It’s not a question of “if”, but “when” - for patients, physicians, nurses, administrators and IT managers alike. At least that’s what new - successful - cyber-shakedown attacks this week against America’s hospitals by cyber criminals suggest.
IT administrators seem to not have heeded the writing on the wall, even after 18 similar cases have been reported nationwide since January.
Cyber security watchdog Brian Krebs reports on the latest incident - at the Methodist Hospital in Henderson, Ky. - in this post on his Krebs on Security blog.
The hospital had to declare an “internal state of emergency” when it lost access to its own data after it was struck by ransomware, malicious code from the web that secretly infiltrates local computers and networks and encrypts the victim’s files.
The program then presents a demand for ransom to regain access to the data, to be paid in Bitcoin.
The details Krebs shares on his blog are telling. Only weeks after widely publicized attacks against Hollywood Presbyterian Medical Center in Los Angeles and other medical facilities in the U.S., Canada and Germany, hospitals still seem wide open and defenseless against ransomware.
One conclusion, from the Henderson saga and other similar incidents reported this week: hospital management would rather risk having to pay crime syndicates (Methodist Hospital in the end decided against it; Hollywood Presbyterian paid $17,000) than take timely, budget-friendly security measures to prevent web-based attacks in the first place.
Ransomware can only spread where remote code is downloaded and executed locally
As Krebs writes, “[r]ansomware infections are largely opportunistic attacks that mainly prey on people who browse the Web with outdated Web browsers and/or browser plugins like Java and Adobe Flash and Reader.”
Also common: infection via malicious emails. Methodist Hospital was invaded by a rampant strain of ransomware dubbed “Locky” because unsuspecting employees clicked on attachments in seemingly official emails they had received.
While the recent headlines may remind some of the computer virus scares of the 1990s, the rise of ransomware cannot be compared to that “experimental stage” of first deliberate and targeted digital sabotage.
Ransomware, which spreads much like a computer virus, has been around since 1989. But it has become big business for computer crime syndicates as a result of the massive proliferation of traditional web browsers in corporations and organizations.
The reason: traditional browsers - such as the ones that come standard with office computers - render code downloaded from the web locally. As a result, they open up the whole local computer network to malware attacks, whether the goal is to deploy ransomware or to steal medical records.
Experts estimate that one exploit kit alone, “Angler” - software that delivers the malicious program to the victim’s computer or network - generates about $60 million in ransom money for the cyber criminals.
Only a week ago, Angler was used to spread ransomware via large online advertising networks to millions of Windows computer users - many of whom aren’t even aware yet that they’ve been hit - who visited major news sites like The New York Times or the BBC.
Now, local hospital websites spread ransomware, too. As MedCity News reported this week, the Norfolk General Hospital in Simcoe, Ontario (Canada) was spreading the same exploit kit to the computers of patients and family members who visited the Norfolk General’s website.
From denial to mounting an efficient defense
How to prevent ransomware attacks? Antivirus / anti-malware software (AV scanners), often touted as the best bet IT security managers have to protect their infrastructure against ransomware, has frequently failed to detect the highly sophisticated intrusion schemes cooked up by cyber criminals.
Henderson’s Methodist Hospital was lucky - i.e., prepared - because it had its data backed up when it was struck by “Locky”. To successfully recover from an attack like this, you have to be able to restore your network from a known-safe environment.
As Brian Krebs reports on his blog, Methodist Hospital had an incident response plan in place. This allowed IT administrators to bring the hospital’s computers back online one by one, after each had been checked for any remnants of the malicious code.
Using a secure virtual browser like Authentic8’s Silo on recovered computers when they come back online can be crucial. Silo renders all web content in the cloud, and delivers only visual information - pixels - back to the local computer, via an encrypted connection.
AV scanners? A hit-or-miss proposition, at best.
Silo's “perfect layer” of insulation works both ways, for example when bringing “sterilized” computers back online after an attack.
That means it can also protect data assets in the cloud from potentially infected local devices, such as a computer that still harbors an - undetected - payload.
But the main advantage, compared to AV scanners - which amount to little more than hedging your bets, hit-or-miss, and hoping that insurance will pay when something goes wrong - is this:
Silo’s patented secure browser prevents ALL web-borne malware - including ransomware - from ever reaching the local computer or network.
Background: Read more on how ransomware has evolved into today's million-dollar criminal enterprise in the ICIT Ransomware Report 2016 (Institute for Critical Infrastructure Technology) (PDF).