Ransomware attacks are among the most disruptive and costly cybersecurity incidents experienced by healthcare organizations and other businesses. Attackers see a tremendous opportunity to extract large sums of money by holding data hostage. And by preying on organizations that have valuable data, mission-critical systems, and insufficient defenses, these attackers too often succeed.
How can your organization protect itself from ransomware attacks? You need a multi-layered strategy that can address evolving threats, minimize disruptions, and keep your data secure.
The first step in combating ransomware is to arm yourself with information. Understanding what ransomware is, how it works, what forms it might take, and whom it typically targets can help you begin developing your security strategy.
Ransomware is a form of malicious software that encrypts data, preventing authorized users from accessing it. Attackers demand ransom for providing the decryption key. Today many attackers layer on additional threats.
Attacks often start with a phishing scheme: Users are tricked into clicking on a link within an email or text. They are taken to a website where they are asked to input network login credentials, which attackers then steal and use to access the enterprise network. Attacks might also begin with a drive-by download, in which hackers send malware to a device without the user’s knowledge. In some cases, attackers conduct a network intrusion to directly infiltrate an organization’s IT environment.
Once the attackers or their ransomware enter the network, the ransomware can then spread across systems. It encrypts data or otherwise locks users out of apps and systems.
There have been numerous types and strains of ransomware over the years. For example:
Scareware and extortionware more frequently target individuals than organizations.
The severity of a ransomware attack can depend on multiple factors, including how far the infection has spread and who is the intended target.
Whether attackers gain network access by stealing login credentials, capitalizing on a software vulnerability, or conducting a drive-by app installation, they might be able to spread ransomware easily across an IT environment. In fact, today’s variants can often self-propagate laterally across a network. Unless an organization has effectively segmented systems and data, that ransomware can quickly find its way from network endpoints to the most sensitive information and applications.
The infection might not stop at the initial target’s network. Because ransomware can potentially infect any devices and systems connected to the network, it could reach into partner networks as well. Attackers might target small or medium-sized organizations, with less robust defenses, to ultimately access larger partner environments, with even more valuable data.
For healthcare organizations and other businesses, the impact of a ransomware attack can be devastating. At the very least, an attack can disrupt essential operations, which might include providing critical services to patients or processing insurance claims. Depending on the systems infected, and the resolution of the crisis, it could take weeks or months before an organization is fully functional.
The financial costs can be staggering. A ransom—if the attacked organization decides to pay—could amount to millions of dollars. The organization might then need to recover data and restore systems, conduct forensic investigations, and begin to patch vulnerabilities. Moreover, the organization might need to pay regulatory fines and the costs of subsequent litigation with patients. In addition, hospitals and providers could lose revenues from canceled appointments and procedures. A damaged reputation could further affect revenues in the months and years to come.
Disrupted healthcare operations can also put patient health at risk. If individuals are unable to communicate with providers, fill prescriptions, have procedures, or receive emergency care, they could suffer immediate and lasting health effects.
How can you best protect your organization from a ransomware attack? A few key strategies can help reduce the odds that attackers will successfully infiltrate your IT environment and hold your data hostage.
Updating software and systems is an essential means of thwarting ransomware attacks. Application and operating system vendors have a vested interest in protecting their products. They will do their best to discover vulnerabilities, and quickly release patches and updates. Install those updates promptly, and make sure they reach all of the applicable systems.
Backing up sensitive data and deploying redundant systems can help significantly reduce the imperative to pay ransoms. If you have a full, up-to-date, and immutable (i.e., unchangeable) copy of data, you might be able to refuse attackers’ demands. And if you can failover to alternate systems during an attack, you can avoid operational disruptions.
Phishing and other social engineering schemes are among the most common ways that attackers gain access to networks and release malware. Employee education is vital in preventing attackers from stealing the credentials that will allow them through the gates. Employees should know how to recognize phishing emails and texts, and understand how to alert security teams.
In addition, employees must integrate cybersecurity best practices in their day-to-day work. For example, they should learn best practices for setting unique passwords, using multi-factor authentication (MFA) tools, and protecting devices from theft. Instilling these best practices in employees as part of a culture of security can play a central role in reducing risks.
Antivirus and anti-malware solutions provide an important layer of defense against multiple types of attacks. These solutions might scan emails for phishing links, examine email attachments for viruses, and block users from accessing suspicious websites.
Security features built into operating systems can further help protect computers. For example, Windows Security scans for malware, viruses, and other threats. It can also download patches and updates automatically to keep systems protected against emerging threats.
Employing network security solutions provides another layer of defense. Firewalls, web application firewalls (WAFs), and intrusion prevention/intrusion detection systems (IPS/IDS) can prevent malware from reaching networks by scanning incoming traffic. These and other solutions can also block suspect IP addresses, prevent unauthorized remote access, and restrict the flow of malicious files. If malware does reach the network, these solutions can prevent those programs from communicating with their external command-and-control systems.
Individuals should be counseled to avoid visiting unsecured or suspicious-looking websites. They should also refrain from opening any email attachments or clicking on any links in emails or texts received from unknown senders. Scrutinizing URLs and the content of emails can help individuals avoid costly errors: Phishing emails often have misspellings and direct people to websites whose URLs vary only slightly from legitimate sites.
Mobile devices are not immune to ransomware attacks. In fact, smartphones, tablets, wearables, and Internet-of-Things (IoT) devices can be appealing targets because they are typically less protected than desktops and laptops.
If cybercriminals successfully attack a device, they can prevent access to data, install disruptive apps, display threatening messages, steal data located on the device, or completely lock out users. But mobile ransomware engenders an even greater risk to businesses. If attackers can infiltrate the mobile device of one of your employees, they might use that device to gain access to your entire network. One employee clicking on a phishing email or accidentally visiting a compromised site could lead to a full-scale breach of your IT environment.
Installing the latest security patches and updating software are critical for protecting mobile devices. If you are managing employees’ devices, deploy patches and updates quickly and completely across all devices.
Education will once again be key. Make sure employees avoid clicking on dubious links, downloading apps from sites they don’t recognize, and visiting suspicious websites.
As with desktops, laptops, servers, and other IT systems, backing up data on mobile devices is key. Individual users should consider using cloud-based backup services to protect personal data. Organizations should make sure any corporate data that is accessed or stored on mobile devices is similarly backed up regularly.
Despite your efforts to protect the endpoints that are often vectors for ransomware, cybercriminals will continue attacking. How can you mitigate the risks to your organization?
Healthcare organizations and other businesses cannot afford to be reactive. Your organization should have a comprehensive cybersecurity strategy in place that addresses the potential for ransomware attacks and other types of breaches. That strategy must cover the technologies that can help block attacks; the processes for training personnel, identifying threats, safeguarding data, and restoring systems; and the policies for addressing ransom demands, notifying customers or patients, and contacting authorities.
Organizations should also implement robust business continuity and disaster recovery (DR) strategies. Conducting frequent, regular, and complete backups of data to offsite locations, for example, can help reduce the need to pay ransoms for decrypting primary data repositories. Deploying redundant systems, or running apps in the cloud, can also help healthcare organizations avoid disruptions that can cut into revenues and put patient safety at risk.
Attackers might succeed in infecting endpoints or network systems with ransomware. Having a ransomware incident response plan in place is critical for resuming operations quickly.
For individual employees using desktops, laptops, or mobile devices, signs of a ransomware infection might include slow performance, unexpected software crashes, operating system freezes, or reduced storage space. Users might notice that their usual web browser has a new toolbar or URLs are redirecting to odd pages.
For IT and security teams, one early sign of a ransomware attack is an uptick in spam and phishing emails across the company. Administrators might also see numerous attempts to access network resources, network scanning, the presence of known hacker tools, scrambled file names or contents, attempts to disable access directories and domain controllers, and increased backup activity (since a backup solution might try to back up newly modified files).
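The "scrambled file names or contents" indicator above is one that security teams can turn into detection logic over file-system audit telemetry. The following is an added example, not code from the original article or from Cloudticity: it scores each write event on two signals the text mentions (a rename to an extension the organization does not recognize, and written content whose byte entropy looks like ciphertext rather than documents) and alerts when one host/process pair produces a burst of such writes inside a short window. The event records, the host names, the process name `updater.exe`, and the set of "known" extensions are all constructed for the demonstration; a real deployment would read the equivalent fields from its EDR or file-server audit log.

```python
import math
from collections import defaultdict, deque
from datetime import datetime

# Extensions expected on this (constructed) file share. A rename to anything
# outside this set is treated as an "unknown" extension.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "csv", "hl7"}

# Constructed sample content. The byte ramp stands in for encrypted output,
# which has near-maximal entropy; the text stands in for an ordinary record.
PLAINTEXT = b"Patient: J. Doe\nDOB: 1970-01-01\nDx: routine follow-up\n" * 4
CIPHERTEXT_LIKE = bytes(range(256))

# Constructed audit events (not real telemetry). new_path is None when the
# write did not rename the file; sample is a slice of the bytes written.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01", "host": "ws-17", "process": "updater.exe",
     "path": "/share/records/a.docx", "new_path": "/share/records/a.docx.locked",
     "sample": CIPHERTEXT_LIKE},
    {"ts": "2024-05-01T10:00:05", "host": "ws-17", "process": "updater.exe",
     "path": "/share/records/b.xlsx", "new_path": "/share/records/b.xlsx.locked",
     "sample": CIPHERTEXT_LIKE},
    {"ts": "2024-05-01T10:00:09", "host": "ws-17", "process": "updater.exe",
     "path": "/share/records/c.pdf", "new_path": "/share/records/c.pdf.locked",
     "sample": CIPHERTEXT_LIKE},
    {"ts": "2024-05-01T10:00:12", "host": "ws-17", "process": "updater.exe",
     "path": "/share/records/d.hl7", "new_path": "/share/records/d.hl7.locked",
     "sample": CIPHERTEXT_LIKE},
    # Benign edit: no rename, low-entropy document content.
    {"ts": "2024-05-01T10:00:03", "host": "ws-02", "process": "winword.exe",
     "path": "/share/records/e.docx", "new_path": None, "sample": PLAINTEXT},
    # Benign rename: known extension and low entropy, so not suspicious.
    {"ts": "2024-05-01T10:00:20", "host": "ws-02", "process": "explorer.exe",
     "path": "/share/records/f.txt", "new_path": "/share/records/f_final.txt",
     "sample": PLAINTEXT},
    # A single suspicious write on another host: below the burst threshold.
    {"ts": "2024-05-01T10:05:00", "host": "ws-09", "process": "updater.exe",
     "path": "/share/records/g.csv", "new_path": "/share/records/g.csv.locked",
     "sample": CIPHERTEXT_LIKE},
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_suspicious_write(event: dict, entropy_threshold: float = 7.0) -> bool:
    """A write is suspicious only when the file was renamed to an unrecognized
    extension AND the bytes written look like ciphertext. Requiring both keeps
    ordinary compressed files and user renames from triggering on their own."""
    renamed_to_unknown = (
        event["new_path"] is not None
        and extension(event["new_path"]) not in KNOWN_EXTENSIONS
    )
    return renamed_to_unknown and shannon_entropy(event["sample"]) >= entropy_threshold


def find_encryption_bursts(events, window_seconds=60, threshold=3):
    """Return {(host, process): peak_count} for every host/process pair that
    produced at least `threshold` suspicious writes within `window_seconds`."""
    recent = defaultdict(deque)  # (host, process) -> timestamps in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_suspicious_write(ev):
            continue
        key = (ev["host"], ev["process"])
        ts = datetime.fromisoformat(ev["ts"])
        window = recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(window))
    return alerts


if __name__ == "__main__":
    for (host, proc), count in find_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host} {proc}: {count} encrypted-looking renames in 60s")
```

The burst threshold matters as much as the per-write signals: a single high-entropy rename happens legitimately (an archive tool, a user renaming a zip), but several per minute from one process on a file share is the pattern that warrants isolating that host under the response steps described later on this page.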
If an individual suspects a ransomware or malware attack, the first step is to disconnect from the network. The user should contact the IT or security team using a distinct device.
When IT or security administrators suspect an attack, they should first identify the systems that might be infected. They must quickly isolate them—by disconnecting them from the network or powering them down—to prevent the ransomware from spreading. Teams can then identify the ransomware and inspect other systems for infections. When they are sure they have found every trace of infection and sufficiently isolated systems, they can then start sanitizing infected systems. Next, they can restore systems and retrieve clean data from backups.
Of course, if attackers are holding data hostage, an organization might need to enact a secondary plan. Unless your company has a failover system and complete backups of data, your IT and security teams might need to wait until they can regain access to data and systems before beginning remediation efforts.
Organizations attacked by ransomware need to report the incident to law enforcement and regulatory authorities. For example, if a healthcare organization subject to HIPAA rules experiences a breach of patient data, the organization must report the incident to the U.S. Department of Health and Human Services (HHS).
An attacked organization also needs to notify any customers or patients whose data might have been exposed. The organization then needs to offer identity protection services to those individuals for a time after the event.
If your organization is attacked with ransomware, and your data is held hostage, should you pay the ransom?
Many organizations are reluctant to pay attackers to regain access to data. The high cost of ransom—which, for healthcare organizations, could amount to millions of dollars—might be sufficient reason to refuse payment.
Nevertheless, paying the ransom is often the fastest way to restore access to data and systems. When healthcare organizations are attacked, their operations can be severely disrupted, leaving them unable to serve patients and provide critical care. Consequently, healthcare organizations tend to pay ransoms more frequently than companies in other fields.
Governments and law enforcement agencies discourage organizations from paying ransoms. The International Counter Ransomware Initiative—which includes members from 48 countries, the European Union, and Interpol—released a joint policy statement saying that governments should not pay ransomware extortion demands. The United States signed, though the U.S. federal government has not banned companies from paying ransoms.
Organizations also have a legal responsibility to protect sensitive data. If a healthcare organization refuses to pay a ransom, and then attackers sell patient data, the organization could be subject not only to regulatory fines but also lawsuits. When presented with an ultimatum, organizations will need to weigh the legal—and financial—consequences of both paying and not paying.
There are also ethical considerations. Paying the ransom rewards criminal behavior. As more organizations give in to attackers’ demands, more criminals will launch attacks.
Some organizations can avoid paying ransom, or at least reduce the pressure to pay it. Backing up data and implementing redundant failover systems can eliminate the disruptions caused by attacks. If your organization has a complete (or nearly complete) copy of patient data available, and systems that are ready to go at a moment’s notice, you can continue business as usual while you address the ransomware that infected your environment.
If you’re attacked, how can you safely remove ransomware from your IT environment and get back to business?
Any infected systems should be disconnected from the network so the ransomware has no means of spreading further. You can then use security software to locate malicious files and delete them with antivirus tools.
If you pay the ransom, attackers are supposed to provide a decryption key. But in practice, not all these criminals honor their end of the bargain. Of course, you might also decide against paying. In either case, you will be left with encrypted data. Without complete backup copies of data, you would need a decryption tool from a security vendor to unlock those files and regain access.
If your organization implemented a data backup strategy before an attack, you have another option for restoring data and systems. You can wipe clean infected systems (being sure to remove all ransomware), reinstall operating systems and additional software, and then restore data from clean, secure copies of files. Regularly backing up data and software is an excellent method of reducing disruptions and minimizing data loss resulting from ransomware attacks.
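Restoring from "clean, secure copies of files" presupposes a way to prove the copies are still clean, which is also what the earlier advice about an immutable backup copy is getting at. The following is an added example, not code from the original article or from Cloudticity: at backup time it records a SHA-256 digest of every file and seals the manifest with an HMAC, and at restore time it refuses the whole set if the seal fails and otherwise reports every file that is missing, altered, or unexpected. The directory layout, file contents, and the key are constructed for the demonstration; the design assumption is that the HMAC key is held somewhere the backup host cannot reach (an offline vault or a separate credential store), since a key readable by ransomware on the backup host would let an attacker re-seal a tampered manifest.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Serialise the manifest canonically and seal it with HMAC-SHA256."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": body, "hmac": tag})


def verify_backup(root: Path, signed: str, key: bytes):
    """Return (ok, problems). The manifest itself is checked first; if its
    seal is invalid nothing in it can be trusted and no restore should proceed."""
    doc = json.loads(signed)
    expected = hmac.new(key, doc["manifest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        return False, ["manifest signature invalid; do not restore from this set"]
    recorded = json.loads(doc["manifest"])
    current = build_manifest(root)
    problems = []
    for rel, digest in recorded.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"altered: {rel}")
    for rel in current:
        if rel not in recorded:
            problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Constructed backup set: seal it, verify it, then simulate a file being
    encrypted in place and a forged seal. Returns the three verification results."""
    key = b"constructed-demo-key-real-keys-live-offline"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "records").mkdir()
        (root / "records" / "a.hl7").write_bytes(b"MSH|^~\\&|constructed sample\r")
        (root / "claims.csv").write_bytes(b"claim_id,amount\n1,120.00\n")
        signed = sign_manifest(build_manifest(root), key)
        clean = verify_backup(root, signed, key)
        # Simulated tampering: claims.csv overwritten with ciphertext-like bytes.
        (root / "claims.csv").write_bytes(bytes(range(256)))
        tampered = verify_backup(root, signed, key)
        # Simulated forgery: same manifest body, but a seal made without the key.
        forged_doc = {"manifest": json.loads(signed)["manifest"], "hmac": "0" * 64}
        forged = verify_backup(root, json.dumps(forged_doc), key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

Running the check before every restore, and again on a schedule against the stored copies, turns "immutable backup" from a storage setting into something the recovery team can demonstrate; a set that fails verification is quarantined rather than restored.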
The potential to generate large sums of money by holding data hostage will propel the continued growth of ransomware attacks. As cybercriminals tap into new technologies and devise new techniques, their targets must step up their defenses.
Ransomware attacks have occurred for several decades, but tactics and techniques have evolved substantially. Today attackers continue to create new ways to access networks and rapidly spread infections. Meanwhile, they are adding new layers to their extortion schemes, adding the threats of stealing data and attacking partners.
There’s no doubt that cybercriminals will continue to capitalize on emerging technologies to devise new types of attacks and to improve their success rates. Attackers are already using AI to craft better phishing emails, for example, and tapping into Ransomware-as-a-Service offerings to launch new viruses without having to write their own code.
How can your organization stay ahead of shifting threats? You need a multi-layered strategy that aims to protect data, prevent ransomware infection, mitigate damage, minimize disruptions, and rapidly return to business as usual. Beyond implementing the right cybersecurity solutions, you should also educate teams and present best practices for reducing risks. Ultimately, the best defense against evolving ransomware threats will be a combination of strategy, technology, and preventive actions, employed consistently across the organization.
Ready to start building a better cybersecurity strategy for addressing ransomware threats? Cloudticity can help. Reach out today for a free consultation.