It seems ransomware may be a common topic to talk about these days; however, many people do not truly understand ransomware and its risks.
Ransomware is a symptom of a much larger root cause, like getting a fever or chills from seasonal flu. To prevent it, we need to break ransomware into three distinct phases:
In this blog, we will discuss initial infection and spread.
Ransomware typically arrives via phishing or through a vulnerability. These two vectors reduce most of the risk associated with infection. There are a variety of controls, but some of the most common include:
Even with all these controls enabled, risk will be reduced but not eliminated. Someone will always click on something they shouldn’t.
The second phase of ransomware separates organizations with robust information security programs from others. Ransomware wants to spread once the initial infection has occurred. To do so, it uses one of two methods.
Method 1 – Using a common vulnerability within a deployed operating system.
In 2017, WannaCry (a ransomware cryptoworm) spread via the EternalBlue vulnerability. Other ransomware strains, including NotPetya, followed up this infection.
There was a failure to install existing patches (vaccine) to the infected networks in both cases. Healthcare was a prime target due to the lack of consistent patching in biomedical devices or unpredictable areas targeted for an attack, such as an Emergency Department. For the latter, the blame falls on the lack of high availability architecture/design.
EternalBlue type vulnerabilities are rare, and although there have been high-risk vulnerabilities since EternalBlue, the spread vector witnessed in the WannaCry attack made it unique. What if ransomware had a highly privileged account such as a domain administrator account? It would no longer need a coding/environmental vulnerability condition. It would simply move through the network, installing itself on every device.
Method 2 – Using a domain admin account to spread the infection to other systems.
What if the person initially phished had access to a server with their standard account? The malware or the threat actor behind the malware can quickly advance to the server environment using the target's permissions.
If a service account with administrator rights existed on the box (service account to perform backups), the malware/threat actor could retrieve the more privileged account from memory. The infection can repeat these steps until it retrieves an account that allows a high enough saturation of machines. Once there, the malware will begin exfiltrating data or encrypting drives.
As security professionals, we must focus on segmenting users from administrators. An IT administrator must have a regular account and a privileged account. Administrators must be careful where they utilize their account(s). Whatever that account authenticates into is now a target. If the malware can authenticate there, it can retrieve the elevated account. Reset administrator accounts frequently or reboot machines to remove stored tokens in memory.
MEDHOST controls include:
These controls have a positive effect on ransomware. MEDHOST provides hosted customers additional peace of mind knowing MEDHOST has taken complex steps in its journey to protect against the ever-increasing complexity of ransomware.
Our next blog will discuss recovery and required hosting capabilities to ensure hospital business continuity and patient safety.
To learn more about how MEDHOST can help protect your patient data and business operations, please reach out to us at firstname.lastname@example.org or call 1.800.383.6278.