* HealthcareITNews features expertise of Clearwater's Rich Curtiss
Ransomware 2.0: It's coming, and healthcare needs to get prepared
Next wave of attacks will likely target Internet of Things and medical devices, which remain tempting targets for their lack of sufficient protections, experts say.
Some cybersecurity experts say healthcare has only dealt with “Ransomware 1.0” to date, which begs the question: How much worse will “Ransomware 2.0” be for a sector already under siege?
“The latest variation on a theme regarding this threat is what can appropriately be called a ransomworm,” said Rich Curtiss, managing consultant at Clearwater Compliance, a former hospital CIO, and liaison for cybersecurity vulnerability projects with the National Cybersecurity Center of Excellence. “This is a combination of two types of malware, ransomware and a worm. While we have become all too familiar with ransomware in the healthcare sector, we have ignored other forms of malware.”
The use of a worm coupled with a ransomware payload is a new exploit, but the techniques are not. A worm allows the ransomware payload to move laterally or across internal and external networks, exploiting unpatched vulnerabilities.
“A question on everyone’s mind is what is the next malware threat,” Curtiss said. “The malware ecosystem has changed dramatically from the days of zero-day exploits with newly crafted packages to modification of existing malware packages to quickly exploit identified vulnerabilities. Malware-as-a-service is quickly gaining traction on the Dark Web. This makes ransomware a commodity for any malicious user wanting to achieve financial gain with low risk and limited cost.”
One place Ransomware 2.0 is sure to strike is the Internet of Things and medical devices. These devices remain tempting targets for their lack of sufficient protections.
“Healthcare security practitioners do not have authority or control over the medical or biomedical equipment that usually is vendor-managed,” Curtiss said. “Any new malware strains will impact the medical devices due to a protracted software update process that leaves vulnerabilities unpatched or uncorrected for extended periods of time.”
So far, ransomware has been relatively unsophisticated. For the most part, it has been developed and distributed looking for targets of opportunity. Knowing that a great number of organizations have not patched for a specific vulnerability, like how EternalBlue was leveraged for WannaCry, attackers can use a “spray and pray” method: Build ransomware to infect the greatest possible number of targets and hope that a good portion of victims pay the ransom.
“The main problem with this model is competition and trust,” said Kevin Magee, the global security strategist at Gigamon who previously held senior positions at Palo Alto Networks, Oracle and Hewlett-Packard. “There are simply too many bad actors out there plying their illegal trade and many users have lost any hope that if they are infected, paying a ransom will restore their systems. This means that the mass market days of ransomware are likely coming to an end.”
The industry is seeing the same approach to phishing today, where these types of mass email attacks are now being highly targeted to specific organizations and even individuals. This requires more up-front reconnaissance work and a greater understanding of the systems involved and, more important, of what it will take to make an organization pay and what level of payment will be possible.
“The next evolution in ransomware likely will be similar,” Magee said. “Cybercriminals will choose their marks much more selectively, invest much more time in planning and customizing the attack, and will both require and expect greater rewards for their efforts.”
In many ways, the industry is beginning to see ransomware criminal gangs operate more like sophisticated legitimate businesses with concerns regarding branding, customer service, A/B testing and a shift from mass marketing to focused campaigns, he added.
“While the script kiddies will continue to be a nuisance, the real future threats to organizations lie in these outfits that are becoming more professional in their approach,” he said.
So the question becomes: What can healthcare CIOs and CISOs do today to prepare for the Ransomware 2.0 attacks of tomorrow? Cybersecurity experts offer a variety of thoughts that can boost preparedness.
“It is critical that operating systems and applications are patched or corrected in a timely manner,” said Curtiss of Clearwater Compliance. “Medical devices need to be better controlled for malware threat and software vulnerabilities. Medical devices are managed by the biomedical team, which limits an effective security response to a cyber-attack.”
There is an argument to be made for bringing the biomedical department under the authority of the CIO to ensure appropriate security incident response and compensating controls are effected for devices at risk of exploitation, Curtiss contended. An alternative approach is a tight coupling of information technology, information security and biomedical personnel to ensure medical devices are part of any incident response plan, he added.
“And it is and always has been about blocking and tackling,” he said. “It is critical that healthcare organizations apply fundamental information security principles to protect their patients. These foundational practices can’t be overemphasized.”
Magee of Gigamon agreed that the basics of cybersecurity often are overlooked and that to prepare for Ransomware 2.0 healthcare organizations need to really brush up on the fundamentals.
“The benefits of good hygiene practices are clear in a healthcare setting,” Magee said. “Simple measures such as vigilance in adhering to handwashing can drastically decrease the chances of contamination, the spread of disease and hospital acquired infection rates. A similar simple approach to security can yield comparable results.”
Patching, privileged credential protections, network segmentation, asset isolation and perimeter protections all are examples of good organizational security hygiene, he explained. These steps help ensure that attackers cannot break in and infect the organization, or at least make it much more difficult for them to succeed in doing so, he added.
“In this way, the organization can protect itself from being a target of opportunity and it forces the attacker to take additional or unnatural steps in order to gain access and spread the threat within the organization,” he said.
Healthcare organizations also should have a well-vetted cybersecurity plan in place before Ransomware 2.0 attacks hit. These plans should be thoroughly tested so that any holes can be identified and rectified.
“This should be a natural response for healthcare organizations who must plan for and prepare for all sorts of unknown threats such as pandemics, major disasters or accidents, and even other physical security issues such as patients who may become violent,” Magee said. “Engaging early with law enforcement, having an organization-wide response plan and team in place, and conducting table-top exercises to test the plan from the boardroom to the operating room to the server room will ensure overall readiness to deal with a widespread attack should one occur.”