Ransomware Threats And Mitigation Plan For Healthcare

Background

Discuss about the Ransomware Threats and Mitigation Plan for Healthcare.

The report is aimed to present the scenario of ransomware attack over several ranges of sectors such as healthcare, government, and telecommunication. The ransomware attack is identified as “WannaCry” and it gradually spread over 150 countries and within 300,000 systems. The most affected countries are recognized to be China and Russia and the reason is identified to usage of legacy software and significant impacts especially for UK National Health Service (Shackelford, 2017). The spread of ransomware clogged the working and activity of these sectors even after launching the attack in the first place. As per the major findings, the “Kill Switch” did the trick of slowing the activities of the affected sectors.

“WannaCry” ransomware attack is one kind of ransomware that extorts as a malware and it can encrypt files, disks, and it can lock computers. The malware makes demands of approximate value of $300 to $600 as payment over Bitcoin accounts within three days in place of decrypting the stolen files. “WannaCry” spreads throughout SMB (Server Message Block) protocol that operates over 445 and 139 ports (Mohurle & Patil, 2017). Windows operating system typically uses it for make communication between file systems inside a network grid. When the ransomware is successfully installed in a system; this ransomware first scans through the entire system to find out vulnerabilities exist. “WannaCry” ransomware first checks about backdoors inside the system such as DoublePulsar duly exist in the affected systems (Collier, 2017). DoublePulsar and EternalBlue, both can exploit SMB vulnerability and this information was disclosed from Shadows hacking group in April. How the attack is conducted and how it hampers the system activities are mentioned in following steps:

1. Attackers utilize yet-to-be-confirmed attack vector initially
2. “WannaCry” encrypts all files in victim’s system with using AES-128 cipher. The ransomware deletes the encrypted files’ shadow copies and then it shows a ransom note in front of user requesting $300 or $600 in Bitcoin.
3. exe is utilized from wannacrydecryptor.exe; and this initiates between tor node connections in order to connect with the attacker (Gordon, Fairhall & Landman, 2017). This way, the tor.exe makes the attack completely difficult for tracking the attacker and it is considered as impossible to track down the attacker.
4. For infected system, the IP address is checked and then the IP addresses over similar subnet are scanned so that additional insecure and vulnerable systems can be connected through port 445 over TCP protocol (Batcheller et al., 2017).
5. Once, one system is connected successfully, the containing data exploit payload is transferred.

Global impact of “WannaCry” ransomware is high and it stated that on an overall measure; over 226,800 ransomware occurred as of May 2017. On an estimate, approximately 30-40 publicly known companies were under likely category that faced major impact from ransomware attack (Martin, Kinross & Hankin, 2017). There were instances of Russian Interior Ministry, Telefonica (Spain’s largest telecommunication organization), and FedEx. UK National Health Service (NHS) was hit with ransomware along with 16 out of 47 NHS trusts were affected. Once, the service recovered from the ransomware attack; routine surgery checkup and some doctor appointments were cancelled (Martin et al., 2017). There exist some major reports that China and more than 40,000 organizations faced and were affected and this attack involved 60 academic institutions as well. Russia appeared to be most significant victim of this “WannaCry” ransomware attack. Kaspersky Labs investigated the case and identified that Russian organizations were running large proportion of dated and un-patched systems (Floridi, 2017). “WannaCry” ransomware was designed for conducting an international attack over several countries and multiple systems; this ransomware can demand the ransom amount in 28 different languages.

Risk and Security concerns of Ransomware

Initially the vector was chosen for “WannaCry” ransomware was reported to be phishing emails and no sufficient data existed to prove this information. However, some other sources claimed about other vectors such as public-accessible and vulnerable SMB (Server Message Block) for spreading malware in form of worm-life (Wirth, 2017). The infection took place and the “WannaCry” ransomware beacons out “Kill Switch” URL for determining whether the malware is in Sandbox environment. In case, the URL is irresponsive, then malware starts to encrypt victim system files with utilizing AES-128 cipher. The encrypted files are appended with file extension of .wncry along with other files (Clarke & Youngstein, 2017). In spite of other ransomware attacks, the “WannaCry” ransomware carries out encryption of victim system files with name changes and created new files regardless until or unless the system is infected. Furthermore, a ransom note is placed for showing in victim’s system (Swenson, 2017). The ransom note was prepared using text from library of .rtf format (rich text format) files and note was available at multiple languages based on system location. The ransom demand requires paying either $300 or $600 worth of Bitcoin for decryption key. Once the system is infected, the user can view only a screen with instructions for paying the ransom.

Figure 1: “WannaCry” ransomware screen

(Source: Young & Yung, 2017, pp. 25)

The “WannaCry” ransomware used EternalBlue for exploitation, NSA created this EternalBlue, and Shadows Brokers have released it during 14 April 2017. The malware has capability of checking backdoors existing such as DoublePulsar; this too was released from Shadow Brokers for helping in propagation within client networks (Yaqoob et al., 2017). In case, the organization is trying to route through proxy internet access; the “Kill Switch” will not pause the ongoing attack.  

In case the user notices about the ransomware attack occurred to someone’s system, and the user can view the extensions changed as the specified ones. The user can easily identify themselves as victims of this ransomware attack (Gandhi, (2017). When someone identifies about the scenario; then he or she can perform following actions to reduce the impacts.

• All network connections should be disconnected from internal and external storage immediately.
• The computer should be shut down and IT teams should be instantaneously informed.
• Any amount of ransomware should be paid to the hacker; as the payment of ransom to the attackers increase chances of illegal activities over the entire ecosystem and there exists no guarantee of getting stolen data back (Fimin, 2017).
• Before taking experts’ advice; all backups should be kept safeguarded.

These were general recommendations for users who suspect that he or she is a victim of this ransomware. However, before this ransomware attack occurs, there are some organization side recommendations and employee side recommendations (Millard, 2017). The organization-level recommendations are identified as following:

1. SMB ports, RDP (Remote desktop protocol) will be kept blocked over the network grid as well as 445, 139 port for SMB and 3389 port for RDP should be blocked. SMB should be kept blocked until the organization came up with a group policy or endpoint solution.
2. Privilege escalation request for users should be prevented from being granted in case one user requires running unknown software as an administrator (Mohurle & Patil, 2017).

• Windows operating system and Microsoft software should be patched up specifically for MS17-010. Unsupported or out-of-date operating systems should be reconfigured or upgraded for preventing SMB and RDP invasion.

1. All employees should be notified for not opening unknown attachments over emails (Gordon, Fairhall & Landman, 2017). In case any employee faces doubt about emails and attachment; they should read though the mail without opening the attachment.
2. Office macros should be disabled by a group policy.
3. Scanning of all attachments should be considered from every endpoint, terminal, and email gateways (Batcheller et al., 2017). The uPNP should be disabled over every gateway, firewall, proxy servers and routers.

Some additional precautions should be maintained as following that are mentioned with necessary details:

Strategies for addressing Risks and Security Concerns

Maintenance of backup: The critical data backups should be maintained and rate of data generation should be maintained (Martin, Kinross & Hankin, 2017). Timeline should be aligned with procedures for restoring system should be conducted over Business Continuity Plan (BCP). Organization’s incident response should be reviewed and disaster preparation plans should be verified over address recovery from ransomware event. 

Endpoint and terminal monitoring: The terminal monitoring tools can provide visibility to the IT team showing abnormal behavior that may occur over the terminals. The abnormal situations can identify how the ransomware can occur over the endpoints. Antivirus tools cannot track the ransomware it lags behind ransomware (Martin et al., 2017). Endpoint monitoring can perform visualizing that processes and network traffic that run in the endpoints; the endpoint can block the unnecessary (potentially harmful) processes until verification is scanned.

Email filtering: The email filtering is essential for scanning through the email attachments and this strategy will prevent a number of malware attacks along with Locky ransomware. The filtering can track down recommended blocking of executable and zip attachment files along with filtering attachments so that manual review can be performed (Floridi, 2017). The filtering can block the attachments for suing secure transfer option to allow the attachments without launching any harmful software.

Security Awareness Training: The security awareness-training program is essential for employees to take lessons from malicious hacking attacks. These tools are useful for implementation; though in long run, employees should be able to easily identify any insecure reason (Wirth, 2017). Security awareness training is identified as significant way to reduce susceptibility and vulnerability from personnel towards ransomware campaigns.

In an overall, Effective Enterprise Incident Response plan should be tested and measured for identifying effectiveness nature for ransomware attacks. The response plan can be updated for reflecting existing cyber threat environment. Critical systems should not be connected with internet or those systems will be accessible over any network (Clarke & Youngstein, 2017). Vulnerability management should be ensured within robust and natured enterprise-level program.  

Additionally, some useful Employee-level recommendations are identified for conducting safety against ransomware threats. The recommendations are identified as following:

1. Internet should be disconnected and all data should be kept under backup in encrypted format in removable hard drives. The hard drives should be disconnected into a secure location once, the backup is completed.
2. The attachments should not be opened from unknown sender emails; the attachments should not be downloaded (Swenson, (2017). Any unauthorized software should not be downloaded or installed.

• Personal emails should not be checked in office systems; as most of the free email services will not have advanced security protocol for scanning the attachments.

1. If unusual hard drive activity over computer is suspected; the user is recommended to shut down the system immediately and IT team administrator should be notified (Young & Yung, 2017).
2. In office documents, macros will not be enabled.

Some IT administrator side recommendations are identified as following that should considered in security planning and preventing risks from ransomware.

1. Network sharing should be stopped and disconnected from idle computers and servers. Network sharing should be rechecked with writing permissions.
2. All passwords will be changed for safeguarding the common domain administration accounts, the logging into system should be refrained and the accounts will be used for authorizing some specific actions for standard operating procedures.

• Backup solutions should be ensured for providing write access towards the accounts for hard configured over backup solutions (Gandhi, 2017). User accounts should have only read access.

1. Volume wise shadow copy option should be enabled and group policy should be enforced. Endpoint security solution and anti-malware or anti-ransomware modules will be enabled.
2. Privilege escalation should be escalated from unknown programs and processes (Yaqoob et al., 2017). Manual signature on endpoint security should be created and file hashes should be monitored.

Conclusion and Future Trends

The report stated that NHS hospitals faced ransomware hits once, EY cyber threat intelligence (CTI) to follow UK researcher. The researchers may obtain malware with which the researcher have analyzed and discovered for reference to unregistered domain. The domain is identified as worm-like attack; the researcher should consider the impacts and entire situation of ransomware so that security options can be obtained. However, new variants of malware such as Uiwix do not have this “Kill Switch”. Over new variants has not yet confirmed and the outcomes are limited at this moment; some updates should be published to make information available about the attack. Organization’s incident response should be reviewed and disaster preparation plans should be verified over address recovery from ransomware event. Endpoint monitoring can perform visualizing that processes and network traffic that run in the endpoints; the endpoint can block the unnecessary (potentially harmful) processes until verification is scanned.

References

Batcheller, A., Fowler, S. C., Cunningham, R., Doyle, D., Jaeger, T., & Lindqvist, U. (2017). Building on the Success of Building Security In. IEEE Security & Privacy, 15(4), 85-87.

Clarke, R., & Youngstein, T. (2017). Cyberattack on Britain’s National Health Service—A Wake-up Call for Modern Medicine. New England Journal of Medicine.

Collier, R. (2017). NHS ransomware attack spreads worldwide.

Fimin, M. (2017). Are employees part of the ransomware problem?. Computer Fraud & Security, 2017(8), 15-17.

Floridi, L. (2017). The Unsustainable Fragility of the Digital, and What to Do About It. Philosophy & Technology, 1-3.

Gandhi, K. A. (2017). Survey on Ransomware: A New Era of Cyber Attack. International Journal of Computer Applications, 168(3).

Gordon, W. J., Fairhall, A., & Landman, A. (2017). Threats to Information Security—Public Health Implications. New England Journal of Medicine, 377(8), 707-709.

Martin, G., Kinross, J., & Hankin, C. (2017). Effective cybersecurity is fundamental to patient safety.

Martin, G., Martin, P., Hankin, C., Darzi, A., & Kinross, J. (2017). Cybersecurity and healthcare: how safe are we?. Bmj, 358, j3179.

Millard, W. B. (2017). Where Bits and Bytes Meet Flesh and Blood: Hospital Responses to Malware Attacks.

Mohurle, S., & Patil, M. (2017). A brief study of Wannacry Threat: Ransomware Attack 2017. International Journal, 8(5).

Shackelford, S. (2017). Exploring the ‘Shared Responsibility’of Cyber Peace: Should Cybersecurity Be a Human Right?.

Swenson, G. (2017). Bolstering Government Cybersecurity Lessons Learned from WannaCry.

Wirth, A. (2017). It’s Time for Belts and Suspenders. Biomedical Instrumentation & Technology, 51(4), 341-345.

Yaqoob, I., Ahmed, E., Rehman, M. H., Ahmed, A. I. A., Al-garadi, M. A., Imran, M., & Guizani, M. (2017). The rise of ransomware and emerging security challenges in the Internet of Things. Computer Networks.

Young, A. L., & Yung, M. (2017). Cryptovirology: The birth, neglect, and explosion of ransomware. Communications of the ACM, 60(7), 24-26.