If you’re in the security world, you’ve no doubt seen the warning to hospitals from multiple government agencies about a specific ransomware threat. Here’s a short excerpt of the announcement:
This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.
CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.
I’ve reached out to our resident CISO expert, Mitch Parker, to see if he can share some thoughts on what this means and suggestions on what steps hospitals should be taking to prepare for a specific threat like this.
In the meantime, we’ve collected some interesting commentary from a few other security experts:
Peter Mackenzie, Incident Response Manager, Sophos Rapid Response, offered this comment on the news that the FBI is looking into a rise in recent ransomware attacks on US hospitals:
It is important to note that ransomware attacks on hospitals are common, but in our experience they are not affected more than other industries. Earlier in the pandemic there were fewer attacks targeting hospitals after many ransomware groups publicly stated that they would avoid them. It is clear the operators behind Ryuk are back from their summer break, and now targeting hospitals along with other industry sectors. Most of the heightened interest in these attacks stems from the attack on UHS hospitals a few weeks back. This saw many hospitals hit at once, but only because they were all connected. In other words, it wasn’t a string of attacks, but rather a single attack that affected multiple sites.
Kelvin Coleman, Executive Director at the National Cyber Security Alliance, offered this perspective:
Threats against the US healthcare system continue to be a long-running issue, made undoubtedly worse as the COVID-19 pandemic’s spread continues. The latest alert and joint statement released by CISA, FBI and HHS, Ransomware Activity Targeting the Healthcare and Public Health Sector, confirms that the persistent dangers of ransomware throughout our healthcare infrastructure are not to be taken lightly. Recent reports about the first death linked to a ransomware attack in Germany reinforce these dangers. Hospitals and other healthcare facilities are increasingly relying on connected devices, patient records are becoming more digitized, and people are depending on telehealth services for medical help during the pandemic. Each of these healthcare components is vulnerable, making the need for increased cybersecurity awareness and education among consumers and healthcare practitioners paramount for safety and prevention. In terms of best practices, effective security policies, training roadmaps for IT teams and the integration of proactive cybersecurity education initiatives into the public health workplace culture are all incredibly important for keeping threats at bay. Addressing the specific threat of ransomware, it’s essential for facilities to regularly create backups of critical systems and files, and to house those offline from the network. Simultaneously, healthcare and public health facilities should also be vigilant about upgrading and updating their legacy hardware and software; ensuring that all connected devices and applications have multi-factor authentication enabled; and ensuring that employees know how to identify and avoid malicious email links and attachments from possible phishing scams targeting their workforce.
Chester Wisniewski, principal research scientist at Sophos, added these comments about Ryuk ransomware, its recent attack history and what this means for all types of organizations (not limited to hospitals) moving forward:
Considering the importance of their role during the pandemic, all healthcare organizations across the world should be on high alert and should be extra vigilant following this warning from CISA. Ryuk is a serious adversary and combatting them effectively requires such vigilance, comprehensive protection and detection abilities and strong human-led mitigation when the first signs of a breach are discovered.
Ryuk isn’t the only game in town either. While they may be distracted by focusing on healthcare providers as CISA alleges, there are many other groups targeting anything that moves that may have a bank account. REvil, WastedLocker and others are happy to continue to target the rest of us while we breathe a sigh of relief that we aren’t the CISO at a hospital.
To effectively defend against this type of attack, organizations must have ubiquitous security coverage of their computing infrastructure, locked down and patched remote access infrastructure and investigate security alerts as if they are the beginning of an incident, not the end.
Certainly hospitals have been worried about ransomware for a while, but having a specific threat feels different. No doubt, there’s more coverage of this to come, but we wanted to get this out there so hospitals are aware of the specific threat.