In early 2016, the world witnessed one of the most remarkable cyberattacks to date: a five-day, data-hostage crisis that literally crippled a Southern California hospital. Upon being infected with a type of malware that encrypts files, the Hollywood Presbyterian Medical Center lost access to entire drives on its network. As a result, staff resorted to pens and clipboards for documentation purposes, and fax machines as a means for data transfers – the facility's communication systems essentially regressed an entire decade. The hospital eventually regained access to its files, but at a cost. It was forced to pay the cyberattackers responsible for the lockdown $17,000.
In the next two months, two more hospitals in Southern California, one medical facility in Kentucky and several hospitals in Baltimore were affected by various strains of the same type of crippling and wildly prolific cyberthreat. If ever malware could be compared to a rampant medical epidemic, it would be now, and the name of the dastardly virus is ransomware.
What is ransomware and where does it come from?
Much as the name suggests, ransomware is a type of computer malware that extorts its victims. It does this by encrypting an organization's data once it gets on the network. Encryption is not inherently bad; it's how many companies safeguard their data. The problem is that you need a key to unlock files once they've been encrypted. The cybercriminals who infected the network are the only ones who have this key, and they won't give it up unless an organization pays a ransom. This amount is typically demanded in an untraceable currency, and usually in bitcoin.
One of the nastiest strains in circulation – and the one that's responsible for the Hollywood facility lockdown – is called Locky. According to Forbes contributor Thomas Fox-Brewster, the strain was estimated to be infecting up to 90,000 computers every day as of February. That said, there are hundreds if not thousands of different types of ransomware wreaking havoc across the globe. Some of them, like Samsam, exploit outdated server applications. Most of them, however, rely on social engineering to get downloaded onto the network. Hackers will spam health care organizations with emails that seem relatively innocuous. These might have a PDF or Word doc attached, or a link embedded in the body. Upon opening the file or clicking on the link, the malware downloads, runs and starts sweeping through the network, encrypting certain file types.
Alternatively, a user might open an Excel spreadsheet from an unidentified sender, or from a co-worker who has had his or her email account hacked, and be asked to enable macros – these are legitimate tools used by programs to automate certain functions. In the case of macro malware, this function is often to download and run ransomware. Once this happens, the options are limited to paying up, or saying goodbye to your files.
Why target health care?
It's no secret that health care organizations are regularly breached. However, those breaches are usually aimed at stealing online health records so that Social Security numbers, credit card numbers and other personally identifiable information can be sold online. But why would hackers want to go after health care organizations with crypto malware?
"Ransomware has become a billion-dollar, underground industry."
First, it's important to note that cybercriminals don't have a conscience. The fact that they have targeted hospitals full of sick and injured patients for monetary gain should make that clear. Second, and more importantly, Wired contributor Kim Zetter noted that so much is at stake for hospitals when they lose access to data.
"Without quick access to drug histories, surgery directives and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits," Zetter wrote.
The assumption among hackers is therefore that hospitals and other health care facilities will do whatever it takes to regain access to their files right away, even if it means paying a ransom of thousands of dollars. Often, they are correct in this assumption, and not just in health care. The FBI reported that cybercriminals made $209 million in just the first few months of 2016 from ransomware, according to CNN. At this rate, they're on pace to make $1 billion this year in extortion fees.
In other words, ransomware has become a billion-dollar, underground industry that thrives at the expense of its victims.
The solution: A CyberSOC
For health care organizations, the attack vectors are many, the stakes are high and the solutions are few, but all hope is not lost. The trick to beating ransomware is to live as though it might infect your systems any day, because it can and it probably will at some point. There are a number of ways to do this, but one of the best is to monitor network activity in real time, and at all times, with a security operation center.
A CyberSOC underpinned by an entire team of security engineers, and vigilantly overseen by one dedicated cybersecurity professional per network, can sniff out even the faintest whiff that ransomware may be threatening an organization. For instance, because most ransomware starts as an email, the dedicated engineer managing the SOC for a particular network will know based on the behavior of the message that it's malicious. Maybe it was sent from a foreign country, en masse to personnel or at an unusual time. If that doesn't work, the threat will be detected as soon as it downloads. Admins can immediately quarantine the source of the download, effectively stopping the ransomware in its tracks. Normally, this level of detailed, ongoing monitoring would cost hundreds of thousands, or even millions, of dollars for an organization to deploy, manage and maintain. SOC-as-a-Service does all the work for health care organizations, and at a price that any mid-market business can easily afford.
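As an added illustration (not code from the original article or from any SOC product), the script below scores constructed mail-gateway records on the behavioral signals named above (foreign origin, mass distribution, unusual send time) plus the macro-enabled attachments discussed earlier; the expected-country set, the thresholds and the sample records are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

@dataclass
class MailEvent:
    """One inbound message as a mail gateway might summarize it (constructed)."""
    sender: str
    origin_country: str      # country of the sending IP, ISO-style code
    recipients: int          # number of internal recipients
    sent_at: datetime        # local time the message arrived
    attachments: List[str]   # attachment file names

# Assumptions: staff normally receive mail from one country during business hours.
EXPECTED_COUNTRIES = {"US"}
MACRO_EXTS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")  # Office formats that carry macros

def score_event(ev: MailEvent, business_hours=(7, 19), mass_threshold=25) -> List[str]:
    """Return the list of suspicious signals present on one message."""
    reasons = []
    if ev.origin_country not in EXPECTED_COUNTRIES:
        reasons.append("foreign origin")
    if ev.recipients >= mass_threshold:
        reasons.append("sent en masse")
    start, end = business_hours
    if not (start <= ev.sent_at.hour < end) or ev.sent_at.weekday() >= 5:
        reasons.append("unusual time")
    if any(name.lower().endswith(MACRO_EXTS) for name in ev.attachments):
        reasons.append("macro-enabled attachment")
    return reasons

def triage(events: List[MailEvent], min_reasons=2) -> List[Tuple[str, List[str]]]:
    """Escalate only messages that combine at least min_reasons signals,
    so a legitimate all-staff notice from HR is not flagged on volume alone."""
    flagged = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            flagged.append((ev.sender, reasons))
    return flagged

# Constructed sample records; "XX" is a placeholder for an unexpected country.
SAMPLE_EVENTS = [
    MailEvent("colleague@hospital.example", "US", 3, datetime(2016, 3, 1, 10, 15), ["schedule.pdf"]),
    MailEvent("invoice@mailer.example", "XX", 140, datetime(2016, 3, 1, 3, 40), ["invoice.docm"]),
    MailEvent("hr@hospital.example", "US", 120, datetime(2016, 3, 2, 9, 0), ["policy.pdf"]),
]

if __name__ == "__main__":
    for sender, reasons in triage(SAMPLE_EVENTS):
        print(f"escalate {sender}: {', '.join(reasons)}")
```

The thresholds are deliberately simple; in a real SOC they would be tuned against the organization's own baseline of mail volume and timing.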
Ransomware is a nasty cyberthreat, but a CyberSOC can smell it coming from a mile away. Start protecting your health care organization today with SOC-as-a-Service.