Ransomware is malware that phones home to the criminal’s server to retrieve an encryption key and then proceeds to encrypt the user’s hard drive, along with anything the user has access to on the network. The main targets of ransomware are network file shares, which are available to many users on the network; ransomware takes advantage of file sharing to encrypt as many files as possible. The motive of ransomware is to make you pay a ransom for a decryption key so that you can decrypt the files. If you don’t pay the ransom, ransomware promises that you will forever lose access to important departmental and organizational files, and even federally regulated data like Protected Health Information (PHI).
The biggest attack vector for ransomware is email phishing. The attacker sends out thousands of phishing emails, hoping the recipients will click on a link or open an attachment. A connection is made to the attacker’s server, and the ransomware is executed, encrypting data.
The ransomware starts encrypting the user’s device and reaches out to everything the user has access to. Consequently, this security event turns into a major incident, with data on the network becoming unavailable. This type of event is so critical because most organizations rely on that data to operate.
In the recent past, we have seen two major targets of ransomware: healthcare and government municipalities. Ransomware works in these organizations because they usually don’t have the budget or human resources to build in the protections that mitigate it. These organizations provide critical services, and when those services become unavailable due to ransomware, a critical situation ensues. In fact, for both types of organizations, people can die due to the absence of services such as healthcare imaging, 911 dispatch, etc. Therefore, if the organization cannot quickly mitigate the ransomware, it has no choice but to pay the ransom and hope it receives the decryption key. The problem with paying the ransom is that the attackers now see the organization as an easy mark, which ensures that they will continue to attack it.
In my organization, we have PACS. PACS is the system that takes in all the images from the biomedical devices (X-rays, MRIs, CAT/CT scans, etc.) and presents them to a viewing station, where the doctor can review the scans and see any potential issues. Imaging is the most critical aspect of healthcare: if a doctor cannot image a patient and view that image, the doctor cannot possibly diagnose or help that patient. The result is that the hospital must go on Divert, which means the hospital cannot take any new patients. In financial terms, a hospital can lose about $8,000/minute, or about $80 Million per week. In patient terms, this means a patient with a critical healthcare issue must be diverted to a hospital farther away. The risk is that patients may suffer more significant health issues, including death.
Why would we allow any unnecessary traffic into our PACS network? The answer is convenience. It is easy for PACS administrators or doctors to access the PACS network. If we implement restrictions, the organization must spend additional money and resource time to isolate traffic to only what is necessary. However, the alternative is to have PACS encrypted by ransomware; using the most conservative estimates, the organization has to consider being on Divert for 2-4 weeks, at a cost of $160 - $320 Million.
The way forward is that we must have the relationships, trust, and expertise to influence change: to be able to put roadblocks on multi-million-dollar initiatives or retrofit existing infrastructures. That means earning the trust of the organization and being able to translate this risk into something our executives and Board understand.
Once we have organizational support, we must undertake several critical actions. First, we must stop servers from phoning home, because ransomware must phone home to get its encryption key. The control is outbound (egress) filtering: by default it allows only the Internet addresses that are required and blocks everything else. Ransomware becomes inert if it cannot phone home.
While TCP/IP is a very technical concept, we must engage or hire staff who understand the technical concepts, so that we can determine how ransomware works. Ransomware spreads by file share browsing, which uses the Server Message Block (SMB) protocol over TCP port 445. Do you allow all users to use SMB to browse into the PACS network? If so, any user infected with ransomware will eventually encrypt your PACS images. The answer is to isolate the PACS network so that users cannot reach PACS over SMB on port 445. Users must be on an isolated network and device to access these file shares and images. This solution seems easy; however, retrofitting isolation onto an existing network/application infrastructure can be risky and difficult.
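To make the two controls above concrete, here is an added example (not from the original post, and not from any real PACS deployment) that models a firewall policy as a first-match, default-deny rule list in Python and evaluates a few constructed flows against two policies: the convenient flat network, and the isolated one where only dedicated reading workstations reach PACS over SMB/445 and PACS egress is an explicit allow-list. The VLAN ranges, the vendor update host 203.0.113.10 and the flow list are all invented for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example networks (RFC 1918 and documentation ranges); assumptions, not a real layout.
USER_VLAN = ipaddress.ip_network("10.10.0.0/16")         # general staff workstations
IMAGING_VLAN = ipaddress.ip_network("10.20.0.0/24")      # isolated reading workstations
PACS_VLAN = ipaddress.ip_network("10.30.0.0/24")         # PACS servers and image file shares
VENDOR_UPDATE = ipaddress.ip_network("203.0.113.10/32")  # hypothetical vendor update host
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


def evaluate(rules, src, dst, proto, dport):
    """First-match evaluation. A flow that matches no rule is denied (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"


# Weak policy: the convenient flat network. Every user reaches the PACS shares,
# and the PACS servers can phone out to any address on the Internet.
PERMISSIVE = [
    Rule(ANY, ANY, "any", None, "allow"),
]

# Isolated policy: only the reading workstations reach PACS over SMB, the user VLAN
# is explicitly cut off, and PACS egress is limited to the one host it actually needs.
ISOLATED = [
    Rule(IMAGING_VLAN, PACS_VLAN, "tcp", 445, "allow"),
    Rule(USER_VLAN, PACS_VLAN, "any", None, "deny"),
    Rule(PACS_VLAN, VENDOR_UPDATE, "tcp", 443, "allow"),
    # No catch-all allow: everything else, including PACS -> unknown Internet hosts,
    # falls through to the default deny, so a phone-home attempt goes nowhere.
]

# Constructed sample flows: (source IP, destination IP, protocol, destination port)
SAMPLE_FLOWS = {
    "user -> PACS share": ("10.10.5.23", "10.30.0.10", "tcp", 445),
    "reading ws -> PACS share": ("10.20.0.7", "10.30.0.10", "tcp", 445),
    "PACS -> vendor update": ("10.30.0.10", "203.0.113.10", "tcp", 443),
    "PACS -> unknown host": ("10.30.0.10", "198.51.100.77", "tcp", 443),
}


def compare_policies(flows=SAMPLE_FLOWS):
    """Return, per flow, the verdict under the permissive and the isolated policy."""
    return {
        name: {"permissive": evaluate(PERMISSIVE, *flow),
               "isolated": evaluate(ISOLATED, *flow)}
        for name, flow in flows.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:28s} permissive={verdicts['permissive']:5s} isolated={verdicts['isolated']}")
```

The point of the comparison is the last two flows: the reading workstation still gets its images and the PACS servers still reach their update host, while an infected user workstation cannot browse the image shares and a PACS server that has been compromised cannot retrieve a key from an unknown address. On a real firewall the same shape applies: explicit allows for the flows the business needs, then a deny-all.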
Besides proper isolation, the most important action to mitigate ransomware is data backup. If you cannot access the data, and you cannot decrypt it, you must be able to restore the data from backup. This action requires a lot of pre-planning and some cost in terms of budget and resources. If you cannot restore the encrypted data, you limit your choices greatly. If you properly back up your data and protect those backups from ransomware, you should be able to restore the impacted data without having to pay the ransom. However, as previously mentioned, you must understand how much time it will take to restore the data and use that in the equation of overall impact to the organization.
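A backup you have never restored is a hope, not a plan. The following is an added example (not from the original post or any backup product) of a restore drill in Python: it copies a directory tree to a backup location, records a SHA-256 manifest of every file at backup time, restores the copy elsewhere, and then reports which files came back intact, changed, missing, or unexpected. The directory layout and file contents used in the `__main__` block are constructed for the example.

```python
import hashlib
import json
import shutil
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large image files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX separators) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_backup(src: Path, dst: Path) -> dict:
    """Copy src into dst and store the manifest next to the copied files."""
    src, dst = Path(src), Path(dst)
    shutil.copytree(src, dst, dirs_exist_ok=True)
    manifest = build_manifest(src)
    (dst / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def load_manifest(backup_dir: Path) -> dict:
    return json.loads((Path(backup_dir) / MANIFEST_NAME).read_text())


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time."""
    actual = build_manifest(Path(restored_root))
    return {
        "ok": sorted(p for p, d in manifest.items() if actual.get(p) == d),
        "changed": sorted(p for p, d in manifest.items() if p in actual and actual[p] != d),
        "missing": sorted(p for p in manifest if p not in actual),
        "unexpected": sorted(p for p in actual if p not in manifest),
    }


def restore_drill(src: Path, backup_dir: Path, restore_dir: Path) -> dict:
    """One end-to-end drill: back up, restore from the backup, verify the restore."""
    manifest = write_backup(src, backup_dir)
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    # manifest.json is skipped by build_manifest, so it never shows up as "unexpected".
    return verify_restore(manifest, restore_dir)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "studies").mkdir(parents=True)
        # Constructed stand-ins for image data; not real study files.
        (live / "studies" / "study1.dat").write_bytes(b"constructed image bytes")
        (live / "worklist.txt").write_bytes(b"constructed worklist")
        print(restore_drill(live, tmp / "backup", tmp / "restore"))
```

Two things matter beyond the script itself. First, the manifest must live with a copy the ransomware cannot reach (offline, or on storage that does not accept writes from the production network), otherwise an attacker who encrypts the files can also rewrite the manifest to match. Second, time the drill on a realistic data volume: the elapsed restore time is the number to plug into the impact equation described above, and it is usually larger than anyone expects.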
Often the question arises – should I just pay the ransom? This question is very valid; however, it misses some important points. The ransom cost is often more than it would have cost to put in the proper security controls to protect against ransomware. Additionally, having the right backup plan will, in most cases, alleviate the need to pay the ransom. Finally, even if you pay the ransom, you are not guaranteed that the attacker will honor the arrangement. Instead, they will likely see your organization as an easy mark and will continue to attack you.
In conclusion, ransomware is the biggest threat many organizations face today. If everyone properly isolated their networks and had great backup/restore plans, ransomware would not be a big deal. It is the absence of these common-sense controls that allows ransomware to be such a threat.
We must take ransomware seriously and address it properly. It can be an existential threat to your organization.