By Lynn Sessions and Suchismita Pahi on
Just four months into 2016, the healthcare industry is already facing a persistent and growing threat to hospital operations: ransomware.
Previously, BakerHostetler reported that Hollywood Presbyterian Hospital paid 40 bitcoins to access its
own electronic health records after its information systems were locked with
ransomware. Since then, at least five other healthcare entities have been
infected with ransomware.
According to the March 31, 2016, United States Computer Emergency Readiness Team (US-CERT) alert “Ransomware and Recent Variants” (TA16-091A), the ransomware variants “Locky” and “Samas” (also tracked as Samsam and MSIL.B/C) are behind the recent healthcare incidents. Locky has infected computers in healthcare facilities and hospitals in the United States, New Zealand, and Germany. It arrives through spam emails carrying malicious Microsoft Office documents (macro-enabled attachments) or compressed archives (.rar, .zip). Samas, by contrast, is deployed through vulnerable web servers and does not need a user to open anything.
Although many ransomware infections can be traced to human error and lack of training, such as downloading or opening malicious files, Samas targets vulnerabilities in JBoss, a widely deployed Java application server, and requires no action by a user at all. As Cisco Talos detailed, the attackers exploit JBoss servers using open-source tools such as JexBoss, a testing and exploitation framework for JBoss, to gain a foothold on the server and then spread the ransomware across the internal network. Talos has also observed the attackers adjusting their ransom demands to test how much affected entities will pay, and it has released Snort rules and ClamAV signatures to help entities detect Samas.
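To make the Talos observation concrete for a security operations team, here is an added example (it is not from the original post, and it is neither Talos's Snort rules nor the JexBoss tool) that runs three JBoss-abuse checks over web server access-log lines: a sweep of the management endpoints JexBoss probes, a jmx-console HtmlAdaptor call that writes a file through the DeploymentFileRepository MBean, and a POST to an invoker servlet, which is how a serialized Java object reaches the server. The log lines, IP addresses, rule names, window and threshold are all constructed for this example.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# JBoss management and remoting endpoints that JexBoss probes for and then
# exploits. None of them should be reachable from untrusted networks.
JBOSS_PATHS = (
    "/jmx-console/",
    "/web-console/Invoker",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
    "/admin-console/",
)
# Endpoints that deserialize a POSTed Java object.
INVOKER_PATHS = ("/web-console/Invoker", "/invoker/JMXInvokerServlet",
                 "/invoker/EJBInvokerServlet")

Finding = namedtuple("Finding", "kind ip ts url")


def parse(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window=timedelta(minutes=5), enum_threshold=3):
    """Run three JBoss-abuse rules over access-log lines and return Findings."""
    findings = []
    probes = defaultdict(list)   # ip -> [(timestamp, matched JBoss path prefix)]
    enum_reported = set()
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue
        path, _, query = rec["url"].partition("?")
        prefix = next((p for p in JBOSS_PATHS if path.startswith(p)), None)
        if prefix is None:
            continue
        # Rule 1: a POST to an invoker servlet carries a serialized Java object;
        # HTTP 200 means the server accepted and deserialized it.
        if rec["method"] == "POST" and path in INVOKER_PATHS and rec["status"] == 200:
            findings.append(Finding("invoker_post", rec["ip"], rec["ts"], rec["url"]))
        # Rule 2: invoking DeploymentFileRepository through the jmx-console
        # HtmlAdaptor writes an attacker-chosen file (typically a JSP shell)
        # into the deploy directory.
        if (path.startswith("/jmx-console/HtmlAdaptor")
                and "invokeOp" in query and "DeploymentFileRepository" in query):
            findings.append(Finding("jmx_console_deploy", rec["ip"], rec["ts"], rec["url"]))
        # Rule 3: one source touching several distinct management endpoints
        # inside the window is the JexBoss-style enumeration sweep.
        probes[rec["ip"]].append((rec["ts"], prefix))
        recent = {p for t, p in probes[rec["ip"]] if rec["ts"] - t <= window}
        if len(recent) >= enum_threshold and rec["ip"] not in enum_reported:
            enum_reported.add(rec["ip"])
            findings.append(Finding("jboss_enumeration", rec["ip"], rec["ts"], rec["url"]))
    return findings


# Constructed sample log lines (not real traffic): a sweep, a jmx-console
# deployment and a POST to the JMX invoker from one source, plus benign
# traffic from another. The arg3 payload is elided as PAYLOAD.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2016:10:00:01 +0000] "HEAD /jmx-console/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/Mar/2016:10:00:02 +0000] "HEAD /web-console/Invoker HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/Mar/2016:10:00:02 +0000] "HEAD /invoker/JMXInvokerServlet HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/Mar/2016:10:00:05 +0000] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.admin:service=DeploymentFileRepository&methodIndex=5&arg0=sh.war&arg1=sh&arg2=.jsp&arg3=PAYLOAD&arg4=True HTTP/1.1" 200 1342 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/Mar/2016:10:00:07 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Mar/2016:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Mar/2016:10:01:30 +0000] "GET /jmx-console/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts:%H:%M:%S} {f.ip} {f.kind}: {f.url}")
```

The three rules are cumulative evidence, not a Samas signature: a POST to JMXInvokerServlet from an internal deployment host is normal, so the window, threshold and any source-address allowlisting should be tuned to the environment. The lasting fix is the one the advisories point to: keep these consoles off untrusted networks and patch or retire JBoss versions that cannot be secured.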
In addition to Cisco’s research team, Microsoft’s Malware Protection Center is tracking Samas infections and chronicling how the attack changes over time. The guidance from government and from companies working in the cybersecurity space underscores the importance of keeping software up to date and networks protected.
US-CERT’s recent alert also
provides the following preventive measures for individuals and organizations:
· Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
· Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
· Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
· Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
· Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
· Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.
· Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.
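The Locky delivery vector described earlier (Office documents and .rar/.zip archives in spam) and the macro and attachment items in the US-CERT list above can be turned into a mail-gateway rule. The following added example (not part of the original post or of the US-CERT alert) triages attachments by content rather than by file extension: OOXML documents that carry a VBA project, archives holding scripts or executables, and containers the gateway cannot look inside (RAR, legacy OLE Office files) are quarantined. The sample attachments are built in memory and are constructed for the example; the verdicts and the extension list are this example's policy, not a standard.

```python
import io
import zipfile

# Magic bytes used for content-based (not extension-based) triage.
RAR_MAGIC = b"Rar!\x1a\x07"                        # RAR4 and RAR5 both start this way
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"
# Extensions that execute when double-clicked on Windows (policy choice for this example).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
               ".exe", ".scr", ".bat", ".cmd", ".ps1")


def classify_attachment(name, data):
    """Return (verdict, reason); verdict is "allow" or "quarantine"."""
    if data.startswith(RAR_MAGIC):
        return "quarantine", "RAR archive: contents cannot be inspected here"
    if data.startswith(OLE_MAGIC):
        return "quarantine", "legacy binary Office file: macro storage needs OLE parsing before release"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                members = z.namelist()
        except zipfile.BadZipFile:
            return "quarantine", "corrupt zip container"
        # OOXML (.docx/.xlsx/.pptx and their macro-enabled siblings) is a zip;
        # a VBA project is stored as vbaProject.bin inside it, whatever the
        # file extension claims.
        vba = [m for m in members if m.lower().endswith("vbaproject.bin")]
        if vba:
            return "quarantine", f"Office document with VBA project: {vba[0]}"
        if "[Content_Types].xml" in members:
            return "allow", "Office document without macros"
        scripts = [m for m in members if m.lower().endswith(SCRIPT_EXTS)]
        if scripts:
            return "quarantine", f"archive contains executable content: {scripts[0]}"
        return "allow", "archive without executable content"
    return "allow", f"{name}: not an archive or Office container"


def triage(attachments):
    """Map attachment name -> verdict for a dict of {name: bytes}."""
    return {name: classify_attachment(name, data)[0] for name, data in attachments.items()}


# --- constructed samples, built in memory; none of this is real malware ---
def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for member, content in entries.items():
            z.writestr(member, content)
    return buf.getvalue()


def _ooxml(part_dir, with_vba):
    entries = {"[Content_Types].xml": "<Types/>", f"{part_dir}/document.xml": "<doc/>"}
    if with_vba:
        entries[f"{part_dir}/vbaProject.bin"] = OLE_MAGIC + b"\x00" * 8
    return _zip(entries)


SAMPLE_ATTACHMENTS = {
    "invoice.docm": _ooxml("word", True),        # macro-enabled Word document
    "invoice.docx": _ooxml("word", True),        # same content under a non-macro extension
    "report.docx": _ooxml("word", False),
    "scan_0423.zip": _zip({"scan_0423.js": "var a=1;"}),   # script-in-archive pattern
    "photos.zip": _zip({"img_001.jpg": b"\xff\xd8\xff"}),
    "docs.rar": RAR_MAGIC + b"\x00" * 16,
    "old_memo.doc": OLE_MAGIC + b"\x00" * 32,
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        verdict, reason = classify_attachment(name, data)
        print(f"{verdict:10} {name}: {reason}")
```

Quarantining what the gateway cannot inspect is deliberate: an archive format the filter cannot open, or a legacy binary Office file whose macro storage it has not parsed, is exactly where a macro-enabled lure hides, so the safe default is to hold it for review rather than assume it is clean.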