Government agencies like the Department of Veterans Affairs (VA) and Centers for Medicare and Medicaid Services (CMS) house large amounts of personal data that bad actors are searching for. With cyber threats becoming more prominent in our digitally-driven world, these healthcare systems are prime targets. DCH Health System, an Alabama-based healthcare organization, was the latest to be targeted by a ransomware attack that impacted systems at three hospitals. The health organization paid the ransom, purchasing a decryption key and was able to recover hospital systems.
This attack highlights the increase in frequency and impact that cyberthreats are posing. Healthcare systems, schools, and government agencies have all fallen prey to attacks that impact systems, employees, and patients or constituents. Recently, GovCybersecurityHub, our sister publication, spoke to Dennis Egan, the Director of Healthcare East at CrowdStrike, about these attacks. Egan explored the motivations, trends, and malicious actors behind these attacks as well as why government agencies, like the VA and CMS, are often targets.
Here is what he had to say:
GovCybersecurityHub (GCH): DCH Health System was just the latest in a number of high-profile ransomware attacks against healthcare organizations and government agencies. Why are these organizations being targeted by malicious actors? What makes them particularly good targets?
Dennis Egan: Healthcare is a target that is perceived by adversaries to be low hanging fruit – so it’s kind of low risk, high reward in their eyes.
If you consider the value of medical records in nearly every type of fraud, the propensity for healthcare institutions to pay the ransom and the underinvestment in IT and security overall within this community, you can see why bad actors have formulated this opinion and why the attacks are on the rise.
GCH: What are these hackers looking for in these ransomware attacks? Is it just the financial payout, or are they also looking for personally identifiable information (PII) and other valuable data in these attacks?
Dennis Egan: Medical records provide a treasure trove of value on the dark web. Think about the value of this information represents in the realm of identity theft, medical fraud, pharmaceutical fraud and tax fraud. These records provide virtually everything an adversary needs in order build a digital profile of a patient. The value of these records are known to be worth as much as $1,000 per record, and they typically contain your date of birth, place of birth, credit card details, Social Security number, address, and an email address.
If we examine it strictly from an extortion perspective, healthcare institutions, who are in the business of saving lives, just have a much higher propensity to pay. As a result, to pay or not pay the ransom is a business decision.
What some fail to realize is that the vast majority of ransomware targets the small and midsize business (SMB) market, smaller organizations who are not well equipped to defend themselves. Ultimately, this has proven to be a significant factor contributing to business failure.
GCH: What happens to a healthcare system that falls prey to one of these attacks? What are some of the other, less-considered side effects of ransomware attacks?
Dennis Egan: Healthcare systems that fall prey to these attacks become less efficient and effective in providing care to patients, which again, is their core mission.
When technology is taken away and systems are forced offline because of these attacks, the business reverts back to being run in a very old-fashioned way – via paper and other manual processes. In turn, the ability to provide timely care, the ability to assess patients and perform diagnoses takes considerably longer. There is also more human intervention, leading to more errors being made, which means their mission is now put in a very compromising position.
It’s the last thing a patient under care should ever have to worry about.
GCH: Your organization, CrowdStrike, has found that the Ryuk ransomware used in the DCH Health System attack are often coordinated by a Russian group called GRIM SPIDER, and that GRIM SPIDER is a “big game hunting” cell of a larger hacker group. What is “big game hunting?” How does a health system or government agency qualify as “big game?”
Dennis Egan: The E-Crime family responsible for Ryuk, Grim Spider, is identified to be a cell of Wizard Spider, which is widely known for their Trickbot infrastructure.
The concept of “Big Game Hunting” can be explained by the fact that the adversary, or adversaries, are executing on a more intricate and strategic campaign targeting larger organizations for a higher ransom return.
It is also fairly common now for smaller, individual e-crime adversaries to band together in a more coordinated effort, effectively commercializing their attack methodologies.
GCH: How does ransomware, such as Ryuk, get installed on these systems? What pathways are taken to attack these organizations?
Dennis Egan: In many cases, Ryuk is what you read about, but this was only the last stage of a successful complex campaign leveraging multiple attack vectors. There are several stages to these attacks. It is often the case that a master dropper infrastructure like Emotet (Mummy Spider) is distributed via spam, allowing for credential harvesting via a Trickbot (Wizard Spider).
Once credentials are harvested, reconnaissance is performed to analyze and assess the conditions of the environment and, ultimately, we then see lateral movement, an indication that the adversary has begun to achieve action on their objectives.
Ryuk, in particular, represents the last stage of a couple lines of code that have been injected into PowerShell, an example of where known and trusted applications are leveraged to carry out an attack. Ryuk ransomware cannot currently be decrypted, which is why you see such a high prevalence of it today.
GCH: How can health systems like DCH and the government agencies that have recently been targeted- such as the municipalities that were recently victims of ransomware in Texas – better secure their systems to battle back against ransomware?
Dennis Egan: Achieving more effective security is not always easy. However, it can certainly be made easier with increased security awareness, having full visibility into your enterprise, leveraging new and innovative technologies that harness the power of machine learning and artificial intelligence and by reducing the complexity of your IT infrastructure so that you can operate with speed when under attack.
The human element makes it challenging. In every business, people play an integral role in day-to-day operations. No matter how well-trained on security best practices your organization may be, it is inevitable that employees will eventually click on things they shouldn’t.
This is where the visibility gap becomes a huge problem. In a post mortem review of most attacks, we find that nearly everything these adversaries are doing as part of their campaign can and should be detected. But you cannot defend what you cannot see.
Coming back to the low hanging fruit comment, adversaries have recognized that healthcare and other public sector organizations have constrained budgets for IT and security. There is also a significant gap in the human capital arena. Limited resources equals a softer target. So why not target organizations that are not properly equipped to defend itself?
[For healthcare organizations,] an honest internal appraisal needs to be performed in order to determine whether or not your organization is prepared for the fight they will wage against the adversary. If not, reprioritize, make some investments and ultimately find a better way to do more with less.
GCH: Is it enough to simply improve cyber hygiene and install security systems? What organizational and behavioral changes are needed within the enterprise to also battle ransomware?
Dennis Egan: It’s critically important to improve hygiene to make the attack surface smaller, but all security systems are not equal. For instance, one thing we know about every organization that has ever been breached was equipped with antivirus on their endpoints and firewalls deployed on the perimeter of their environment. Clearly that was not enough.
So, there are some things to consider. Are we able to defend our enterprise 24/7/365? Do we have sufficient human resources to manage our defenses? Do those resources possess the required skill set and knowledge base to do the job according to the highest standards? Is there a plan for how to react during an incident? Does the security team own the endpoint or is it owned by IT operations?
These are five critical factors that help define an organization’s ability and readiness to prevent breaches.
One of the best ways to protect your organization is to understand the full scope of the threat you’re facing. Click HERE to download a copy of the 2019 OverWatch Mid-Year Report and learn more about the threat landscape in 2019.