CyberheistNews Vol 6 #14 Why Hospitals Are Perfect Ransomware Targets. Are You Next?

Stu Sjouwerman

I've got some new information that seems very useful ammo for IT security budget discussions, here it is:

I was interviewed by WIRED magazine's Kim Zetter. She's written a great article that analyzes why hospitals are perfect targets for ransomware. She started out with: "Ransomware has been an Internet scourge for more than a decade, but only recently has it made mainstream media headlines. That’s primarily due to a new trend in ransomware attacks: the targeting of hospitals and other healthcare facilities." (link to article below)

Now, Who Else Should Be Scared?

Hospitals have shown themselves to be soft targets and are under full attack by several cybercrime gangs using different attack vectors. The SamSam ransom gang attacks server vulnerabilities in JBoss apps using an open source pentesting tool called JexBoss, so these are targeted attacks based on scans the bad guys did. Cisco technical background:

That is an exception, though: the vast majority of ransomware infections are caused by phishing emails. Next come malicious links and ads leading to compromised websites hosting exploit kits, which cause drive-by infections.

These types of spray-and-pray attacks can hit anyone. When the bad guys are done with hospitals, what industry will be next? It's a good idea to turn yourself into a "hard target" before the crosshairs get turned on your industry.

Should Ransomware Attacks Be Considered Data Breaches?

Now that hospitals suffer from ransomware attacks, are these incidents data breaches that they must report to the HHS Office for Civil Rights?

This is a question that federal regulators and healthcare industry stakeholders must start answering, says David Holtzman, vice president of compliance strategies at security firm CynergisTek and a former OCR official.

In a typical breach incident, hackers are pursuing patient data to try and monetize, he notes. But ransomware hackers are different. They are not interested in exploiting specific patient data, but electronically confiscate it to interrupt access and extort payment. However, recently one strain claimed they exfiltrated files and threatened to make the files public if no ransom was paid. Turns out this was an empty threat, but what if other strains start really doing this...

So, technically, has the data been compromised? Well, the lawyers are looking at this, and I have asked a legal specialist in this area to write a short summary for CyberheistNews, so stay tuned.

Ransomware Infection? Get Ready For A Class-Action Lawsuit

Even though a ransomware attack might not exactly qualify as a HIPAA data breach, you can anticipate class-action lawsuits against a healthcare institution for damages caused by the institution’s negligent security practices which led predictably to a loss of data access and thereby to a bad clinical outcome. This risk may very well expand to any industry that is regulated. Here is a link to the current discussion:

It is clear that a ransomware infection can have several bad consequences:

  • Immediate losses due to downtime
  • High ransom payment if backup/restore turns out to fail
  • Possible data breach liabilities
  • Lawsuit exposure

So, it becomes more important than ever to:

  • Have weapons-grade backup/restore
  • Patch all systems religiously
  • Deploy new-school awareness training with simulated phishing tests for all users

Here is the link to the WIRED Magazine interview with yours truly:

Learn more about how to create a human firewall by training and phishing your users with great results, fast ROI, and have fun doing it:

KnowBe4 Has Blowout First Quarter 2016

KnowBe4 had a blowout Q1, growing 299% year-over-year, and made it into the Cybersecurity 500, the definitive list of the world’s hottest and most innovative companies in the cybersecurity industry. We now have a record-setting 11 straight quarters of growth. Check out the blog post with more highlights and milestones:

We are excited to announce our brand new "Ransomware for Hospitals" training module, a short 7-minute flash-training to instantly improve hospitals' human firewall. Yours truly was interviewed by ABC TV about the recent ransomware attacks on hospitals. See it here:

More About Petya Hard Disk Lock BSoD Ransomware

On March 25, news came out about a new type of ransomware that does not encrypt files but makes the whole hard disk inaccessible.

As if encrypting files and holding them hostage is not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing blue screen of death (BSoD) and putting their ransom notes at system startup—as in, even before the operating system loads.

Imagine turning on your computer and, instead of the usual Windows logo loading, you get a flashing red and white screen with a skull-and-crossbones. F-Secure looked deeper into Petya to see what can be done to stop this threat. Rather than encrypting every file, which is slow, it encrypts the Master File Table (MFT), so the operating system is no longer able to locate files.

It installs itself to the disk’s master boot record (MBR) like a rootkit. But instead of staying covert, you get the red screen with instructions on how to get your files back. The infection vector is phishing emails sent to HR departments with a Dropbox link to "a resume". More at the KnowBe4 Blog:
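Because Petya lives in the MBR rather than in the file system, a file-level scanner will not see it, but a baseline comparison of the boot sector will. The following is an added example, not code from F-Secure or KnowBe4: it parses the 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes the code portion and compares everything against a stored baseline. The sample sectors are constructed inline so it runs offline.

```python
"""Baseline check for a disk's master boot record (MBR).

Added example, not from the newsletter. A bootkit like Petya overwrites the
512-byte MBR so its own code runs before Windows loads; comparing the
bootstrap-code hash and partition table against a known-good baseline is one
way to detect that change. Runs on constructed sample sectors."""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 446          # bytes 0..445 hold the executable boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"       # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into code hash, partitions and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:            # skip empty entries
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": parts,
            "valid_signature": sector[-2:] == BOOT_SIG}

def check_mbr(sector: bytes, baseline: dict) -> list:
    """Return findings; an empty list means the MBR matches the baseline."""
    cur = parse_mbr(sector)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if cur["code_sha256"] != baseline["code_sha256"]:
        findings.append("bootstrap code changed (possible bootkit)")
    if cur["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings

def _sample_mbr(code: bytes) -> bytes:
    """Construct a sample MBR: given boot code, one NTFS partition, signature."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return code.ljust(BOOTSTRAP_LEN, b"\x00") + entry + b"\x00" * 48 + BOOT_SIG

# Constructed samples: a clean baseline and the same disk with replaced boot code.
CLEAN_MBR = _sample_mbr(b"\xfa\x33\xc0\x8e\xd0")      # stand-in bootstrap bytes
BASELINE = parse_mbr(CLEAN_MBR)
TAMPERED_MBR = _sample_mbr(b"\xeb\x3c\x90\x00\x01")   # same table, new code

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a real machine you would feed `check_mbr` the first 512 bytes read from the raw disk device with administrator rights, and keep the baseline somewhere the host cannot overwrite.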

Don't Miss Your April Live Demo: New-School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, April 13 at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform and see how easy it is to train and phish your users:

  • Send Phishing Security Tests to your users and get your Phish-prone percentage.
  • Roll out Training Campaigns for all users (or groups) with follow-up emails to “nudge” users who are incomplete on the training.
  • Point-of-failure training auto-enrollment.
  • NEW Phish Alert Button for Outlook so employees can report phishing attacks.
  • NEW Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.

Find out how thousands of organizations have mobilized their end-users as their first line of defense. Register Now:

The Funny Story Of The Runaway Phishing Test

On March 27, in the Scam of the Week, I reported on a phishing scam that used accurate GPS data to catch speeding drivers. The story went viral and a lot of sites and magazines picked it up. The funny part is that I got a phone call from an IT security pro, who shall not be named, who said this was a phishing test that he had created for the employees of his own company!

Someone had forwarded the phish to the local police, who put it on their website as a warning without any analysis. Then The Verge picked it up and published it, which is where I found it. If the local police had analyzed the link, it would have been clear that there was nothing malicious on the other end. I'm amused.

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Beware of false knowledge; it is more dangerous than ignorance."
- George Bernard Shaw, Dramatist (1856 - 1950)

"All generalizations are false, including this one."
- Mark Twain

Thanks for reading CyberheistNews

Security News
Digital Guardian Podcast: The Ransomware Problem - To Pay Or Not To Pay

"Thomas Fischer and Paul Roberts discuss the ransomware problem that is currently impacting businesses around the globe. Anyone who follows security and cybercrime has likely noticed the wave of ransomware attacks targeting businesses in 2016. Just last Wednesday the news broke that three hospitals had been hit with ransomware attacks in the course of a week, one of which was impacted so significantly that it had to declare a "state of internal emergency" while systems were being restored.

Before that, 2016 saw a successful ransomware infection fetch a 17,000 dollar bitcoin ransom from Hollywood Presbyterian Medical Center as well as ransomware attacks against two German hospitals. While the latter were successfully mitigated without paying ransoms (thanks to vigilant IT departments and automatic data backups), those two attacks still left the German hospitals without critical systems temporarily.

In one of those incidents the hospital estimated that it would rely on phones, faxes, and paper records for weeks while its IT department worked to restore systems. In some rare but serious cases, even critical surgical procedures were delayed due to the attack.

Recently global security advocate Thomas Fischer sat down with Paul Roberts for a Security Ledger podcast on the recent wave of ransomware attacks targeting businesses. Listen to their 20 minute discussion below for more on the latest ransomware attacks, tips for protecting against ransomware, and Thomas’ opinion on the notorious “to pay or not to pay” dilemma that typically follows ransomware infections." Great for your commute or a lunch break:

Federal Agencies Report Over 300 Ransomware-Related Incidents Since July

Since July of last year, 29 different federal agencies detected – via their own analysis or through the Homeland Security Department's Einstein program – 321 incident reports of ransomware-related activity on their networks, said DHS in a letter to congressional requesters.

The letter came in response to an inquiry the Senate Homeland Security and Governmental Affairs Committee sent DHS and DOJ in December 2015. On March 30, the committee's Ranking Member, Sen. Tom Carper (D-Del.) posted the departments' letters in full. More:

Nearly 1500 Vulnerabilities Found In Automated Medical Equipment

Security researchers have discovered 1,418 flaws in outdated medical equipment still in use by some healthcare providers. The vulnerabilities could allow hackers to remotely exploit systems.

Research carried out by Billy Rios and Mike Ahmadi used automated security scanning tools on a decommissioned device. They found scores of bugs in equipment running customised versions of Windows XP.

The flaws were found in CareFusion's Pyxis SupplyStation medical dispensing system. Out of the 1,418 remotely exploitable flaws, 715 of those vulnerabilities in “automated supply cabinets used to dispense medical supplies” have a severity rating of high or critical. The flaws are found in Pyxis SupplyStation versions 8.0, 8.1.3, 9.0, 9.1, 9.2 and 9.3.

According to an ICS-CERT notification, an attacker with low skill “would be able to exploit many of these vulnerabilities”. More:

This Is the FBI's Official Position on Ransomware

The FBI has changed its official stance regarding ransomware infections after the US Senate inquired why it was recommending people to pay ransoms and indirectly supporting cyber-criminals by doing so.

At the end of October last year, while giving a presentation at the Cyber Security Summit in Boston, Joseph Bonavolonta, Assistant Special Agent in Charge of the FBI’s Cyber and Counterintelligence Program, disclosed some details about how the FBI handled companies and individuals that were infected with crypto-ransomware.

Mr. Bonavolonta said that, in most cases, because the FBI can't help these companies recover files, their agents often end up recommending they pay the ransom to get their data back.

Donald J. Good, Deputy Assistant Director of the FBI's Cyber Division, answered the Senate's letter at the start of February. The FBI does not "officially" tell companies to "pay up!" Responding to the most pressing issue, Mr. Good said the following: "The FBI does not advise victims on whether or not to pay the ransom." Read the whole letter at SCRIBD:

When Mobsters Meet Hackers: The New And Improved Bank Heist

I could not resist when I read that headline. I clicked. The story I found was at VentureBeat, and it is great to send to C-level execs and board members to give them an update about the sophistication of cybercrime:

"No need for stocking masks and sawed-off shotguns.

"The unprecedented heist of 81 million dollars from the U.S. account of Bangladesh’s central bank is the latest among increasingly large thefts by criminals who have leveraged the speed and anonymity of hacking to revolutionize burgling banks.

"Hundreds of millions of dollars, and perhaps much more, have been stolen from banks and financial services companies in recent years because of this alliance of traditional and digital criminals, with many victims not reporting the thefts for fear of reputational damage." More:

Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff
    • Google Maps shows Bruce Wayne's residence. Click on the black square at the end and check out the batcave. This is (very) cool:
