Ransomware attacks targeting the healthcare community are sending shockwaves through the industry. In late March, Washington DC-based MedStar Health became the latest in a series of providers to fall victim to ransomware.
The impact of a network-wide ransomware attack grinds operations to a standstill. Patient care is often at stake. In the wake of the MedStar attack, staff scrambled to provide services without access to emails and electronic patient records. It is not very surprising that Hollywood Presbyterian Medical Center in Los Angeles paid the perpetrators $17,000 in Bitcoin to regain access to their files after the February ransomware attack.
With these attacks, we’re seeing new attack strategies come into play. Ransomware, once a scourge largely against individuals, is now hitting companies and critical infrastructure where it hurts. These attacks demonstrate that data is becoming the new human ransom as criminals seek to cripple organizations by encrypting files with a private key – available at high cost – known only to the attacker.
When criminals target critical infrastructure, ransomware crosses an especially serious line, according to one of our partners who is a leading expert in cybersecurity law. “This case [the Hollywood Presbyterian incident] is an example of how cyber can impact the physical world – here, [it affects] the provision of medical services as some patients were diverted to other facilities,” says Tony Kim, global co-chair of cybersecurity at Orrick, Herrington & Sutcliffe LLP, a leading global law firm. “We’ve seen similar dynamics in relation to hacked vehicles, power grids, and other critical services.”
Criminals are also getting more aggressive in their attacks and demanding higher ransom payments, according to a partner who is a top expert on cyberinsurance. “Cyber extortion and ransomware are, without question, on the rise,” shares Toby Merrill, senior vice president, global cyber practice leader for Chubb, the world’s largest publicly traded property and casualty insurer. “A concerning aspect is that the demand values are increasing exponentially. What used to be a few thousand dollars with commoditized ransomware is turning into larger cyber extortion events.”
The Hollywood Presbyterian hospital ransom was particularly vicious in that the criminals initially sought an extremely high payment of $3.4 million. The final negotiated amount, $17,000, was substantially less. Is this a new approach in which the extortionist expects the victim to negotiate, as with human ransoms? Start with an outrageous sum and settle for less? Even the settled figure is much higher than the average ransomware payout. Will future ransomware operators adopt this practice of negotiating settlements to extract the maximum the victim is willing to pay?
Hospitals and companies can manage and minimize ransomware risk if they are prepared. These organizations must be as aggressive and flexible as the attackers to avoid hostile takeover of their networks, proprietary data and user information.
What can an organization do to bolster its defenses? Prepare! Best practice suggests the following strategy for handling a ransomware incident:
• Assess your current capabilities, focusing on your users’ awareness posture and on data security. This involves a risk assessment that looks at both systems and employees. Companies also need to test their exposure to email phishing and their users’ safe-browsing habits (for example, through social-engineering exercises). Deploy safe browser configurations and test your company’s ability to respond to an incident. It is one thing to have a plan and another to execute the plan successfully.
• Consider implementing session-based network detection tools that can detect, analyze and block exploit kit (EK) activity. Because exploit kits are what deliver ransomware (TeslaCrypt, etc.) to your network, blocking the EK stops the infection before it starts, and inspecting the session may let you observe the encryption keys being exchanged before your data is encrypted. Shifts in the attacker’s infrastructure can also be detected and used to trigger an alert. Be proactive to avoid putting your entire infrastructure at risk.
• Develop a Disaster Recovery and Business Continuity (DRBC) plan and consider purchasing cyber insurance to transfer risk. Insurance companies are adjusting coverage based on a company’s security profile and response plans. For example, Ironshore insurance offers full policy limits for both network and data extortion. “But if the applicant doesn't have a DRBC plan in place, then we will cap the limit to $1 million,” says Kurt Suhs, vice president, Ironshore.
• Finally, if you are hit with ransomware, turn to outside counsel and forensics firms for help. They can negotiate and, if needed, pay ransom fees without your organization having to set up a Bitcoin account of its own. They can manage company fallout and repair brand reputation. Organizations may also need assistance in recovering data from backups, volume snapshots or restore points.
A solid DRBC plan and experienced cybersecurity partners are critical to keeping networks and information secure.