Ransomware – How to Protect Yourself

How well are you really protected? Over the past year a lot of healthcare providers have been asking themselves this question because of the news stories on breaches, hackers, and cyber attacks of hospitals and health providers across the country. While these stories many times lead with the huge penalties that the organizations are hit with, there are also many other consequences that include the direct loss of revenue and the loss of clients. And to add to the concern, a new security attack has started to become much more common, which has been termed “ransomware.” Many people think that it’s not a question if you’ll be attacked with ransomware, but when you’ll be attacked. This case study is intended to provide you insight into two real stories of ransomware attacks, and will help to illustrate the security and protection needed to ensure that you aren’t caught at two in the morning trying to find a Bitcoin ATM to get access back to your business information.

What is Ransomware?

Ransomware is an evolution of an old “scareware” tactic that was prevalent in the early 2000s. Scareware was where an attacker would post a notification on your computer that claimed that a virus or malware would be released onto your system unless it was “resolved” with an easy one time payment. Due to a lack of education and awareness, scareware spread rapidly and cyber criminals got their payday. But once people became aware that these notifications had no real teeth the issue began to wane. Over time, and bolstered by the promise of more money, criminals began to get more sophisticated with their attacks. Today, they’ve evolved ransomware into an encryption based attack that targets files with specific extensions (i.e.- pdf, .docx or .xlsx) and encrypts them, preventing any access by the owners of the data and files. And unless you have the right protection in place, the only way to unlock and access your files is to pay the attackers whatever amount of money they’ve requested.

Case Study 1 – Brought down by a click

On a Monday morning in June of 2016, an executive leader of a healthcare provider in our area went to a compromised website that infected his computer with a virus. At that point, all of the drives that were attached to that user’s laptop were encrypted. This included all local and shared network drives storing company data to which this employee had read/write access, some of which contained Electronic Protected Health Information (ePHI). Along with the encryption, the virus placed a ransom note into each directory with instructions on how to decrypt the files and purchase the decryption key with a Bitcoin payment to the attacker.

We were quickly contacted to help, but once we identified a potential solution we found out that the provider had allowed their backups to lapse. At that point, there was only one option. Pay the ransom and hope that the key would be provided. Our team worked quickly to find a brick and mortar store with a Bitcoin ATM (which was 45 minutes away), and then went through the process to get the key from the attacker. Luckily, the attacker did provide the key after the payment was received, but even with this there was an enormous amount of work needed to decrypt all of the files and images to restore the system back to a working order. So, days after the attack began, the provider was finally able to access their information again.

Case Study 2 – Getting it right

On a Friday afternoon in July, an employee of a healthcare provider that we were supporting with our IT services clicked on a seemingly official looking email attachment that launched a ransomware attack. Even though this provider had up-to-date antivirus protection, this specific virus was so new that it hadn’t been flagged by the security software. At this point, the story goes down the same path as the first Case Study. All of the employee’s local and shared network drives were encrypted, and everyone lost access to their information. Within an hour, we were called and responded to determine a solution.

This is where the stories diverge. Our team responded quickly and was able to identify the issue and limit the spread of the virus. As importantly, though, we had worked with this organization previously to put protection in place to mitigate such attacks, which included a fully operational backup system and limited staff access to servers, applications, and storage that they didn’t need access to. Because of these protections, a cleanup of the infected files and backup restoration was started within two hours of the infection, and within 24 hours it was as if it had never happened.

How to protect yourself

1. People and Process. Take the time to educate staff about the dangers of opening unsolicited email attachments and what to watch for, even if they know the sender. Further, advise staff to contact IT immediately if they encounter a file that cannot be opened or if they receive a suspicious message or pop-up.
2. Backup your data and protect it. An obvious first step to mitigating risk is having frequent backups of your data. A less obvious best practice is keeping this data, and access to it, separate from the rest of your network. Additionally, make sure your backup solution offers at least a 30 day recovery period or you run the risk of it backing up the damaged files with no good version to restore from.
3. Up-to-date Anti-Virus (AV) on all endpoints and servers. No AV product is fool-proof, and new virus variants can go undetected by even the most sophisticated technology. That said, some products are more effective at stopping the spread of such an attack, and all products require up-to-date licensing and access to updates. Ensure every PC and Server on which your data resides are protected and updated. Having a centrally managed AV product will make monitoring and maintaining this protection much simpler than stand-alone installs.
4. Up-to-date Email Anti-Virus. Don’t assume your endpoint or server anti-virus is protection enough and don’t make the mistake thinking it also protects your email communications. It does not. Ensure you have a dedicated email filtering solution or service protecting your inbox from as many attacks as possible.
5. Limit individual user access to data following the principle of least privilege (POLP). In short, a user should be able to access only the information and resources that are necessary for their function and no more. Following this principle limits the damage resulting from an accident, error, or unauthorized use (such as a virus). Additionally, users who require significant access (such as IT admins) should follow the separation of privilege principle. Administrative functions, to the degree possible, should be separate from ordinary system access. In short, Administrators should have a normal user account following the principle of least privilege for daily use and another second administrative account that is only used when necessary.