On October 28, 2020, CISA, the FBI, and HHS released an advisory warning that potentially hundreds of medical centers and hospitals would be targeted for ransomware encryption.
Although ransomware has been a serious threat for the past five years, the risk of an operational outage or a breach keeps growing.
Ransomware has evolved over the last five years, steadily increasing its impact and its ability to cripple hospital systems. 2015 was the year of ransomware, with the emergence of CryptoWall. An attack began with phishing to gain initial access to an endpoint. The malware encrypted the drive and presented the user with ransom instructions. The machine then joined a botnet that spread the malware further, repeating the phishing cycle. The targets were individual computers: large companies, hospitals included, fell victim, but it was rare for hospital systems to be targeted as such.
The next large evolution in ransomware came in 2017. A group of exploits (EternalBlue) allowed remote compromise of Windows devices, and ransomware kits began incorporating EternalBlue. This allowed programmatic compromise of large networks lacking mature patch management, and hospitals were now seen as an easy target.
The latest evolution in ransomware is the incorporation of techniques once reserved for nation states. One of the latest groups to gain notoriety, in 2020, is UNC1878, also tracked as Wizard Spider. Its combination of phishing, credential harvesting, privilege escalation, data exfiltration, and ransomware is a worst-case scenario for a medical system: a long, continued operational outage plus a potential breach. By combining automation with hands-on-keyboard operators, the malware spreads quickly across systems. Re-imaging an endpoint can be ineffective, because compromised credentials allow quick reinfection and re-encryption. Even more devastating, attackers can exfiltrate sensitive regulated data and hold it hostage.
Before this kind of attack, fending off ransomware meant security awareness, email filtering, patching, and, in the worst case, restoring data. Now that an attack can incorporate privilege escalation and lateral movement, the security department must also evaluate local administrative privileges, password entropy, service accounts with elevated authority, domain administrator accounts, insecure protocols, and methods to identify the exfiltration of data. Attackers understand that it can take years and massive capital to deprecate the programs, service accounts, and protocols a company has relied on operationally for years. Consider expensive biomedical devices such as MRI machines, which often cannot be patched or replaced quickly, and it is easy to see why hospitals are targeted. In addition, the security department must have the visibility and training to detect lateral movement, including log aggregation and correlation, which can be a specialized skill set.
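As an added example of the log correlation the paragraph calls for (this is not code from the original post): a small Python detection that parses constructed Windows 4624 logon records and flags any account that authenticates to many distinct hosts within a short window, the fan-out pattern that compromised credentials produce during lateral movement. All hostnames, account names, addresses and the flattened log format are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of flattened Windows Security events (4624 = successful logon;
# LogonType 3 = network, 10 = RDP). Hosts, accounts and addresses are invented.
SAMPLE_EVENTS = """\
2020-10-28T02:00:05 EventID=4624 LogonType=3 Account=svc_backup Host=PACS-01 Src=10.10.5.21
2020-10-28T02:00:41 EventID=4624 LogonType=3 Account=svc_backup Host=LAB-DB02 Src=10.10.5.21
2020-10-28T02:01:13 EventID=4624 LogonType=10 Account=svc_backup Host=DC-01 Src=10.10.5.21
2020-10-28T02:01:50 EventID=4624 LogonType=3 Account=svc_backup Host=FILE-03 Src=10.10.5.21
2020-10-28T02:02:20 EventID=4624 LogonType=3 Account=svc_backup Host=MRI-WS07 Src=10.10.5.21
2020-10-28T02:03:00 EventID=4624 LogonType=3 Account=svc_backup Host=HR-APP01 Src=10.10.5.21
2020-10-28T08:15:00 EventID=4624 LogonType=2 Account=jsmith Host=WS-112 Src=-
2020-10-28T08:30:00 EventID=4624 LogonType=3 Account=jsmith Host=FILE-03 Src=10.20.1.44
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Host=(?P<host>\S+) Src=(?P<src>\S+)$"
)

def parse_events(text):
    """Parse the flattened event lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["eid"], d["lt"] = int(d["eid"]), int(d["lt"])
        events.append(d)
    return events

def find_fan_out(events, window=timedelta(minutes=10), min_hosts=5):
    """Return {account: hosts} for accounts whose successful remote logons
    (type 3/10) reach >= min_hosts distinct hosts inside any sliding window."""
    remote = defaultdict(list)
    for e in events:
        if e["eid"] == 4624 and e["lt"] in (3, 10):
            remote[e["acct"]].append((e["ts"], e["host"]))
    alerts = {}
    for acct, logons in remote.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[acct] = sorted(hosts)
                break
    return alerts
```

The service account touching six servers in three minutes is flagged, while the interactive user with a single network logon is not; tune `window` and `min_hosts` to the normal fan-out of backup and scanning accounts in your own environment.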
If you are a medical facility or a hospital, where do you get started?