CyberheistNews Vol #6 14
Why Hospitals Are Perfect Ransomware Targets. Are You Next?
I've got some new information that seems very useful ammo for IT security budget discussions. Here it is:
I was interviewed by WIRED magazine's Kim Zetter. She's written a great article that analyzes why hospitals are perfect targets for ransomware. She started out with: "Ransomware has been an Internet scourge for more than a decade, but only recently has it made mainstream media headlines. That’s primarily due to a new trend in ransomware attacks: the targeting of hospitals and other healthcare facilities." (link to article below)
Now, Who Else Should Be Scared?
Hospitals have shown themselves to be soft targets and are under full attack by several cybercrime gangs using different attack vectors. The SamSam ransomware gang attacks server vulnerabilities in JBoss apps using an open source pentesting tool called JexBoss, so these are targeted attacks based on scans the bad guys did. Cisco technical background: http://blog.talosintel.com/2016/03/samsam-ransomware.html
That is an exception, though: the vast majority of ransomware infections are caused by phishing emails. Next are malicious links and ads leading to compromised websites with exploit kits causing drive-by infections.
These types of spray-and-pray attacks can hit anyone. When the bad guys are done with hospitals, what industry will be next? It's a good idea to turn yourself into a "hard target" before the crosshairs get turned on your industry.
Should Ransomware Attacks Be Considered Data Breaches?
Now that hospitals suffer from ransomware attacks, are these incidents data breaches that they must report to the HHS Office for Civil Rights?
This is a question that federal regulators and healthcare industry stakeholders must start answering, says David Holtzman, vice president of compliance strategies at security firm CynergisTek and a former OCR official.
In a typical breach incident, hackers are pursuing patient data to try to monetize it, he notes. But ransomware hackers are different. They are not interested in exploiting specific patient data; they electronically confiscate it to interrupt access and extort payment. However, recently one strain claimed it had exfiltrated files and threatened to make the files public if no ransom was paid. Turns out this was an empty threat, but what if other strains start really doing this...
So, technically, has the data been compromised? Well, the lawyers are looking at this, and I have asked a legal specialist in this area to write a short summary for CyberheistNews, so stay tuned.
Ransomware Infection? Get Ready For A Class-Action Lawsuit
Even though a ransomware attack might not exactly qualify as a HIPAA data breach, you can anticipate class-action lawsuits against a healthcare institution for damages caused by the institution’s negligent security practices which led predictably to a loss of data access and thereby to a bad clinical outcome. This risk may very well expand to any industry that is regulated. Here is a link to the current discussion: http://www.healthdatamanagement.com/news/should-ransomware-attacks-be-considered-breaches
It is clear that a ransomware infection can have several bad consequences:
- Immediate losses due to downtime
- High ransom payment if backup/restore turns out to fail
- Possible data breach liabilities
- Lawsuit exposure
So, it becomes more important than ever to:
- Have weapons-grade backup/restore
- Patch all systems religiously
- Deploy new-school awareness training with simulated phishing tests for all users
Here is the link to the WIRED Magazine interview with yours truly: http://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/
Learn more about how to create a human firewall by training and phishing your users with great results, fast ROI, and have fun doing it: https://www.knowbe4.com
KnowBe4 Has Blowout First Quarter 2016
KnowBe4 had a blowout Q1, growing 299% year-over-year, and made it into the Cybersecurity 500, the definitive list of the world’s hottest and most innovative companies in the cybersecurity industry. We now have a record-setting 11 straight quarters of growth. Check out the blog post with more highlights and milestones: https://blog.knowbe4.com/knowbe4-has-blowout-first-quarter-2016
We are excited to announce our brand new "Ransomware for Hospitals" training module, a short 7-minute flash-training to instantly improve hospitals' human firewall. Yours truly was interviewed by ABC TV about the recent ransomware attacks on hospitals. See it here: https://www.knowbe4.com/knowbe4-in-the-news/
More About Petya Hard Disk Lock BSoD Ransomware
On March 25, news came out about a new type of ransomware that does not encrypt files but makes the whole hard disk inaccessible.
As if encrypting files and holding them hostage is not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing a blue screen of death (BSoD) and putting their ransom notes at system startup—as in, even before the operating system loads.
Imagine turning on your computer and, instead of the usual Windows icon loading, you get a flashing red and white screen with a skull-and-crossbones. F-Secure looked deeper into Petya to see what can be done to stop this threat. Petya is much faster than file-encrypting ransomware: instead of encrypting all the files, it simply encrypts the Master File Table (MFT), which means the operating system is no longer able to locate files.
It installs itself to the disk’s master boot record (MBR) like a rootkit. But instead of staying covert, you get the red screen with instructions on how to get your files back. The infection vector is phishing emails sent to HR departments with a Dropbox link to "a resume". More at the KnowBe4 Blog: https://blog.knowbe4.com/more-about-petya-hard-disk-lock-bsod-ransomware
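One defender-side check that follows from the MBR behaviour described above, added here as an example and not code from the original newsletter, F-Secure, or KnowBe4: record a baseline hash of the boot-code region of sector 0 at install time and flag any later change or a missing boot signature, while ignoring the partition table, which can change legitimately. All sector bytes below are constructed sample data, and the device path in read_sector0 is an assumption.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_CODE_END = 446           # bytes 0..445 boot code, 446..509 partition table, 510..511 signature
BOOT_SIGNATURE = b"\x55\xaa"


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table may change legitimately."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()


def check_mbr(sector: bytes, baseline: str) -> str:
    """Compare a freshly read sector 0 against the recorded baseline hash."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        return "bad-signature"          # not a valid MBR at all
    if boot_code_hash(sector) != baseline:
        return "boot-code-changed"      # loader replaced: investigate before the next reboot
    return "ok"


def make_sector(boot_code: bytes, partition_table: bytes) -> bytes:
    """Assemble a constructed 512-byte sector (sample data, not read from a real disk)."""
    boot_code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    partition_table = partition_table.ljust(64, b"\x00")[:64]
    return boot_code + partition_table + BOOT_SIGNATURE


def read_sector0(device_path: str) -> bytes:
    """Read sector 0 from a block device or raw image (needs read access; path is an assumption)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed samples: the loader recorded at install time, the same disk after an overwrite,
# and the same loader with only the partition table edited (a legitimate change).
KNOWN_GOOD_LOADER = b"CONSTRUCTED-KNOWN-GOOD-LOADER"
GOOD_SECTOR = make_sector(KNOWN_GOOD_LOADER, b"\x80\x01\x01\x00\x07")
BASELINE = boot_code_hash(GOOD_SECTOR)
OVERWRITTEN_SECTOR = make_sector(b"CONSTRUCTED-FOREIGN-LOADER", b"\x80\x01\x01\x00\x07")
REPARTITIONED_SECTOR = make_sector(KNOWN_GOOD_LOADER, b"\x00\x01\x01\x00\x83")

if __name__ == "__main__":
    for name, sector in [("good", GOOD_SECTOR), ("overwritten", OVERWRITTEN_SECTOR),
                         ("repartitioned", REPARTITIONED_SECTOR)]:
        print(f"{name}: {check_mbr(sector, BASELINE)}")
```

Run this periodically from an endpoint agent (or compare offline against an image) so that a replaced boot loader is noticed before the machine is rebooted into the ransom screen.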
Don't Miss Your April Live Demo: New-School Security Awareness Training
Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.
Join us on Wednesday, April 13 at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform and see how easy it is to train and phish your users:
- Send Phishing Security Tests to your users and get your Phish-prone percentage.
- Roll out Training Campaigns for all users (or groups) with follow-up emails to “nudge” users who are incomplete on the training.
- Point-of-failure training auto-enrollment.
- NEW Phish Alert Button for Outlook so employees can report phishing attacks.
- NEW Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how thousands of organizations have mobilized their end-users as their first line of defense. Register Now: https://attendee.gotowebinar.com/register/6306710009986246916
The Funny Story Of The Runaway Phishing Test
On March 27, in the Scam of the Week, I reported on a phishing scam that used accurate GPS data to catch speeding drivers. The story went viral and a lot of sites and magazines picked it up. The funny part is that I got a phone call from an IT security pro who shall not be named, who said this was a phishing test that he created for the employees of his own company!
Someone had forwarded the phish to the local police and they put it on their website as a warning without any analysis. Then The Verge picked it up and published it, which is where I found it. If the local police had analyzed the link, it would have been clear that there was nothing malicious on the other end. I'm amused.
Warm Regards, Stu Sjouwerman