What started out as a challenging fall for Healthcare became much worse yesterday when the FBI, together with DHS and HHS, held a conference call describing ransomware activity aimed at U.S. Healthcare organizations.

After targeting Universal Health Services last month—one of the largest healthcare providers in the U.S.—and causing them to shut down all of their IT systems, yesterday’s news made it clear that the FBI believes the group behind Ryuk ransomware is targeting a large number of US hospitals and healthcare providers.

Many organizations may feel protected against ransomware, using the latest signatures provided by antivirus software vendors and network security organizations to detect and possibly even block ransomware before it can cause damage and take systems off the network. But as ENISA has pointed out in its recent annual report—and what is also known to happen with Ryuk specifically—ransomware evolves, making detection harder and its evasion of defensive tools easier.

To make matters worse, determined bad actors have learned their lesson and are doing their homework before launching attacks. More specifically, they’re moving towards more personalized attack vectors that are similar to spear phishing and make use of an extensive reconnaissance phase before striking. This tactic increases the odds that ransomware will be successful in gaining a foothold on the network, causing maximum damage and increasing the gain for the attacker.

Preventing Ransomware Attacks

Agio has always recommended that organizations prepare for the worst. This includes training IT staff for handling a successful ransomware attack, as well as making all users aware that ransomware often gains a foothold through emails or by visiting websites that host malicious code. Now more than ever, the Healthcare and Public Sectors should emphasize these lessons to their employees.

In addition, the following recommendations still apply. Detecting and responding effectively to this ongoing threat requires a well-tuned platform that receives the right inputs from systems and solutions appropriately configured and tested to identify “known” patterns of activity, as well as deviations from established norms or baselines.

Agio uses—and recommends using—a Managed Detection and Response (MDR) platform or service that is updated by global threat intelligence feeds and alerting on the known and evolving Indicators of Compromise (IOC) of Ryuk and all other variants of known ransomware. In addition, we deploy and recommend a robust Endpoint Detection and Response (EDR) solution to address ransomware outbreaks. We do encounter organizations with incomplete deployments of this type of solution, and suggest they review their EDR policies and confirm that all devices are enabled and configured to prevent malicious threats.


Finally, we encourage our clients to review the alert published by the FBI, HHS and DHS that lists various indicators of compromise associated with the group behind the Ryuk ransomware.

As previously indicated, it’s important to keep in mind that ransomware is evolving. Therefore, even keeping your security software up to date may not entirely protect against ransomware gaining a foothold on your network. Efforts directed at training your IT staff to respond to incidents and ensuring your technical defensive measures are in place to contain the incident and restore business operations in a timely manner may now pay off.

Common security mistakes when defending against ransomware

Based on our direct involvement in diagnosing, responding to, and investigating ransomware attacks on our clients over the past few months, we’ve put together the following tips and recommendations to inform your defense against this most troubling form of malware:

  • Inadequate or incomplete cleanup of third-party remote access utilities
  • Inadequate prioritization of system updates
  • No verification of backup & restoration of key systems
    • Do you have the ability to shift to—or work from—another Domain Controller or database now?
  • Incomplete operational picture
    • Are you ingesting the 8 critical log sources?
      • Network Intrusion Detection System
      • Endpoint Detection & Response
      • Web Content (Umbrella, Zscaler, PAN OS)
      • DHCP
      • Directory Services
      • Firewall
      • VPN/Remote Access systems
      • Office365
    • Are you routinely reviewing logs? (The SANS Institute Critical Log Review Checklist can help.)
  • No restricting and monitoring/alerting/reconciling of “living off the land” tools (PsExec, WinRM, etc.)
  • Lack of agility in isolating systems or segments
  • No process for ad hoc password resets

Reduce your exposure

The following guidelines are framed using the MITRE ATT&CK® adversarial objectives.

Initial Access:  

  • Prevent access via phishing emails by leveraging an email security platform with configurability options; consider geo-blocking on email platforms—not just firewalls
  • Conduct user awareness training

Execution: 

  • Enable Outlook Safelinks
  • Validate the functionality of the following for your endpoint detection and response solution (EDR):
    • Application control
    • Isolation agility (to prevent further infection)
    • Disabled use of macros and scripts
    • Enabled memory protection (to disallow an attacker from grabbing clear-text passwords)
    • Signature-based detection

Privilege Escalation: 

  • Implement identity and access management tooling
  • Provision Jumpboxes for conditional access
  • Implement and enforce Multi-factor authentication (MFA)

Defense Evasion: 

  • Validate that the ability to execute vssadmin is restricted, to prevent actors from deleting shadow copies (these actions are monitored by a SIEM)
  • Create a detection rule for behavior analysis (part of log sources)
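The following is an added example (not Agio's code, and not any product's rule set) showing what a detection rule for the two points above looks like in practice: the vssadmin/shadow-copy rule from Defense Evasion, and the monitoring and reconciling of “living off the land” tools (PsExec, WinRM) from the common-mistakes list. It assumes the SIEM has normalised Windows Security event 4688 (process creation) or Sysmon event 1 into records with the fields host, user, parent and command_line; the sample events and the approved-operator account are constructed for this example.

```python
"""Detection rules for shadow-copy destruction and living-off-the-land
remote execution, run over constructed Windows process-creation events.

Added example, not Agio's or any vendor's code. Event format is an assumption:
dicts with host, user, parent and command_line, as a SIEM might store
Security event 4688 / Sysmon event 1.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    command_line: str


# Rule 1: command lines that remove the recovery options ransomware wants gone.
# Each pattern needs the executable name plus its destructive verb, so routine
# use such as "vssadmin list shadows" does not fire.
SHADOW_COPY_DESTRUCTION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I),
]

# Rule 2: legitimate admin tools that also provide remote execution. Every run
# is reported; runs by an approved operator account are tagged for
# reconciliation against change records, anything else is tagged unapproved.
LOLBIN_REMOTE_EXEC = [
    re.compile(r"\b(psexec(64)?|psexesvc|paexec)(\.exe)?\b", re.I),
    re.compile(r"\b(winrs(\.exe)?|winrm(\.cmd)?)\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*/node:", re.I),
]


def detect(events, approved_operators=frozenset()):
    """Return the alerts raised by both rules over an iterable of event dicts."""
    approved = {u.lower() for u in approved_operators}
    alerts = []
    for ev in events:
        cmd = ev["command_line"]
        if any(p.search(cmd) for p in SHADOW_COPY_DESTRUCTION):
            alerts.append(Alert("shadow-copy-destruction", ev["host"], ev["user"], cmd))
        if any(p.search(cmd) for p in LOLBIN_REMOTE_EXEC):
            tag = "approved-operator" if ev["user"].lower() in approved else "unapproved-operator"
            alerts.append(Alert(f"lolbin-remote-exec/{tag}", ev["host"], ev["user"], cmd))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc-backup", "parent": "wbengine.exe",
     "command_line": "vssadmin.exe list shadows"},                  # benign listing
    {"host": "FS01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"host": "JUMP01", "user": "CORP\\it-admin", "parent": "powershell.exe",
     "command_line": "psexec.exe \\\\WS042 -s cmd.exe /c ipconfig /all"},
    {"host": "WS017", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "command_line": "C:\\Temp\\PsExec64.exe \\\\DC01 -u CORP\\jdoe cmd"},
    {"host": "WS017", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "command_line": "winword.exe /n C:\\Users\\jdoe\\Documents\\shadows.docx"},
]

# Constructed: the only account allowed to run remote-execution tools.
APPROVED_OPERATORS = {"CORP\\it-admin"}


def main():
    for a in detect(SAMPLE_EVENTS, APPROVED_OPERATORS):
        print(f"[{a.rule}] host={a.host} user={a.user} cmd={a.command_line}")


if __name__ == "__main__":
    main()
```

Run against the sample, the shadow-copy rule fires twice (the delete and the bcdedit change) and stays silent on the listing command; the PsExec run from the jump host by the approved account is reported for reconciliation, while the copy launched from a user's Temp folder is reported as unapproved. The document-name event containing the word “shadows” does not fire, which is why the patterns require the executable name and the verb together.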

Credential Access: 

  • Enable EDR Memory protection to prevent the dumping of passwords and data leakage via memory

Discovery: 

  • Turn off responses to the ping command; refuse connections from known scanners identified by their user agents (Nmap, OpenVAS, Nessus)
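As an added example (not Agio's code), the following script shows how the user-agent part of that recommendation looks when applied to web-server access logs, and goes one step beyond the text by also counting 404 responses per source, because a User-Agent header is chosen by the client and a scanner can present any value it likes. The scanner names come from the recommendation; the user-agent substrings, the log lines and the 404 threshold are constructed assumptions.

```python
"""Flag requests from well-known scanners by User-Agent and cross-check with a
per-source 404 count, over constructed Combined Log Format access-log lines.

Added example, not Agio's code. Signature substrings, log lines and the 404
threshold are constructed assumptions.
"""
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Case-insensitive substrings identifying the scanners named in the text.
SCANNER_SIGNATURES = {
    "Nmap": re.compile(r"nmap", re.I),
    "OpenVAS": re.compile(r"openvas", re.I),
    "Nessus": re.compile(r"nessus", re.I),
}


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if malformed."""
    m = CLF.match(line.strip())
    return m.groupdict() if m else None


def classify_scanner(user_agent):
    """Return the name of the scanner whose signature matches, or None."""
    for name, pattern in SCANNER_SIGNATURES.items():
        if pattern.search(user_agent):
            return name
    return None


def scanner_hits(lines):
    """List of (source ip, scanner name) for every request with a scanner UA."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tool = classify_scanner(rec["ua"])
        if tool:
            hits.append((rec["ip"], tool))
    return hits


def noisy_sources(lines, min_404=3):
    """Sources with at least min_404 responses of status 404: a UA-agnostic
    sign of path probing that the signature list cannot see."""
    counts = Counter(rec["ip"] for rec in map(parse_line, lines)
                     if rec and rec["status"] == "404")
    return {ip: n for ip, n in counts.items() if n >= min_404}


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Oct/2020:14:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/86.0"
198.51.100.23 - - [28/Oct/2020:14:02:15 +0000] "GET /robots.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.23 - - [28/Oct/2020:14:02:16 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.45 - - [28/Oct/2020:14:03:01 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS-VT 20.8)"
198.51.100.99 - - [28/Oct/2020:14:03:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162 "-" "Nessus"
192.0.2.8 - - [28/Oct/2020:14:04:00 +0000] "GET /a HTTP/1.1" 404 162 "-" "curl/7.68.0"
192.0.2.8 - - [28/Oct/2020:14:04:01 +0000] "GET /b HTTP/1.1" 404 162 "-" "curl/7.68.0"
192.0.2.8 - - [28/Oct/2020:14:04:02 +0000] "GET /c HTTP/1.1" 404 162 "-" "curl/7.68.0"
"""


def main():
    lines = SAMPLE_LOG.splitlines()
    for ip, tool in scanner_hits(lines):
        print(f"scanner UA: {ip} -> {tool}")
    for ip, n in noisy_sources(lines).items():
        print(f"probing source: {ip} ({n} x 404)")


if __name__ == "__main__":
    main()
```

On the sample, the signature list catches the three named scanners, but the curl source probing three missing paths is only caught by the 404 count; a user-agent deny list is a cheap first filter, and the rate-style check is what makes the rule hold up once the header is changed.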

Lateral Movement: 

  • Disable SMB v1/2
  • Remove PsExec and tools that provide remote access from the network
  • Provision user accounts with the least amount of access
  • Separate usernames by purpose; limit access based on this purpose
  • Segment your environment

Exfiltration: 

  • Use DLP to detect removal of data from your network
  • Limit access and log access to sensitive data (i.e., crown jewels)

Impact: 

  • Implement an Intrusion Detection System (IDS) to detect command and control (C2) activity and other potentially malicious network activity
  • Leverage a platform for security optimization to validate you are able to detect, block, and contain ransomware

Looking Ahead

Ransomware attacks against the healthcare industry aren’t going away. The records housed by this vertical are too comprehensive and bring too much money to the dark net. Agio is aware of the continuous threat and therefore the services and programs in Agio’s portfolio are tailored to meet your organization’s individual cybersecurity needs. Give us a call, we’re here to help.