Reducing the Risk of Advanced Ransomware – Ryuk family
On October 28, 2020, CISA, the FBI, and HHS released a joint advisory (AA20-302A) warning of an increased and imminent ransomware threat to U.S. hospitals and healthcare providers, with potentially hundreds of medical centers and hospitals targeted for encryption.
Ransomware has been a serious threat for the past five years, and the risk of an operational outage or a breach keeps growing.
Ransomware has evolved over those five years, increasing both its impact and its ability to cripple hospital systems. 2015 was the year ransomware went mainstream with the emergence of CryptoWall. The attack began with phishing to gain initial access to an endpoint. The malware encrypted the drive and presented the user with ransom instructions, and the machine then joined a botnet that spread the malware, repeating the phishing cycle. The targets were individual computers: large companies, including hospitals, fell victim, but it was rare for a hospital system as a whole to be targeted.
The next large evolution came in 2017 with EternalBlue, a leaked exploit for the SMBv1 flaw Microsoft patched in MS17-010, which allowed remote compromise of unpatched Windows devices with no user interaction at all. Ransomware kits began to bundle the EternalBlue exploit, which allowed programmatic compromise of whole networks lacking mature patch management. Hospitals were now seen as an easy target.
The latest evolution in ransomware is the incorporation of techniques once reserved for nation states. One of the latest groups to receive notoriety is UNC1878 (Mandiant's designation for the Ryuk operators active in 2020; overlapping activity is tracked elsewhere as Wizard Spider). By combining phishing, credential harvesting, privilege escalation, data exfiltration, and ransomware, the threat is a worst-case scenario for a medical system: a prolonged operational outage and a potential breach at the same time. By combining automation with hands-on-keyboard operators, the attackers can spread across systems quickly. Re-imaging an endpoint can be ineffective because the compromised credentials allow quick reinfection and re-encryption. Even more devastating, attackers can exfiltrate sensitive regulated data and hold it hostage.
Before this class of attack, fending off ransomware meant security awareness, email filtering, patching and, in the worst case, restoring data. Because an attack can now include privilege escalation and lateral movement, the security department must also evaluate local administrative privileges, password entropy, service accounts with authority, domain administrator accounts, insecure protocols, and methods to identify the exfiltration of data. Attackers understand it can take years and massive capital to deprecate programs, service accounts, and protocols that a company has relied on operationally for years. When you consider expensive biomedical devices such as MRI machines, which cannot be replaced or upgraded quickly, it is easy to understand why hospitals are targeted. In addition, the security department must have the visibility and training to detect lateral movement, including log aggregation and correlation. That is a specialized skill set.
If you are a medical facility or a hospital, where do you get started?
- Multi-factor Authentication – MFA is essential: a harvested password alone should not be enough to log on, and it is the stolen password that turns one phished endpoint into a compromised domain
- Backups – Restoring data is the last line of defense, but once systems are encrypted it is the only option, so backups must be tested regularly by actually restoring from them
  - For workstations, consider using a cloud service with version control (e.g., OneDrive), so encrypted files can be rolled back to an earlier version
  - For servers, ensure backups are routine and protected from being corrupted or deleted by threat actors: keep at least one copy offline or immutable and not reachable with domain credentials, since the attackers described above hold those credentials and delete backups before they encrypt
- Routine Patching – Credential theft can succeed on a fully patched network, but an exploited vulnerability leads to the same outcome. Patching alone will not prevent ransomware, but it closes the automated, no-click path that EternalBlue-style worms depend on
- Remove end-of-life devices
- Identify and Filter Phishing Emails
  - Security Awareness
  - Routine training
  - Phishing Simulations – Disciplinary action for repeated failures
  - Centralized reporting for a suspected phishing attempt
- Enforce the Disablement of Macros – Office macros are frequently the initial foothold, arriving in a phished document; block macros in files downloaded from the Internet and disable them by policy for users who do not need them
- Log Aggregation – Logs must be shipped to a safe place that a compromised host, or an attacker holding domain admin, cannot clear, or there is nothing to detect with. Log aggregation is an extensive project.
  - Network logging
  - Security events for both workstations and servers, including process creation (event ID 4688) with command lines
  - PowerShell logging (script block and module logging)
  - Sysmon logging
- Developing an Incident Playbook – Once you have logging, the security team should begin building alerts, metrics, dashboards, and playbooks for both detecting and responding to malicious behaviors such as encoded PowerShell, PsExec-style remote execution, and a single account authenticating to many hosts
- Routine Attack and Penetration Testing & Tabletop Exercises
- Limiting Domain Admins – A compromised domain administrator account means a compromised domain controller, and with it every workstation, server, trust, and user in the domain. Keep the group small, use separate non-privileged accounts for daily work, and never log on to workstations with a domain admin account
  - Utilizing password vaults with rotating passwords can help limit exposure
- User Account Passwords
  - Increasing password length and banning common or already-breached passwords removes the easy-to-crack passwords from the environment
  - Using password vaults can also keep users from ever knowing or typing their password
  - Implement Windows Hello for Business with PIN codes or biometrics, which takes the reusable password out of the logon altogether
- Service Account Passwords – Service account passwords must be long and difficult to crack
  - Any account with a service principal name can have its Kerberos service ticket requested by any domain user and cracked offline (Kerberoasting), so length (25 or more random characters) matters more than complexity rules
  - Managed Service Accounts – Group managed service accounts (gMSA) have Windows generate a long random password and rotate it automatically, so nobody ever knows or types it
- Remove Administrative Rights from Endpoints – Removing local administrative rights increases the complexity and the number of steps a threat actor needs to run credential-harvesting tools such as Mimikatz, which need local admin (or SYSTEM) to read LSASS memory
- Network Segmentation – By applying firewalls and other segmentation controls, zones can be defined to inspect traffic. Conceptually, this is like a border between nations.
- Deprecate older protocols such as SMBv1 (the protocol EternalBlue exploited) and RC4 (as a Kerberos encryption type, which makes Kerberoasted tickets far cheaper to crack than AES) from the environment
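The macro, PowerShell-logging, process-auditing and SMBv1 items above each map to a handful of policy settings. The script below is an added example, not code from the original article or from CISA/FBI/HHS: it applies those four controls on a single Windows 10/11 host by writing the registry values that the corresponding Group Policy settings write, so a practitioner can see exactly what the checklist items mean in concrete terms. Fleet-wide, deploy the same settings through GPO; this is for a lab host or a quick manual baseline. The HKCU writes apply only to the user running the script.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Applies four checklist
# controls on one Windows 10/11 host by writing the registry values the
# corresponding Group Policy settings write. Run elevated.

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
}

# 1. Macros. "16.0" covers Office 2016/2019/2021/Microsoft 365. VBAWarnings 4 =
#    "disable all macros without notification"; BlockContentExecutionFromInternet
#    blocks macros in any file carrying the Mark of the Web even where macros are
#    otherwise allowed. HKCU here is the user running the script; GPO does every user.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-PolicyValue -Path $sec -Name 'VBAWarnings' -Value 4
    Set-PolicyValue -Path $sec -Name 'BlockContentExecutionFromInternet' -Value 1
}

# 2. PowerShell logging: script block logging produces event 4104 (the script text
#    after de-obfuscation), module logging produces 4103 (pipeline execution details).
$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-PolicyValue -Path "$ps\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1
Set-PolicyValue -Path "$ps\ModuleLogging" -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -Path "$ps\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type 'String'

# 3. Process creation auditing (Security event 4688) with the full command line,
#    which is what lets you see PsExec, wmic, rundll32 and encoded PowerShell in use.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
Set-PolicyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
                -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1

# 4. SMBv1 off: both the server-side switch and the optional feature. On Windows
#    Server use Remove-WindowsFeature FS-SMB1 instead of the optional-feature cmdlet.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null

# Verify what was set
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-ItemProperty "$ps\ScriptBlockLogging" | Select-Object EnableScriptBlockLogging
Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security' |
    Select-Object VBAWarnings, BlockContentExecutionFromInternet
```

Disabling the SMB1Protocol feature takes effect after a reboot; the Set-SmbServerConfiguration change is immediate. Before disabling macros fleet-wide, inventory which departments actually run macro-enabled workbooks, because the checklist's point is that the controls only stick if they do not break clinical workflows.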
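The domain admin, service account and managed service account items are Active Directory hygiene, and the first step is knowing what is there. The following is an added example, not the article's own procedure: it enumerates the accounts that matter most to the attacker described above (every nested Domain Admin, and every SPN-bearing user account with a stale password, since those are what a Kerberoasting tool collects), then shows how a group managed service account replaces one of them. It needs the RSAT ActiveDirectory module and an account that can read AD; the gMSA step also needs rights to create accounts. The account, group and domain names are hypothetical.

```powershell
# Added example, not code from the original article. Run from a domain-joined
# admin workstation with the RSAT ActiveDirectory module. All names are hypothetical.
Import-Module ActiveDirectory

# 1. Who can own the domain? Every Domain Admin (including nested members) is a
#    single credential that, once harvested from a workstation, yields the DCs.
Write-Host '== Domain Admins (recursive) =='
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# 2. Service accounts. Any user with a ServicePrincipalName can have a Kerberos
#    service ticket requested by any domain user and cracked offline (Kerberoasting),
#    so a short or years-old password here is a direct path to privilege escalation.
#    Membership in an *Admins group makes that path go straight to the top.
Write-Host '== SPN-bearing user accounts with passwords older than 1 year =='
$stale = (Get-Date).AddYears(-1)
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
           -Properties ServicePrincipalName, PasswordLastSet, MemberOf, PasswordNeverExpires |
    Where-Object { $_.PasswordLastSet -lt $stale } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
        @{ n = 'PrivilegedGroups'; e = { ($_.MemberOf | Where-Object { $_ -match 'Admins' }) -join '; ' } },
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join '; ' } } |
    Format-Table -AutoSize -Wrap

# 3. Replace such an account with a group managed service account: the DCs generate
#    a 240-byte random password and rotate it (every 30 days by default), and only
#    the hosts in the listed group can retrieve it. Nobody ever knows or types it.
# One-time per forest, then wait for replication before creating any gMSA:
#   Add-KdsRootKey -EffectiveImmediately
New-ADServiceAccount -Name 'svc-labresults' `
    -DNSHostName 'svc-labresults.hospital.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'LabResultServers' `
    -KerberosEncryptionType AES128, AES256

# On each member of the LabResultServers group, then point the service or
# scheduled task at HOSPITAL\svc-labresults$ with a blank password:
#   Install-ADServiceAccount -Identity 'svc-labresults'
#   Test-ADServiceAccount -Identity 'svc-labresults'
```

The -KerberosEncryptionType restriction is the practical form of the RC4 deprecation item: a gMSA created this way never issues RC4-encrypted tickets, so even the theoretical Kerberoast against it yields an AES ticket with an unguessable 240-byte key.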
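The playbook item says to build alerts for the behaviors this attack chain produces, which only means something once the logging items above are in place. The script below is an added example, not the article's own detection content: a first-pass hunt over one host's Security and PowerShell logs for three of those behaviors (encoded or download-cradle PowerShell, shells spawned by remote-execution services, and one account authenticating over the network from many sources). It assumes 4688 command-line auditing and script block logging are enabled and that the shell is elevated (the Security log requires it). The patterns and the 10-source threshold are assumptions to start from, not a complete rule set.

```powershell
# Added example, not code from the original article. Hunts a host's own event
# logs for the lateral-movement behaviours the checklist is meant to expose.
# Requires an elevated shell; patterns and thresholds are assumptions.
$since = (Get-Date).AddHours(-24)

# Turn an event's EventData into a hashtable keyed by field name
# (SubjectUserName, NewProcessName, CommandLine, TargetUserName, ...).
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# A. Encoded, download-cradle or credential-theft PowerShell. Event 4104 holds the
#    script text after de-obfuscation, so Base64 and string-concat tricks still match.
$psPattern = 'FromBase64String|DownloadString|DownloadFile|Invoke-Expression|IEX\s*\(|Invoke-Mimikatz|sekurlsa|Net\.WebClient'
Write-Host '== Suspicious script blocks (4104) =='
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $psPattern } |
    Select-Object TimeCreated,
        @{ n = 'MatchingLine'; e = { ($_.Message -split "`n" | Where-Object { $_ -match $psPattern } | Select-Object -First 1).Trim() } } |
    Format-Table -AutoSize -Wrap

# B. Shells spawned by remote-execution services: PsExec (services.exe / psexesvc),
#    WMI (wmiprvse) and WinRM (wsmprovhost) are how a harvested credential is turned
#    into execution on the next host.
$remoteParents = 'wmiprvse\.exe$|psexesvc\.exe$|wsmprovhost\.exe$|services\.exe$'
$shells        = 'cmd\.exe$|powershell\.exe$|rundll32\.exe$|regsvr32\.exe$|mshta\.exe$'
Write-Host '== Shells with remote-execution parents (4688) =='
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time = $_.TimeCreated; User = $f.SubjectUserName
            Parent = $f.ParentProcessName; Process = $f.NewProcessName; CommandLine = $f.CommandLine
        }
    } |
    Where-Object { $_.Parent -match $remoteParents -and $_.Process -match $shells } |
    Format-Table -AutoSize -Wrap

# C. One human account logging on over the network (logon type 3) from many
#    different source addresses: the signature of a stolen credential being reused
#    across the estate. Most useful on a domain controller or a log collector.
Write-Host '== Accounts with network logons from more than 10 distinct sources (4624) =='
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = ConvertFrom-EventData $_
        [pscustomobject]@{ User = $f.TargetUserName; LogonType = $f.LogonType; Source = $f.IpAddress }
    } |
    Where-Object { $_.LogonType -eq '3' -and $_.User -notmatch '\$$' -and $_.Source -notin '-', '::1', '127.0.0.1' } |
    Group-Object User |
    ForEach-Object {
        [pscustomobject]@{ User = $_.Name; Logons = $_.Count; DistinctSources = @($_.Group.Source | Sort-Object -Unique).Count }
    } |
    Where-Object DistinctSources -gt 10 |
    Sort-Object DistinctSources -Descending |
    Format-Table -AutoSize
```

Run on a single workstation, sections A and B are the useful ones; section C only becomes meaningful where many hosts' logons land in one log, which is exactly why the log aggregation item precedes the playbook item. The same three queries translate directly into scheduled searches in whatever SIEM the aggregated logs end up in.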