Battling Ransomware: US Hospitals Under Fire

Author: Alex Holden, Founder and Chief Information Security Officer, Hold Security, LLC
Date Published: 5 November 2020

In 2010, I moved away from the financial industry into the world of cybersecurity consulting. My first consulting project was within the healthcare industry, and so was my next big project, and hundreds of projects in which I have participated since. I learned very quickly to appreciate the hard work that IT and cybersecurity groups do to support their healthcare organizations. I also learned about the different priorities and approaches unique to this industry.

Over the past decade, cybersecurity in hospitals has matured and become more refined. Yet, many cybersecurity professionals in healthcare specialize as excellent “firefighters” fixing security issues, working on rolling out secure solutions quickly and efficiently. While there is a solid strategy for many, there is often not enough time to go over the legacy components to ensure that all systems remain secure.

As a cybersecurity professional, I have also watched how ransomware has reshaped our society, causing real harm to organizations of all kinds. But medical facilities were always a more desired target in the eyes of the cyber criminals. First of all, there is a notion of urgency for a medical facility to restore its operations. Also, medical facilities did not have proper backups of everything. In addition to that, medical data was always considered to be more desirable on the dark web. Mass ransomware attacks like WannaCry and NotPetya rippled through health systems around the world and seriously affected many hospital networks.

Thus, over the past decade, I worked diligently helping hospitals and other medical organizations to stay secure and combat cyber attacks, especially ransomware, sometimes staying ahead of the adversary to stop attacks before ransomware was deployed, but unfortunately, more often, helping companies to recover from a successful attack.

When the COVID-19 pandemic hit, we leveraged our visibility into cybercriminal organizations to warn US law enforcement of infections within medical facilities targeted for ransomware. Some cyber criminals even paused in their attacks against medical facilities, declaring moratoriums against attacking these types of targets. These “heart of gold” intentions were short-lived.

The TrickBot botnet has existed since at least 2016 and was operated by Russian-speaking cybercriminals, most of whom call Russia their motherland. The botnet always had two directions: stealing data like credentials or financial information to further data abuse, and, much more menacing, installing ransomware from the Ryuk gang, which used TrickBot-infected devices as entry points into victims' networks. For the past few years, TrickBot, also known as Emotet, established itself as the largest network of infected computers. In late September, the US Cyber Command and then, separately, Microsoft, attempted to take down the botnet to safeguard the victims along with protecting the US election system. But the takedown was only partially successful. TrickBot lost most of its connectivity to victimized systems, leaving a large cache of stolen data and a bunch of livid cyber crooks.

This partial decimation possibly served as a trigger for the Ryuk gang to step up its criminal activities. Knowing that their easy crime streak is likely coming to an end, they continued their work in the de-centralized remains of the once-mighty botnet. In late October, the gang turned against healthcare. In private exchanges, they taunted hundreds of targets within hospitals, clinics, and other medical facilities. They promised panic and fear. While they were likely referring to a large number of medical locations rather than hundreds of healthcare systems, they have certainly delivered their malicious blow.

For well over a week, starting on 23 October, my days turned into hunting for names of the victim hospitals and indicators of compromise to enable us to notify them. Unfortunately, the Ryuk gang does not keep a list of its victims and uses de-centralized teams that don’t share their data. We were able to identify and alert a number of victims, but some of the others that we did not see were not so lucky. Now, looking at the aftermath and realizing that attacks are not over, what can we learn from this experience to make our healthcare networks more secure?

Most attacks start with a phishing campaign, and they are still effective! Detecting an average phishing email may not take a tech expert, but as our mailboxes are overwhelmed with messages, it is hard to keep your awareness constant. However, constant training, positive reinforcement, and shame-free acknowledgement of mistakes will make your staff significantly less vulnerable to phishing. And when it comes to technology, how do you know that your filters are catching all malicious messages? Try testing them by sending yourself “de-weaponized” phishing emails identified by others from an external test email account. Will they all make it through? 50%? 10%? Test it; maybe your email filters need to be tuned up.

Is your perimeter protected? Even if a malicious email makes it through, will your EDR solution and/or anti-virus catch it? We often forget to ensure that we have 100 percent protection on end-user devices, not only for the devices within your network but for all the devices used by your remote users to access your systems. Coverage is important, and your exclusion lists should also be minimal. In healthcare today, there are many very sensitive applications – do not let your application vendors dictate your anti-virus policies. Nearly all software should be anti-virus friendly; it should be reputable, and it should not behave like malware.

The next line of defense is your network. Cybercriminals have a wide range of tools to attack your network. Attack frameworks like Cobalt Strike and EmpireProject are preferred, especially by the Ryuk gang. Your defenses must be tuned to unauthorized movements within your network, privilege escalation, disabling of anti-virus and other security tools, commandeering system accounts, and more. Make sure that you are not only protecting yourself but also setting up alerts for any anomalies.

In order to deploy ransomware successfully, the bad guys will go for your backups. They will try to delete them, and you need to be able to detect and stop them. They will try to disrupt them, change their scope, or even change the backup encryption keys. You need to be able to detect any changes in your backup processes!
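
One way to implement the backup change detection described above, as an added example that is not part of the original article: it compares an approved baseline of backup jobs with the live configuration and reports deleted jobs, reduced scope, changed encryption keys, disabled jobs and shortened retention. The BackupJob structure, job names, paths and key fingerprints are hypothetical, constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupJob:
    paths: frozenset        # volumes/directories in scope
    key_fingerprint: str    # fingerprint of the backup encryption key
    enabled: bool
    retention_days: int


def diff_backup_config(baseline, current):
    """Compare approved backup jobs with the live ones; return sorted (job, finding) pairs."""
    findings = []
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings.append((name, "job deleted"))
            continue
        dropped = old.paths - new.paths
        if dropped:
            findings.append((name, "scope reduced: " + ", ".join(sorted(dropped))))
        if new.key_fingerprint != old.key_fingerprint:
            findings.append((name, "encryption key changed"))
        if old.enabled and not new.enabled:
            findings.append((name, "job disabled"))
        if new.retention_days < old.retention_days:
            findings.append((name, f"retention cut {old.retention_days}d -> {new.retention_days}d"))
    for name in current.keys() - baseline.keys():
        findings.append((name, "job not in approved baseline"))
    return sorted(findings)


# Constructed sample data (hypothetical job names, paths and fingerprints).
BASELINE = {
    "ehr-db": BackupJob(frozenset({"/data/ehr"}), "fp-aaaa", True, 90),
    "pacs-images": BackupJob(frozenset({"/data/pacs"}), "fp-bbbb", True, 30),
    "file-shares": BackupJob(frozenset({"/srv/shares", "/srv/home"}), "fp-cccc", True, 30),
}
CURRENT = {
    "ehr-db": BackupJob(frozenset({"/data/ehr"}), "fp-zzzz", True, 7),
    "file-shares": BackupJob(frozenset({"/srv/shares"}), "fp-cccc", False, 30),
}

if __name__ == "__main__":
    for job, finding in diff_backup_config(BASELINE, CURRENT):
        print(f"ALERT backup-config-drift job={job} {finding}")
```

Keep the baseline somewhere the backup administrators' own credentials cannot modify, so that an attacker who controls the backup console cannot also rewrite what counts as approved.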

The latest trend by some ransomware gangs is not even to go for the encryption part. If they are able to exfiltrate sensitive data, they can try to blackmail you while threatening data disclosures. Make sure that you are able to identify and swiftly stop any attempted data exfiltration. There are many additional targets for exploitation – from lack of MFA to weak passwords; system vulnerabilities to vulnerable third parties.

In today’s world, you need to be defending against ransomware as one of your top priorities in cybersecurity. And if you are tasked to defend a healthcare organization, you should be at your highest alert.

Here is a question for you: you conduct pen tests to test your system defenses; are you setting up tests to ensure that your red team will be detected in a ransomware test exercise?

As I leave you with more challenges than re-assurances, keep in mind that we are dealing with a cruel, ruthless enemy that will attack hospitals, elder care facilities, emergency rooms and medical research institutions. Our defenses should be effective, and our resolve should be unwavering in the face of our enemy.

Editor’s note: For insights on governance best practice in healthcare, download ISACA’s GEIT for Healthcare white paper.