HIPAA Blog

[ Monday, September 23, 2019 ]

 

A friend at Stroz Friedberg (a part of Aon) let me know a few months ago that they are seeing a particular uptick in ransomware affecting law practices, but really it's a problem across all industries.  As noted from the news out of Wyoming earlier today, ransomware is a particularly big problem in the healthcare industry. 

I thought I'd post through what my friend sent, with her permission.  But I'd also like to point out the "big 4" words of advice to prevent ransomware or minimize its impact.
1. Patch software regularly.  Most malware exploits a vulnerability that has been reported and for which a patch is available.  You can't always patch immediately, but do so on a regular basis.
2. Practice good backup management.  Having a perfect backup is the golden ticket for defeating ransomware: simply remove the encrypted content and replace with the backup.  Modern ransomware variants typically seek-and-encrypt backup files, as well as data files.  If your backup files are accessible on the same system, you could lose them too.  Multiple serial backup versions, stored offsite, will speed recovery and save you the ransom payment.
3. Map your systems and remove unnecessary connectivity. It's better if an isolated portion of your computing environment is encrypted and not the whole thing.  And you need to be able to find how the incident started to clean it up effectively.
4. Train and test your staff to recognize phishing attempts. The phishing attempt that isn't opened is the ransomware event you don't have and don't have to fix.

Anyway, here's the Aon report:

Ransomware
Everywhere


Over the past two weeks we have seen a significant uptick in ransomware attacks across all industries involving the Ryuk ransomware. The initial foothold is typically flagged as Emotet malware, and is usually delivered through a phishing email. The Emotet attacker then sells its deployment/footholds to a group using the Trickbot banking trojan. The "trick" refers to the various modules the malware can dynamically load to augment its abilities. It uses common vulnerabilities, such as EternalBlue, to spread rapidly throughout the victim’s environment. The Trickbot group then sells its wide access to a ransomware group, currently Ryuk (we have also observed Trickbot working with Bitpaymer). Once the Ryuk group gains access, they interactively move through the environment, spreading ransomware to encrypt files. They typically also go after backups in order to block recovery efforts, forcing the victim to pay the often sizeable ransom in order to restore mission-critical files and systems.

Mitigating Business Interruption

Clients should pay close attention to any anti-virus alerts from their endpoints, with particular sensitivity to alerts for Emotet/Trickbot since Ryuk or a similar ransomware is typically a fast follow to these.  In order to minimize the business impact of a ransomware infection, we recommend the following preventative measures:
§  Notify employees to be aware of suspicious emails.
§  Secure email platform account access - MFA, continual log review, etc.
§  Activate malware detection capabilities within mail gateways.
§  Remove the users’ ability to enable document macros.
§  Ensure AV is deployed to every machine and all alerts are being collected.
§  Follow-up on AV alerts.
§  Verify that network logs are being aggregated and reviewed for suspicious connections; Trickbot downloads its payload as a ".png" file.
§  Limit access and closely monitor admin and domain admin account usage.
§  Do not use shared local admin accounts and passwords across machines -- this is an easy way for Trickbot to spread.
§  Have a robust backup process for business critical servers and files such that back-ups occur regularly, are tested for efficacy, and are stored offline.

Getting Back to Business: Response and Recovery

§  Do not power down or reimage infected systems.  DO disconnect them from the network.
§  Preserve machines/logs and contact an IR provider.
§  Ensure the AV solution does not delete the accompanying "ransom notes" (usually .txt or .hta files) as these are typically used to store a unique code that is necessary to decrypt the files if payment is made.
§  Be on the lookout for other malicious software and persistence mechanisms as the Ryuk group may install their own malicious backdoors into the environment as their approach evolves.
§  Make a copy of online backups and store offline.  Alternatively, segregate online backups to prevent them from becoming encrypted or deleted by the attacker.
§  Do not discuss the ability or appetite to pay the ransom via email.


Jeff [4:19 PM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template