CASE STUDY
Ransomware, a type of malware that encrypts an organization’s data until a ransom is paid to the attackers, is increasingly targeting health care organizations. Many hospitals do not prioritize cybersecurity, which creates weaknesses that attackers can exploit. Moreover, attackers know that health care organizations depend on the availability of their data in order to perform exams and procedures. Wanting to avoid a debilitating business disruption, many hospitals that are hit by this kind of attack pay the ransom quickly in order to regain access to their data. For these reasons, hospitals are prime targets, and they are growing appropriately concerned about their risk from this attack. Recently, one of these hospitals approached us for assistance in preparing for a ransomware attack.
We performed a ransomware assessment to better ascertain the ability of the hospital’s systems and antivirus solutions to prevent, detect and respond to a ransomware attack. The ransomware assessment involved both a risk assessment and a simulated ransomware attack to provide actionable evidence concerning the organization’s exposure to ransomware. The assessment pinpointed areas of weakness within the client’s network, enabling us to recommend short-term tactical fixes as well as long-term strategic solutions for hardening systems and strengthening processes against the threat of ransomware.
The first phase of the assessment involved an interview-based risk assessment to determine in-place controls for identifying, preventing, detecting, responding to and recovering from ransomware. Our process is based on NIST 800-53 and the NIST Cybersecurity Framework, and it reviews logging, monitoring, backup procedures, administrative controls, and other controls and processes.
The second phase of the assessment involved testing the effectiveness of the hospital’s controls and processes, such as next generation firewalls, antivirus, intrusion detection systems (IDS), and security information and event management (SIEM) systems. We developed a custom set of four simulated ransomware attacks to test the hospital’s network. All four attacks were tested on four different systems to see whether target files could be encrypted.
The ransomware simulations are designed to behave like actual ransomware attacks, gaining access to the network and (temporarily) encrypting a set of files. We released this ransomware via four common delivery methods. Two methods used seemingly innocuous documents that were actually loaded with malicious macros and executable files. One method simulated the effects of a user accidentally downloading and running a malicious file. The final method leveraged the Windows calculator tool as a way to launch ransomware into the environment.
In almost every instance, we were able to encrypt the target file on the client’s system. None of the attack methods were detected by the SIEM, IPS or firewalls in place at the organization. One type of antivirus program stopped one of the ransomware attack vectors on one system. Overall, the hospital was rated to have an extreme potential for the loss of sensitive information, due to the success of the ransomware within the assessed environment.
The results from the ransomware assessment identified specific areas of weakness within the hospital’s network, including antivirus solutions that were not tuned to automatically block the malicious executable files that released some of the ransomware. Because the ransomware assessment mirrored real ransomware attacks, we were able to provide specific tactical recommendations for hardening systems, tuning security tools and improving user awareness of these attacks. With this client, we also recommended disabling macros throughout the environment and testing the effectiveness of backup procedures.
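The macro recommendation above can be audited and enforced through the Office policy registry keys that Group Policy populates; the script below is an added example written for this case study, not tooling from the assessment, and it assumes Office 2016 or later (version key `16.0`), with the policy applied per user via `HKCU`.

```powershell
# Added example: audit the current Office macro policy (weak vs. hardened) and,
# when explicitly invoked, set it to "disable all macros without notification".
# VBAWarnings meanings: 1 = enable all macros (weak), 2 = disable with notification
# (Office default), 3 = disable except digitally signed, 4 = disable all (hardened).
# Assumption: Office 2016/2019/365 uses the "16.0" version key; adjust for other builds.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-MacroPolicy {
    foreach ($app in $Apps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $warn  = (Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $block = (Get-ItemProperty -Path $path -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = if ($null -eq $warn) { 'not set (user-controlled)' } else { $warn }
            BlockInternetMacros = if ($block -eq 1) { 'enabled' } else { 'disabled' }
            Status              = if ($warn -eq 4) { 'hardened' } else { 'WEAK' }
        }
    }
}

function Set-MacroPolicy {
    foreach ($app in $Apps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # 4 = disable all macros without notification; a policy value cannot be overridden in the Trust Center.
        Set-ItemProperty -Path $path -Name VBAWarnings -Value 4 -Type DWord
        # Additionally block macros in files carrying the Mark-of-the-Web (downloaded or e-mailed documents).
        Set-ItemProperty -Path $path -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
    }
}

# Audit first; enforce only after confirming that no clinical or business workflow depends on macros.
Get-MacroPolicy | Format-Table -AutoSize
# Set-MacroPolicy; Get-MacroPolicy | Format-Table -AutoSize
```

In an enterprise the same values would be pushed by a Group Policy Object rather than set locally, but the audit function is useful for spot-checking that the policy actually landed on endpoints.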
From a long-term, strategic perspective, we recommended investing in antivirus protections that are built specifically to counteract ransomware, as well as programs that can monitor and intercept malicious shared files (a common ransomware transmission method). Considering that ransomware attacks against hospitals are on the rise, these solutions will likely prove wise investments. We also recommended segmenting the network to prevent the propagation of ransomware beyond the environment where it first lands. When implemented properly, segmentation is one of the most effective ways to secure infrastructure because it adds an additional layer of protection to the network by limiting access to resources.
There are lessons to be learned from this hospital’s simulated ransomware test. Since ransomware is becoming stealthier and more invasive, most organizations likely have vulnerabilities that ransomware can exploit. The best way to identify these vulnerabilities is to conduct a trial run with real—but controlled—ransomware. That way, the organization can prioritize the changes that will provide the most protection.
This hospital’s experience also serves as a good reminder for all organizations to implement sound security practices across the enterprise. For example, a good backup solution is perhaps the best protection against a ransomware attack. In addition to performing regular backups of all files, it is essential to develop and test a full procedure for restoring from backups so that the process can go smoothly if it is ever needed. In addition, since ransomware is often spread through user error or ignorance, it is important to train all users to spot and report suspicious files and activity. The threat of ransomware also reminds organizations of the importance of segmentation, to ensure that an issue that affects one area of the network does not necessarily affect another part of the network.
Though all organizations face potential risk from ransomware, hospitals in particular are prime targets because they are more likely to pay the ransom quickly to avoid lost revenue, the inability to treat patients and potential lawsuits. A ransomware assessment can help organizations evaluate their risk and test their procedures for preventing and responding to attacks. The results of this kind of assessment also help security and IT personnel advocate for better tools and increased budgets. Instead of discussing ransomware hypothetically, our ransomware assessment provides concrete evidence of the risk an organization faces from ransomware.