What started out as a challenging fall for Healthcare became much worse yesterday when the FBI, together with DHS and HHS, held a conference call describing ransomware activity aimed at U.S. Healthcare organizations.

After targeting Universal Health Services last month—one of the largest healthcare providers in the U.S.—and causing them to shut down all of their IT systems, yesterday’s news made it clear that the FBI believes the group behind Ryuk ransomware is targeting a large number of US hospitals and healthcare providers.

Many organizations may feel protected against ransomware, using the latest signatures provided by antivirus software vendors and network security organizations to detect and possibly even block ransomware before it can cause damage and take systems off the network. But as ENISA has pointed out in its recent annual report—and what is also known to happen with Ryuk specifically—ransomware evolves, making detection harder and its evasion of defensive tools easier.

To make matters worse, determined bad actors have learned their lesson and are doing their homework before launching attacks. More specifically, they’re moving towards more personalized attack vectors that are similar to spear phishing and make use of an extensive reconnaissance phase before striking. This tactic increases the odds that ransomware will be successful in gaining a foothold on the network, causing maximum damage and increasing the gain for the attacker.

Preventing Ransomware Attacks

Agio has always recommended that organizations prepare for the worst. This includes training IT staff for handling a successful ransomware attack, as well as making all users aware that ransomware often gains a foothold through emails or by visiting websites that host malicious code. Now more than ever, the Healthcare and Public Sectors should emphasize these lessons to their employees.

In addition, the following recommendations still apply. The ability to detect and respond effectively to this ongoing threat requires a well-tuned platform that receives the right inputs from systems and solutions appropriately configured and tested to identify “known” patterns of activity, as well as deviations from established norms or baseline.

Agio uses—and recommends using—a Managed Detection and Response (MDR) platform or service that is updated by global threat intelligence feeds and alerts on the known and evolving Indicators of Compromise (IOC) of Ryuk and all other variants of known ransomware. In addition, we deploy and recommend a robust Endpoint Detection and Response (EDR) solution to address ransomware outbreaks. We do encounter organizations with incomplete deployments of this type of solution, and suggest they review their EDR policies and confirm that all devices are enabled and configured to prevent malicious threats.

Finally, we encourage our clients to review the alert published by FBI, HHS and DHS that lists various indicators of compromise associated with the group behind the Ryuk ransomware.

As previously indicated, it’s important to keep in mind that ransomware is evolving. Therefore, even keeping your security software up to date may not entirely protect against ransomware gaining a foothold on your network. Efforts directed at training your IT staff to respond to incidents and ensuring your technical defensive measures are in place to contain the incident and restore business operations in a timely manner may now pay off.

Common security mistakes when defending against ransomware

Based on our direct involvement in diagnosing, responding to, and investigating ransomware attacks on our clients over the past few months, we’ve put together the following tips and recommendations to inform your defense against this most troubling form of malware:

  • Inadequate or incomplete cleanup of third-party remote access utilities
  • Inadequate prioritization of system updates
  • No verification of backup & restoration of key systems
    • Do you have the ability to shift to—or work from—another Domain Controller or database now?
  • Incomplete operational picture
    • Are you ingesting the 8 critical log sources?
      • Network Intrusion Detection System
      • Endpoint Detection & Response
      • Web Content (Umbrella, Zscaler, PAN OS)
      • DHCP
      • Directory Services
      • Firewall
      • VPN/Remote Access systems
      • Office365
  • Are you routinely reviewing logs? (The SANS Institute Critical Log Review Checklist can help.)
  • No restricting and monitoring/alerting/reconciling of “living off the land” tools (psexec, winrm, etc.)
  • Lack of agility in isolating systems or segments
  • No process for ad hoc¬†password¬†resets

Reduce your exposure

The following guidelines are framed using the MITRE ATT&CK® adversarial objectives.

Initial Access:  

  • Prevent access via phishing emails by leveraging an email security platform with configurability options; consider geo-blocking on email platforms—not just firewalls
  • Conduct user awareness training

Execution: 

  • Enable Outlook Safelinks
  • Validate the functionality of the following for your endpoint detection and response solution (EDR):
    • Application control
    • Isolation agility (to prevent further infection)
    • Disabled use of macros and scripts
    • Enabled memory protection (to prevent an attacker from grabbing cleartext passwords)
    • Signature-based detection

Privilege Escalation: 

  • Implement identity and access management tooling
  • Provision Jumpboxes for conditional access
  • Implement and enforce Multi-factor authentication (MFA)

Defense Evasion: 

  • Validate access to the vssadmin executable to prevent actors from deleting shadow copies (these actions are monitored by a SIEM)
  • Create a detection rule for behavior analysis (part of log sources)
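
As an added illustration (not Agio's tooling or rule set), the sketch below shows one way the vssadmin detection rule above and the earlier "monitoring/alerting/reconciling" point for psexec and winrm could be expressed over process-creation telemetry. The event field names, host and account names, the binary list and the approved host/account allowlist are all assumptions constructed for the example.

```python
import ntpath

# Constructed process-creation events; field names are assumptions, not a vendor schema.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin list shadows"},
    {"host": "WS114", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "JUMP01", "user": "CORP\\adm_ops",
     "image": r"C:\Tools\PsExec64.exe", "cmd": r"PsExec64.exe \\FS01 ipconfig"},
    {"host": "WS114", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\psexec.exe", "cmd": r"psexec.exe \\DC01 ipconfig"},
    {"host": "WS207", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\winrs.exe", "cmd": "winrs -r:DB02 hostname"},
]

# Assumed inventory: remote-admin binaries to reconcile, and the only
# (host, account) pairs approved to run them (here, a single jumpbox).
REMOTE_ADMIN_TOOLS = {"psexec.exe", "psexec64.exe", "winrs.exe"}
APPROVED = {("JUMP01", "corp\\adm_ops")}


def classify(event, approved=APPROVED):
    """Return (severity, reason) for a suspicious event, or None."""
    exe = ntpath.basename(event["image"]).lower()
    tokens = event["cmd"].lower().split()
    # Shadow-copy deletion is alerted on regardless of who runs it.
    if exe == "vssadmin.exe" and "delete" in tokens and "shadows" in tokens:
        return ("high", "shadow-copy deletion")
    # Remote-admin tools are reconciled against the approved list.
    # Matching on file name misses renamed copies; pair this with hash or
    # original-file-name metadata where the telemetry provides it.
    if exe in REMOTE_ADMIN_TOOLS:
        if (event["host"].upper(), event["user"].lower()) not in approved:
            return ("medium", "unreconciled remote-admin tool")
    return None


def triage(events):
    """Return (host, user, severity, reason) for every event that fires."""
    alerts = []
    for event in events:
        verdict = classify(event)
        if verdict:
            alerts.append((event["host"], event["user"], *verdict))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```
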

Credential Access: 

  • Enable EDR Memory protection to prevent the dumping of passwords and data leakage via memory

Discovery: 

  • Turn off responses to the ping command; refuse connections for known scanners by user agents (Nmap, OpenVas, Nessus)

Lateral Movement: 

  • Disable SMB v1/2
  • Remove PSEXEC and tools that provide remote access from the network
  • Provision user accounts with the least amount of access
  • Separate usernames by purpose; limit access based on this purpose
  • Segment your environment

Exfiltration: 

  • Use DLP to detect removal of data from your network
  • Limit access and log access to sensitive data (i.e., crown jewels)

Impact: 

  • Implement an Intrusion Detection System (IDS) to detect command and control (C2) activity and other potentially malicious network activity
  • Leverage a platform for security optimization to validate you are able to detect, block, and contain ransomware

Looking Ahead

Ransomware attacks against the healthcare industry aren’t going away. The records housed by this vertical are too comprehensive and bring too much money to the dark net. Agio is aware of the continuous threat and therefore the services and programs in Agio’s portfolio are tailored to meet your organization’s individual cybersecurity needs. Give us a call, we’re here to help.