized browser (aka “the dark web”) that allows anonymous transactions to take place over the internet. The most popular type of cryptocurrency is known as “Bitcoin” (or BTC), and the specialized browser is “Tor.” The exchange rate of Bitcoin to the U.S. dollar is variable, so it is not a one-to-one exchange; one Bitcoin can be worth hundreds of dollars.

There are many variants of ransomware, and each has its own presentation and payment system. According to KnowBe4, RSA 2048 is the most frequently used encryption in ransomware attacks, and “an average desktop computer is estimated to take around 6.4 quadrillion years to crack an RSA 2048 key.”[1] Ransomware is more prevalent than people realize, not only because it is risk-free for the hackers but also because organizations would rather pay the ransom than publicize the problem. Since the confidentiality or integrity of the information has not been compromised, no notification to authorities is required, although the FBI has asked companies to report such incidents to it.[2]

So what can your organization do to prevent a ransomware attack? Here are a few must-dos:

Establish or update your Information Risk Management Program

Formalize a Governance or Oversight Committee to review risk-rating reports, determine risk appetite, approve risk treatment and fund priority initiatives.

Conduct a periodic risk analysis and implement a risk management plan. Include this threat, ransomware, in all its forms in your information risk assessment. Understand that the vulnerabilities start with your workforce members, and that the assets to be protected are all the applications, storage devices and media that contain that confidential information.

Implement Technology-Prevention Tools and Processes

  • Update browsers
  • Install software patches promptly – hackers exploit known vulnerabilities in applications to install malware
  • Enable pop-up blockers
  • Invest in antivirus with active monitoring, and layer on anti-malware and anti-ransomware
  • Ensure backups are not on a network accessible to a possibly compromised computer. Kentucky-based Methodist Hospital fell victim to a strain of ransomware known as “Locky” that encrypts all important files and then deletes the originals. The hospital was forced to process everything by hand on paper.[3]

Train employees on social engineering tactics

  • Email attachments
    • Hidden file extensions
    • Contaminated zip files
  • Email links
    • Free software
  • Web advertising
    • “Drive-by downloads”

Update your Cyber Insurance

Check the wording very carefully. BitPay found out the hard way that the definition of “hacking” doesn’t include social engineering tactics.[4]

Increase the frequency of back-ups

Ensure your Business Continuity Plan (BCP) includes a robust system and data backup plan. Recovery is measured in terms of how much data an organization can afford to lose (e.g. 1 hour or 24 hours of data) and how long an organization can operate without an asset or group of assets being available before it impacts the bottom line (e.g. 1 hour or 24 hours).
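The two recovery measures above (usually called the recovery point objective, RPO, and recovery time objective, RTO) interact with the earlier point about backups reachable from a compromised computer. As an added example that is not part of the article, the Python check below computes the data loss an organization would actually suffer after a ransomware incident, writing off any backup copy an infected workstation could have encrypted. The schedule, timestamps and names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class BackupCopy:
    taken_at: datetime
    network_reachable: bool  # True if an infected workstation could write to this copy


def usable_copies(copies: List[BackupCopy], incident_at: datetime) -> List[BackupCopy]:
    """Copies taken before the incident that sit off the reachable network.
    A copy on a share the infected machine can reach is written off, because a
    strain like Locky encrypts every reachable file along with the originals."""
    return [c for c in copies if c.taken_at <= incident_at and not c.network_reachable]


def loss_window_hours(copies: List[BackupCopy], incident_at: datetime,
                      ignore_exposure: bool = False) -> Optional[float]:
    """Hours of data lost: time from the newest restorable copy to the incident.
    ignore_exposure=True gives the naive figure that also counts network copies."""
    if ignore_exposure:
        good = [c for c in copies if c.taken_at <= incident_at]
    else:
        good = usable_copies(copies, incident_at)
    if not good:
        return None  # nothing to restore from at all
    newest = max(c.taken_at for c in good)
    return (incident_at - newest) / timedelta(hours=1)


def meets_rpo(copies: List[BackupCopy], incident_at: datetime, rpo_hours: float) -> bool:
    """True if the effective loss window is within the tolerated data loss."""
    loss = loss_window_hours(copies, incident_at)
    return loss is not None and loss <= rpo_hours


# Constructed sample schedule: hourly copies to a network share from 00:00 to 14:00,
# plus one nightly copy at 02:00 rotated to media that is disconnected afterwards.
INCIDENT = datetime(2016, 3, 18, 14, 30)
SCHEDULE = [BackupCopy(datetime(2016, 3, 18, h, 0), True) for h in range(15)]
SCHEDULE.append(BackupCopy(datetime(2016, 3, 18, 2, 0), False))


def demo() -> dict:
    """Compare the apparent and effective loss windows for the sample schedule."""
    return {
        "apparent_loss_hours": loss_window_hours(SCHEDULE, INCIDENT, ignore_exposure=True),
        "effective_loss_hours": loss_window_hours(SCHEDULE, INCIDENT),
        "meets_1h_rpo": meets_rpo(SCHEDULE, INCIDENT, 1),
        "meets_24h_rpo": meets_rpo(SCHEDULE, INCIDENT, 24),
    }
```

The hourly network copies make the schedule look like a 30-minute loss, but once they are written off the only restorable copy is the 02:00 offline one, so the real loss is 12.5 hours: a 1-hour target is missed and only the 24-hour target is met.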

Test Your Emergency Response System

“We have a pretty robust emergency response system that we developed quite a few years ago, and it struck us that as everyone’s talking about the computer problem at the hospital maybe we ought to just treat this like a tornado hit, because we essentially shut our system down and reopened on a computer-by-computer basis,” said David Park, an attorney for the Kentucky healthcare center.

Update your Information Risk Management Plan to include Ransomware as a Threat

Every organization with confidential information should be conducting a bona fide and comprehensive risk analysis and utilize those results to make informed decisions to manage those risks. Keep an eye on new developments in hacking techniques and include them as threats in your IRM program, identify the vulnerabilities that exist and add additional controls or safeguards to your defensive position.

Conclusion: With the increasing use of Electronic Health Records and the willingness to pay the ransom rather than lose the data, healthcare organizations are a prime target for a ransomware attack. The business of patient care and patient safety is easily compromised if the EHR system and attendant patient information are unavailable for any length of time. This compromise of availability creates real urgency: restore the system to operational functionality or endanger patient safety. Time is not on your side.


Rich Curtiss

Principal Consultant at Clearwater Compliance

Mr. Curtiss has over 35 years of diverse, executive IT experience across several verticals including Healthcare, Finance, Department of Defense, Intelligence Community and Consulting Services. Rich has served in executive information technology and cybersecurity positions as a CIO, CISO, Director and Program Manager. He's a member of the Clearwater consulting team.