How well are you really protected? Over the past year a lot of healthcare providers have been asking themselves this question because of the news stories on breaches, hackers, and cyber attacks on hospitals and health providers across the country. While these stories often lead with the huge penalties the organizations are hit with, there are many other consequences, including the direct loss of revenue and the loss of clients. And to add to the concern, a new kind of security attack has become much more common, which has been termed “ransomware.” Many people think it’s not a question of if you’ll be attacked with ransomware, but when. This case study is intended to give you insight into two real stories of ransomware attacks, and to illustrate the security and protection needed to ensure that you aren’t caught at two in the morning trying to find a Bitcoin ATM to get access back to your business information.
Ransomware is an evolution of an old “scareware” tactic that was prevalent in the early 2000s. Scareware was where an attacker would post a notification on your computer claiming that a virus or malware would be released onto your system unless it was “resolved” with an easy one-time payment. Due to a lack of education and awareness, scareware spread rapidly and cyber criminals got their payday. But once people became aware that these notifications had no real teeth, the issue began to wane. Over time, and bolstered by the promise of more money, criminals made their attacks more sophisticated. Today, ransomware has evolved into an encryption-based attack that targets files with specific extensions (e.g. .pdf, .docx or .xlsx) and encrypts them, preventing any access by the owners of the data and files. And unless you have the right protection in place, the only way to unlock and access your files is to pay the attackers whatever amount of money they’ve requested.
On a Monday morning in June of 2016, an executive leader of a healthcare provider in our area went to a compromised website that infected his computer with a virus. At that point, all of the drives that were attached to that user’s laptop were encrypted. This included all local and shared network drives storing company data to which this employee had read/write access, some of which contained Electronic Protected Health Information (ePHI). Along with the encryption, the virus placed a ransom note into each directory with instructions on how to decrypt the files and purchase the decryption key with a Bitcoin payment to the attacker.
We were quickly contacted to help, but once we identified a potential solution we found out that the provider had allowed their backups to lapse. At that point, there was only one option: pay the ransom and hope that the key would be provided. Our team worked quickly to find a brick-and-mortar store with a Bitcoin ATM (which was 45 minutes away), and then went through the process to get the key from the attacker. Luckily, the attacker did provide the key after the payment was received, but even so there was an enormous amount of work needed to decrypt all of the files and images and restore the system to working order. So, days after the attack began, the provider was finally able to access their information again.
On a Friday afternoon in July, an employee of a healthcare provider that we were supporting with our IT services clicked on a seemingly official-looking email attachment that launched a ransomware attack. Even though this provider had up-to-date antivirus protection, this specific virus was so new that it hadn’t yet been flagged by the security software. At this point, the story goes down the same path as the first case study: all of the employee’s local and shared network drives were encrypted, and everyone lost access to their information. Within an hour, we were called and responded to determine a solution.
This is where the stories diverge. Our team responded quickly and was able to identify the issue and limit the spread of the virus. Just as importantly, we had worked with this organization previously to put protection in place to mitigate such attacks, including a fully operational backup system and the removal of staff access to servers, applications, and storage they didn’t need. Because of these protections, a cleanup of the infected files and a backup restoration were started within two hours of the infection, and within 24 hours it was as if it had never happened.
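Both stories hinge on the same on-disk fingerprint: documents with targeted extensions replaced by encrypted copies, and a ransom note dropped into each directory. The script below is an added example, not code from the post or from the provider’s IT team, showing a simple defender-side check for that fingerprint on a directory snapshot. The entropy threshold, the ransom-note keywords, and the file names and contents are all constructed assumptions for the demonstration; the target extensions are the ones the post names.

```python
"""Flag a directory snapshot that shows the ransomware pattern described in the
case studies: targeted document types replaced by high-entropy (encrypted) files,
plus a small text note that mentions decryption or payment.
Example code, not part of the original post; thresholds and samples are assumed."""
import math
import random
from collections import Counter

# Document extensions the post names as ransomware targets.
TARGET_EXTENSIONS = {".pdf", ".docx", ".xlsx"}
# Words a ransom note typically contains (assumed heuristic, not from the post).
RANSOM_NOTE_HINTS = ("decrypt", "bitcoin", "ransom")
# Bits per byte above which a file is treated as encrypted or compressed (assumed).
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def targets_document(name: str) -> bool:
    """True for 'report.pdf' and for 'report.pdf.locked' (original extension kept inside)."""
    segments = name.lower().split(".")[1:]
    return any("." + seg in TARGET_EXTENSIONS for seg in segments)


def is_ransom_note(name: str, data: bytes) -> bool:
    """Small, readable .txt file that uses at least two of the ransom-note hint words."""
    if not name.lower().endswith(".txt") or len(data) > 8192 or looks_encrypted(data):
        return False
    try:
        text = data.decode("utf-8").lower()
    except UnicodeDecodeError:
        return False
    return sum(hint in text for hint in RANSOM_NOTE_HINTS) >= 2


def assess_directory(files: dict) -> dict:
    """files maps file name -> content bytes. Returns findings and a verdict."""
    docs = [n for n in files if targets_document(n)]
    encrypted = [n for n in docs if looks_encrypted(files[n])]
    notes = [n for n, d in files.items() if is_ransom_note(n, d)]
    ratio = len(encrypted) / len(docs) if docs else 0.0
    # Either a ransom note or half of the documents turned to ciphertext is enough to alert.
    verdict = "likely ransomware" if notes or ratio >= 0.5 else "clean"
    return {
        "encrypted": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "encrypted_ratio": ratio,
        "verdict": verdict,
    }


def sample_infected_directory() -> dict:
    """Constructed snapshot: three encrypted documents plus a ransom note."""
    rng = random.Random(2016)  # seeded so the sample is reproducible offline
    ciphertext = lambda: bytes(rng.randrange(256) for _ in range(4096))
    return {
        "patient_report.pdf.locked": ciphertext(),
        "billing.xlsx.locked": ciphertext(),
        "intake_form.docx.locked": ciphertext(),
        "HOW_TO_DECRYPT.txt": b"All your files have been encrypted. To decrypt them, pay 2 Bitcoin.",
        "notes.txt": b"Reminder: call the vendor Monday.",
    }


def sample_clean_directory() -> dict:
    """Constructed snapshot: ordinary low-entropy documents, no note."""
    return {
        "patient_report.pdf": b"%PDF-1.4\n" + b"Plain text content of a report. " * 100,
        "billing.xlsx": b"PK\x03\x04" + b"worksheet data, repeated " * 100,
        "notes.txt": b"Reminder: call the vendor Monday.",
    }


if __name__ == "__main__":
    for label, snapshot in (("infected", sample_infected_directory()),
                            ("clean", sample_clean_directory())):
        print(label, assess_directory(snapshot))
```

A check like this is a complement to, not a substitute for, the controls the second story relied on: an entropy heuristic can alert within minutes of the first encrypted write, but what actually ended that incident in 24 hours was a tested backup and a user whose account could not reach every share.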