An Eye-Opening Look Inside a Healthcare Cyberattack Incident

2018 may be only a few weeks old, but we are already seeing reports of a dangerous ransomware campaign in full swing. Ransomware remains a popular cybercriminal approach because of the sheer number of targets that can be infected. Everyone from individual users to large enterprises has been attacked, and infections, small and sprawling alike, won’t stop anytime soon. Ransomware is big business. As organizations increasingly depend on electronic data and computer networks to conduct their daily operations, growing pools of personal and financial information are being transferred and stored online, in “the cloud”.

By now, most organizations of all sizes, as well as individuals, are well aware of the deceptive nature of ransomware. As its name implies, ransomware is malicious software that holds electronic files hostage pending the payment of a ransom, typically with untraceable bitcoin as the currency of choice. The core problem is that the ransomware encrypts a set of files, or worse, the entire hard drive, cutting off access to those files. Unless the victim can restore from a backup, the attacker (aka “hacker”) holds the encryption keys needed to recover the files, releasing them only when the ransom demand is met, and sometimes only within a window of a few hours.

“Unfortunately, ransomware threats continue to emerge as they prove successful for cybercriminals, and more high-profile business targets fall victim to this kind of infection nearly every day. There’s no doubt that ransomware will maintain its reputation as a formidable threat in the cybersecurity industry,” says Rob Kleeger, Managing Director of Digital4nx Group, Ltd.

Organizations must treat mitigating the risks associated with ransomware—data loss, interruption of business operations, and more—as a strategic imperative by implementing a layered security approach that maps to and thus thwarts ransomware attack campaigns.

Increasingly Sophisticated Variants Are Emerging

Ransomware is evolving, using increasingly sophisticated tactics, techniques, and procedures to execute attacks. Ransom amounts are typically measured in the tens of thousands of dollars or less, which is indicative of a business model built on a large number of quick, small transactions across a broad set of targets. While attack methods vary with the type of vulnerability, the most commonly exploited is the human one, via spear phishing. Traditionally, most infections start with a spam email that includes a malicious link or attachment, giving the attackers entry into the system and enabling them to deliver the ransomware and lock the system down. “Drive-by downloading” is another frequently used vector for delivering the ransomware payload: the attackers inject malicious code into legitimate webpages, or redirect traffic to spoofed sites, and this has proven successful as well.

The majority of ransomware variants are known as either crypto-based or data-locker based. These variants use sophisticated encryption algorithms to lock down the infected device’s operating system, meaning that all files and data, as well as applications and other system platforms, are rendered unavailable, and system files and their associated data become inaccessible to the victim. CryptoLocker is one of the best-known variants of this kind. The recent Petya attacks fall into this category as well.

The world has seen its fair share of ransomware attacks — WannaCry and NotPetya struck in the past year alone. These were true ransom worms, tied to information warfare between countries, that managed to affect large entities and forced organizations to rebuild their Active Directory environments.

Dharma is a ransomware-type infection that aims to encrypt the most valuable information on the victimized computer. Dharma ransomware is a variant of CrySiS ransomware that has been increasingly tied to brute-force Remote Desktop Protocol (RDP) attacks. Dharma first appeared in November 2016, shortly after the master decryption keys for CrySiS ransomware were publicly posted to a forum.

In addition to bearing technical similarities to CrySiS, Dharma has also been observed infecting victims in similar ways. Both have been tied to a recent spike in brute force attacks on victims with open RDP ports.

RDP was developed by Microsoft as a remote management tool. It is commonly exposed on internal networks for administration and support, but when exposed to the wider Internet it can be a dangerous beacon for attackers. RDP attacks sometimes begin with the infection of one machine, spread to all other connected computers, and then hold the victim hostage for ransom.

In a recent case for a Withum client, we responded to a ransomware attack and learned that one ransomware (Dharma) had only locked up files on the local user’s computer. A week later, there was an attack over an RDP connection from a user account that affected the entire user directory on one server and then worked its way across to the domain controller and email server, effectively encrypting the entire operation. During the investigation, it was learned that the backups maintained by a third-party provider were actually stored on the encrypted server, and the redundant backup was an external USB hard drive that was also connected to the server. Unfortunately, the only off-premises backup was months old, so the organization is beginning the process of recreating its records by re-entering data from paper files and emails. The organization’s insurance coverage is woefully inadequate to cover the incident investigation and notification process. Potential regulatory fines have not yet been determined. Could this ransomware event raise a going-concern question for the organization? Time will tell.

Ransomware isn’t spread indiscriminately. Instead, attackers typically gain access to target servers via weak or stolen credentials, often identifying prospective victims by scanning the Internet for computers with exposed RDP connections. Using port-scanning tools like masscan, attackers can easily home in on systems with open ports (port 3389 is the standard RDP port). Once a target is found, the standard drill is to gain access by conducting brute-force attacks designed to guess weak or default passwords.
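The brute-force-then-logon pattern described above is something a defender can watch for in the Windows Security log. The following Python detector is an added example, not code from the original post or from Withum; it runs over constructed log records whose field layout is assumed (EventID 4625/4624 and LogonType 10 are the real Security-log values for failed logon, successful logon and RemoteInteractive/RDP; the timestamps, accounts and addresses are made up).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log records (not from any real host):
# (timestamp, EventID, LogonType, account, source IP). EventID 4625 is a failed
# logon and 4624 a successful one; LogonType 10 is RemoteInteractive, i.e. RDP.
SAMPLE_EVENTS = [
    ("2018-01-11 02:00:05", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-01-11 02:00:06", 4625, 10, "admin", "203.0.113.7"),
    ("2018-01-11 02:00:08", 4625, 10, "backup", "203.0.113.7"),
    ("2018-01-11 02:00:09", 4625, 10, "support", "203.0.113.7"),
    ("2018-01-11 02:00:11", 4625, 10, "vendor", "203.0.113.7"),
    ("2018-01-11 02:00:12", 4625, 10, "vendor-support", "203.0.113.7"),
    ("2018-01-11 02:00:40", 4624, 10, "vendor-support", "203.0.113.7"),  # guessed
    ("2018-01-11 02:05:00", 4625, 10, "jsmith", "198.51.100.20"),  # two typos,
    ("2018-01-11 02:05:30", 4625, 10, "jsmith", "198.51.100.20"),  # below threshold
    ("2018-01-11 02:06:00", 4624, 10, "jsmith", "198.51.100.20"),
    ("2018-01-11 02:07:00", 4625, 3, "svc-scan", "203.0.113.7"),  # network logon, not RDP
    ("2018-01-11 02:10:00", 4624, 10, "helpdesk", "10.0.0.5"),  # internal admin
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`, and
    record any account that then logs in successfully over RDP from that IP."""
    ordered = sorted(
        ((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, lt, acct, ip)
         for ts, eid, lt, acct, ip in events), key=lambda e: e[0])
    recent = defaultdict(list)  # source IP -> timestamps of failures still in window
    alerts = {}
    for ts, eid, lt, acct, ip in ordered:
        if lt != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        if eid == 4625:
            fails = recent[ip]
            fails.append(ts)
            while fails and ts - fails[0] > window:  # slide the window forward
                fails.pop(0)
            if len(fails) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "compromised_accounts": []})
                entry["failures"] = max(entry["failures"], len(fails))
        elif eid == 4624 and ip in alerts and acct not in alerts[ip]["compromised_accounts"]:
            # a success right after a burst of failures is the signature of a guessed credential
            alerts[ip]["compromised_accounts"].append(acct)
    return alerts

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['failures']} failed RDP logons; accounts then logged in: "
              f"{info['compromised_accounts'] or 'none'}")
```

A successful RDP logon from an address that was just flagged is the alert worth paging on: it is the point at which a password guess has become a foothold, well before any encryption starts.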

SamSam is one of a growing list of ransomware families that primarily infect victims via exposed RDP ports. SamSam has resurfaced, this time targeting organizations with exposed RDP connections.

Securing RDP Is Therefore Key

Ransomware also exploits application vulnerabilities, as in the case of SamSam, which takes advantage of vulnerabilities in certain web application stacks, and of other families that exploit vulnerabilities in Adobe Flash.

Trend Micro has reported the most consistent target of those attacks has been healthcare providers in the United States. One Dharma victim, ABCD Children’s Pediatrics in San Antonio, was forced to notify 55,447 patients that their personal data had been encrypted and therefore potentially exposed to hackers.

So far, confirmed victims include Indiana-based Adams Memorial Hospital, electronic health records (EHR) provider Allscripts, an unnamed Industrial Control Systems (ICS) company, and the municipality of Farmington, New Mexico. The most high-profile case, however, is another Indiana-based hospital — Hancock Health — which made headlines for its decision to pay a $55,000 ransom in order to regain access to its files and restore its systems.

SamSam Ransomware Attacks Surging

The series of high-profile malware infections has been tied to the SamSam ransomware group. As mentioned, victims include electronic health records provider Allscripts, an unnamed Industrial Control Systems (ICS) company, and two Indiana hospitals, among others.

On January 11th, Hancock Regional Hospital in Indiana discovered that their computers had been infected with SamSam ransomware. They engaged their incident response and crisis management plan and got their legal team and an outside cybersecurity firm involved. They also contacted the FBI’s cybercrime task force. They even had full backups of all the data that SamSam encrypted; however, the hospital decided to pay the four-Bitcoin ransom, worth around $55,000 USD at the time, in order to get their files decrypted. According to their public press releases, “We were in a very precarious situation at the time of the attack,” Hancock Health CEO Steve Long said. “With the ice and snow storm at hand, coupled with one of the worst flu seasons in memory, we wanted to recover our systems in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients. Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations.”

As stated earlier, the point of entry was a computer with the Remote Desktop Protocol open to the Internet, accessed with a vendor’s username and password. More than 1,400 of the hospital’s files were encrypted by SamSam, and each file was renamed “I’m sorry.”

At that time, there was no practical way for any entity to decrypt files affected by SamSam, so decryption wasn’t an option for Hancock Health. Hancock Health stated that the hospital’s life-sustaining and support systems remained unaffected during the ordeal, and that patient data wasn’t transferred outside of the hospital’s network. Hancock Health said that recovering from their backups could have taken weeks. They made a difficult decision in favor of offering their patients the best care as soon as possible. Hospital staff did their best to record patient data with pen and paper while they lacked access to digital records. Hancock Health contained the SamSam infection by January 12th, the day after the attack. That’s also the day they paid the ransom. By January 15th, Hancock Health’s entire network had recovered completely and resumed normal operations.

Best Practice Tips

Billions of dollars are spent each year combating cybercrime and yet the number, intensity and severity of attacks keeps increasing.

Because hackers have an array of variants and infection techniques to choose from, ransomware infections do not all look or operate the same way. While one infection may begin with an email and result in all data being encrypted, another may come from a malicious website and end with the entire operating system being locked down. This variation makes it difficult for users to guard against threats – but protection is not impossible.

Everyone with sensitive or important data should make backups, preferably on external disks or on some combination of cloud servers and external disks to which one has physical access. As the attack on Hancock Health makes disturbingly clear, focusing solely on backup and recovery puts organizations in an extremely risky, make-or-break position. Organizations that make backups feel confident and believe that they’re prepared for ransomware to strike.

Part of the problem is a disparity in the perception of risk between those on the ground, the IT teams that see the vulnerabilities and understand the threats, and those higher up. Board members don’t see the risk if everything is status quo. CFOs are more interested in spending time and money on efforts that will produce profit and gains than on the far less glamorous idea of protecting their data. Business leaders need to ensure they’re doing everything they can to prevent successful infections in the first place. Ask yourself whether it’s pragmatic to restore from your backups if you become a ransomware victim.

Ransomware victims should avoid paying ransoms to their attackers: sometimes an attacker won’t decrypt files even when the ransom is paid, and every payment makes ransomware profitable for criminals and encourages them to continue.

Secure, Secure, Secure RDP

Remote Desktop has become one of the most popular tools for attackers to abuse. Make sure you secure it by doing the following:

  • Restrict access behind firewalls and by using an RDP Gateway or VPN
  • Use strong passwords and two-factor authentication
  • Limit users who can log in using remote desktop

Make sure you have a standalone cyber insurance policy, not a rider with minimum coverage of $25,000 or $50,000. These coverage values are inadequate given publicly documented costs, and this risk continues to grow as a result of high-profile data breaches and awareness of the almost endless range of exposure businesses face. Whether it’s credit card fraud, identity theft, email hacking, ransomware, account theft or any number of other activities – you’re in the midst of an online war and you may not even know it.

Because ransomware is so destructive, real, and immediate a threat, it’s critical to review your incident response plan (if you have one), conduct proactive “ethical hacking” assessments, provide cyber awareness training to your workforce, and test your backup systems in order to ensure that you survive a ransomware attack.

In addition to fundamental best practices such as automating full and differential backups, keeping backups offline, patching regularly, maintaining strong access controls, and providing ongoing end-user awareness education, further steps in a defense-in-depth approach are required to combat ransomware. Withum has also responded to other cyber breaches, including spear-phishing for wire transfers, purchases of Apple iTunes cards and other criminal activity, where we see a pattern connected to subpar performance by third-party IT providers. The responsibility still rests with our clients. Because ransomware takes advantage of a broad attack surface across applications, users, and devices, cloud-, endpoint-, and server-resident data assets are all at risk of being encrypted and held for ransom.

Do The Basics And Plan

Security really doesn’t have to be difficult, or even expensive. Strong passwords, security patches, continuous end-user training, isolated backups, and hardened systems and networks can make all the difference. Patching is fundamental. What won’t help is throwing money at the problem and investing in thousands or hundreds of thousands of dollars in software if employees are neglecting basic system updates. Attackers are opportunists looking for an easy way in, and they look where they think you’ll have your guard down. Few companies have proper network segmentation, even today, when ransomware and other cyberattacks are rampant. Those that do put in the work, spend money on security, develop incident-response plans and train their employees, though, fare much better.

LEARN MORE ABOUT PROTECTING YOUR ORGANIZATION by contacting Joe Riccie (CPA, Partner with Withum) at 609-514-5597 or visiting
