How to Remove Ransomware and Decrypt Encrypted Files: Ultimate Guide

Author: Cloudticity, L.L.C. | Tagged in Security

Ransomware attacks continue to be a major threat for healthcare organizations. Cybercriminals know that providers, insurers, and other healthcare organizations have a wealth of sensitive data and mission-critical systems that are often vulnerable to attack. Criminals also know that these organizations will be highly motivated to end operational disruptions and restore access to data, even if that means paying hefty ransoms.

How can your organization best prepare for ransomware attacks? In addition to developing a strategy to prevent attacks, you also need a plan for responding and recovering. Adopting best practices for removing ransomware from your environment, for example, will be critical for resuming normal operations quickly.

What is Ransomware?

Understanding what ransomware is, how it works, and what forms it might take is the first step in building a plan for removing it from your environment.

Definition of ransomware

Ransomware is a form of malicious software—malware—that encrypts data, preventing authorized users from accessing it. Attackers demand ransom in exchange for the decryption key. Though there are several types of ransomware, and numerous variants, the strategy is generally to hold data hostage. 

How ransomware works

Attacks often start with a phishing scheme or another social engineering tactic. Employees might be tricked into clicking on a link within an email or text. They are taken to a seemingly authentic website, where they are asked to input login credentials. Attackers then steal those credentials to access the enterprise network.

Cybercriminals also use other entry points. Malicious email attachments and drive-by downloads can deliver malware to devices without the users’ knowledge. Attackers can also break in directly by exploiting an unpatched vulnerability in an internet-facing service, or by logging in through exposed remote-access services such as RDP or VPN portals with stolen or guessed credentials.

Once attackers have access to the network, they deploy the ransomware. Some strains self-propagate by exploiting vulnerable neighboring hosts, but most modern attacks are human-operated: the intruders first escalate privileges, move laterally to file servers, backups, and domain controllers, often exfiltrate data, and only then launch the encryptor across as many systems as possible. It encrypts data or otherwise locks users out of apps and systems.

Different types of ransomware

Cybercriminals have created numerous types and strains of ransomware over the years. Some—like “scareware” and “extortionware”—are more frequently used to target individuals than organizations. Healthcare organizations and other businesses often encounter one of two general types:

  • Crypto ransomware encrypts data, preventing users from accessing the data without the decryption key. Attackers typically demand ransom in cryptocurrency.
  • Locker ransomware completely locks users out of their systems, though it generally leaves files and folders untouched. Users see a lock screen that shows the ransom demand, sometimes accompanied by a countdown clock. 

Detecting a Ransomware Attack

The initial ransomware infection is not always obvious. Attackers do their best to fly under the radar until the ransomware successfully encrypts the target data. But there are a few signs that individuals and IT administrators should watch for. 

Common signs of a ransomware infection

For individual employees using desktops, laptops, or mobile devices, the most telling signs are files that suddenly cannot be opened, files renamed with an unfamiliar extension, and text or HTML “how to restore your files” notes appearing in folders. Less specific symptoms, such as slow performance, unexpected software crashes, operating system freezes, rapidly shrinking free disk space, or a browser with a new toolbar or odd redirects, can point to malware of some kind and are worth reporting, even though on their own they are not proof of ransomware.

IT and security teams might observe a spike in spam or phishing emails across the company. Administrators might also see repeated failed logins, unusual attempts to access network resources, or network scanning from an internal host. They might subsequently discover known attacker tooling (credential dumpers, remote-access utilities, archive tools staged for exfiltration), scrambled file names or contents, attempts to tamper with Active Directory and domain controllers, and commands that delete volume shadow copies or disable recovery, which operators typically run just before encryption. Data backup activity might also increase if the backup system tries to back up the newly modified files.

Monitoring tools and techniques

Continuously monitoring endpoints, network traffic, servers, and storage can help detect attacks early. Antivirus and anti-malware tools provide a first line of defense, and endpoint detection and response (EDR) agents add visibility into process, file, and registry activity that signature scanning misses. Security information and event management (SIEM) systems can also identify atypical or dangerous events by correlating login attempts, files accessed, and websites visited across sources. Whether operating in on-premises or cloud environments, some organizations will benefit from outsourcing 24/7 monitoring to partners, which can draw on threat-hunting intelligence and apply automated, continuous monitoring solutions.
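As an added example (not code from the original article), the following Python script applies two of the signals described above to a constructed feed of endpoint file events: a burst of renames to an unfamiliar extension by a single process, and the creation of a ransom-note-like file. The JSON field names (host, process, action, path, ts), the thresholds, the host and process names, and the sample records are all assumptions for the demo; in practice the same fields would come from an EDR or file-audit source and the alerts would be routed to the SIEM.

```python
"""Flag ransomware-like file activity in endpoint file-event telemetry.

Added example, not from the original article. It assumes a JSON-lines feed
of file events with fields host, process, action, path, ts (ISO 8601), as an
EDR or file-audit source might emit; field names, thresholds and the sample
records are constructed for the demo.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# File names ransomware drops beside encrypted files. Deliberately narrower than
# "readme": a bare README.txt is far too common to alert on.
RANSOM_NOTE_RE = re.compile(
    r"(how[_ -]?to[_ -]?(decrypt|restore)|(restore|recover)[_ -]?(my[_ -]?)?files"
    r"|decrypt[_ -]?instructions).*\.(txt|html|hta)$", re.I)
# Extensions that ordinary user workloads legitimately write. Renames to anything
# else are counted toward the burst threshold.
KNOWN_EXT = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png", "log", "tmp", "bak"}

def basename(path):
    return re.split(r"[\\/]", path)[-1]

def parse_events(lines):
    events = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def rename_bursts(events, window=timedelta(seconds=60), threshold=50):
    """(host, process) -> peak number of renames to unfamiliar extensions inside
    any `window`; only pairs reaching `threshold` are returned."""
    per_proc = defaultdict(list)
    for ev in events:
        if ev["action"] != "rename":
            continue
        ext = basename(ev["path"]).rsplit(".", 1)[-1].lower()
        if ext not in KNOWN_EXT:
            per_proc[(ev["host"], ev["process"])].append(ev["ts"])
    hits = {}
    for key, stamps in per_proc.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):          # sliding window over sorted times
            while t - stamps[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            hits[key] = peak
    return hits

def ransom_notes(events):
    return sorted({(ev["host"], ev["path"]) for ev in events
                   if ev["action"] == "create" and RANSOM_NOTE_RE.search(basename(ev["path"]))})

def analyze(lines):
    events = parse_events(lines)
    bursts = rename_bursts(events)
    notes = ransom_notes(events)
    alerts = [f"{h}: {p} renamed {n} files to unfamiliar extensions within 60s"
              for (h, p), n in bursts.items()]
    alerts += [f"{h}: ransom-note-like file created: {path}" for h, path in notes]
    return {"bursts": bursts, "notes": notes, "alerts": alerts}

def build_sample():
    """Constructed telemetry: normal Word saves, a benign README, then an encryptor
    dropped in AppData renaming 60 documents in 24 seconds and leaving a note."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    rows = []
    def add(host, proc, action, path, offset):
        rows.append(json.dumps({"host": host, "process": proc, "action": action,
                                "path": path, "ts": (t0 + timedelta(seconds=offset)).isoformat()}))
    for i in range(5):
        add("ws-0142", "WINWORD.EXE", "rename", f"C:/Users/jdoe/Documents/report_{i}.docx", i * 30)
    add("ws-0207", "explorer.exe", "create", "C:/Users/asmith/Desktop/README.txt", 200)
    for i in range(60):
        add("ws-0142", "upd.exe", "rename", f"C:/Users/jdoe/Documents/report_{i}.docx.lockd", 600 + i * 0.4)
    add("ws-0142", "upd.exe", "create", "C:/Users/jdoe/Documents/HOW_TO_RESTORE_FILES.txt", 630)
    return rows

if __name__ == "__main__":
    for line in analyze(build_sample())["alerts"]:
        print(line)
```

The burst threshold and the extension allow-list have to be tuned per environment: a backup agent, a bulk rename by a document-management tool, or a developer build can legitimately rename hundreds of files in a minute, so in a production rule the rename burst is usually combined with the process path (an executable under a user-writable directory) or with the ransom-note signal before it pages anyone. The benign README.txt in the sample is there to show why the note pattern must be narrower than “any readme”.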

Importance of early detection  

Attackers want to go unnoticed until data is encrypted and it’s time to demand ransom. For IT and security teams, early detection is key for stopping the spread of ransomware and mitigating damage. If administrators can identify an infection early, before it has moved from a single endpoint to the file servers, databases, and backups that hold sensitive information, they can avoid a large-scale disruption and defeat the attackers’ plan for demanding ransom.

Ransomware Infection: What Are Your Options?

Attackers want you to believe that you have no options when your IT environment has been infected: The only way to recover data is to pay. But in fact, you do have options for how you resolve the immediate crisis and how you can begin to return to business as usual.

Paying—or not paying—the ransom

If your organization is attacked with ransomware, and you are unable to access your data, you will need to decide whether or not to pay the ransom. There are several good reasons to refuse payment. First, the ransom could cost your organization millions of dollars. Second, paying the ransom rewards criminal behavior and could encourage more criminals to launch attacks. Consequently, many governments and law enforcement agencies discourage organizations from paying. Moreover, even if you do pay, there is no guarantee that the attackers will actually turn over a working decryption key; the decryptors they supply are often slow or buggy, and paying does nothing to remove the attackers’ access or to recover data they have already stolen. In the United States, payments to sanctioned individuals or groups can also expose the payer to penalties, so legal counsel should be involved before any payment is considered.

You also might be able to recover data and restore systems without paying the ransom. The availability of a clean, complete backup of data could help simplify the decision: You might have very little to lose by refusing payment. 

Still, paying the ransom is often the fastest way to restore access to data and systems. If your operations are severely disrupted, you might be unable to adequately serve patients and provide critical care. It’s not surprising that healthcare organizations are more likely to pay ransoms than businesses in other fields.

Attempting to remove the ransomware

Before paying the ransom, you could also attempt to remove the ransomware. If you can detect the ransomware early, you have a better chance of succeeding. In the best case, you might detect ransomware on a single device, before it has spread deep into the corporate network. You could disconnect the device from the network, capture a disk image (and, if the device is still running, a memory image) for the investigation, then wipe it and restore its operating system, software, and data from a clean backup. Treat every credential used on that device as compromised and reset it. Removing ransomware once it has spread is more challenging.

Restoring from backups

Even if the ransomware has reached critical systems and encrypted sensitive data, you still might have options. For example, if your organization has continuously backed up data, you could restore that data to clean systems. Having redundant systems in place would be even better: You could avoid service disruptions while you disinfect and wipe clean infected systems.

Removing Ransomware: Step-by-Step Guide

If you can detect a ransomware attack early, there are several important steps you should take immediately to reduce the likelihood of large-scale damage. The ransomware removal process can take anywhere from a few days to a few weeks depending on the strain, the spread of the infection, and of course, the skills of your team. 

Isolate the infected system

Isolate the infected system before ransomware spreads across your IT environment. Whether the system is a desktop, laptop, mobile device, or server, disconnect it from the network (unplug the cable, disable Wi-Fi, or quarantine it through your EDR console or switch port) rather than powering it off: memory can hold the running encryptor, its keys, and other evidence that is lost on shutdown. Power it down only if encryption is actively running and you have no other way to stop it. Your team can then work to eradicate the ransomware from the system and begin to rebuild it, restoring clean data from a backup.

Identify and terminate ransomware processes

If ransomware is spreading, you will need to identify it in your IT environment. Is this an encryptor or a locker? The ransom note, the extension appended to encrypted files, and a sample encrypted file are usually enough to identify the strain with free identification services, which will tell you how it spreads, whether a decryptor exists, and what you need to do to remove it. You should then terminate the ransomware processes on every affected host, including any scripts, services, or scheduled tasks that relaunch them, to stop further encryption and spread.

Delete ransomware files and registry entries

As part of your eradication efforts, you need to remove not only the ransomware executable but also its persistence mechanisms: registry Run keys, scheduled tasks, services, and startup-folder entries that would relaunch it after a reboot. Anti-malware and anti-ransomware tools are primarily designed to prevent attacks, but some can also help eliminate ransomware and inventory the encrypted files, which have typically been renamed with the strain’s extension.

It’s also possible you will need to employ specialized malware removal tools or remove modified files and registry entries manually. Partnering with outside security experts can help ensure you catch all traces of the ransomware as well as other files that might have been altered or damaged in the attack.
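The three steps above (identify the processes, terminate them, remove the files and registry entries) can be turned into a repeatable triage. The following Python script is an added example, not the article’s or any vendor’s tool: it takes a constructed snapshot of a Windows host’s process tree and Run-key entries, as you would export with tasklist or PowerShell before touching the host, and produces a termination order, the binaries to remove, and the autorun entries that would bring them back. The process names, paths, PIDs, and registry entries are constructed for the demo; the shadow-copy and boot-recovery commands it looks for are the real commands operators run before encrypting. It plans but does not kill or delete anything itself.

```python
"""Triage a process inventory and autorun entries from a suspected-infected
Windows host and produce a termination and cleanup plan.

Added example, not from the original article. Works on a constructed snapshot
(pid, ppid, name, path, cmdline, plus Run-key entries); it does not act on
the host, it tells you what to act on.
"""
import re
from collections import defaultdict

# Commands ransomware operators run to destroy recovery options before encrypting.
DESTRUCTIVE_CMD = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
]
# User-writable locations that system binaries never run from (but some legitimate
# apps do, so this alone is not enough to flag a process).
USER_WRITABLE = re.compile(r"[\\/](appdata|temp|tmp|public|downloads|programdata)[\\/]", re.I)

def norm(path):
    return path.replace("\\", "/").lower()

def is_destructive(p):
    return any(r.search(p["cmdline"]) for r in DESTRUCTIVE_CMD)

def triage(procs, run_entries):
    by_pid = {p["pid"]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p["pid"])

    flagged = set()
    # Start from each destructive command and walk up the parent chain: the real
    # actor is whatever spawned cmd.exe/vssadmin, usually a dropped executable in
    # a user-writable directory. Stop at the first ancestor that is neither.
    for p in procs:
        if not is_destructive(p):
            continue
        cur = p
        while cur is not None and (is_destructive(cur) or USER_WRITABLE.search(cur["path"])):
            flagged.add(cur["pid"])
            cur = by_pid.get(cur["ppid"])
    # Everything spawned by a flagged process goes too (worker processes, shells).
    stack = list(flagged)
    while stack:
        for c in children[stack.pop()]:
            if c not in flagged:
                flagged.add(c)
                stack.append(c)

    def depth(pid):
        d = 0
        while by_pid[pid]["ppid"] in by_pid:
            pid = by_pid[pid]["ppid"]
            d += 1
        return d

    # Kill parents before children so a watchdog parent cannot respawn them.
    terminate = sorted(flagged, key=depth)
    artifacts = sorted({by_pid[pid]["path"] for pid in terminate
                        if USER_WRITABLE.search(by_pid[pid]["path"])})
    # Autorun entries that would relaunch a flagged binary after reboot.
    registry = [(key, name) for key, name, cmd in run_entries
                if any(norm(a) in norm(cmd) for a in artifacts)]
    return {"terminate": terminate, "artifacts": artifacts, "registry": registry}

def build_sample():
    """Constructed snapshot: a dropper in AppData spawns cmd.exe to wipe shadow copies."""
    procs = [
        {"pid": 4,    "ppid": 0,    "name": "System",       "path": "", "cmdline": ""},
        {"pid": 812,  "ppid": 4,    "name": "services.exe", "path": "C:/Windows/System32/services.exe", "cmdline": "services.exe"},
        {"pid": 2140, "ppid": 812,  "name": "explorer.exe", "path": "C:/Windows/explorer.exe", "cmdline": "explorer.exe"},
        {"pid": 3308, "ppid": 2140, "name": "WINWORD.EXE",  "path": "C:/Program Files/Microsoft Office/root/Office16/WINWORD.EXE", "cmdline": "WINWORD.EXE /n"},
        {"pid": 4120, "ppid": 2140, "name": "upd.exe",      "path": "C:/Users/jdoe/AppData/Roaming/upd.exe", "cmdline": "upd.exe --silent"},
        {"pid": 4188, "ppid": 4120, "name": "cmd.exe",      "path": "C:/Windows/System32/cmd.exe", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
        {"pid": 4192, "ppid": 4188, "name": "vssadmin.exe", "path": "C:/Windows/System32/vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    ]
    run_key = "HKCU/Software/Microsoft/Windows/CurrentVersion/Run"
    run_entries = [
        (run_key, "OneDrive",  "C:/Users/jdoe/AppData/Local/Microsoft/OneDrive/OneDrive.exe /background"),
        (run_key, "WinUpdate", "C:/Users/jdoe/AppData/Roaming/upd.exe --silent"),
    ]
    return procs, run_entries

if __name__ == "__main__":
    print(triage(*build_sample()))
```

Two design points matter here. The walk up the parent chain is what separates the dropper from the tools it abuses: cmd.exe and vssadmin.exe are legitimate Windows binaries and must not be deleted, only stopped, while upd.exe in a user-writable directory is the artifact to preserve for analysis (hash it and copy it off-host before removal) and then delete. And the registry check is keyed on the flagged binaries rather than on “anything under AppData”, because legitimate software such as the OneDrive entry in the sample also lives there; a rule that flagged every AppData autorun would bury the real finding in noise.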

Decrypting Files

Whether or not you pay the ransom, you might need to decrypt the files affected by the ransomware. 

Employ decryption tools 

Fortunately, decryption tools and keys exist for a number of strains, and many are free: the No More Ransom project, for example, publishes decryptors contributed by law enforcement and security vendors. Still, you might encounter a strain for which no decryptor is readily available, or one whose decryptor works only for older versions. Either way, keep untouched copies of the encrypted files and the ransom note, test any decryptor on copies rather than the originals, and do not discard the encrypted data: keys are sometimes leaked or seized months after an attack.

Seek professional assistance

If you are unable to find an effective decryption tool, or are unsure about how to use one, you should consider working with an outside security expert to assist with the decryption process. In many cases, these businesses can help you restore access to files rapidly while sparing your team from having to learn how to manage the decryption process.  

Reporting Incidents and Addressing Vulnerabilities

Even before the smoke clears from an attack, your organization will need to report the incident to the appropriate authorities and begin notifying affected customers or patients. You should also start the process of identifying and addressing vulnerabilities exposed by the attack.

Report the incident to authorities 

Organizations attacked by ransomware need to report the incident to law enforcement and regulatory authorities; in the United States that means the FBI (through a local field office or IC3), and CISA also accepts reports from critical-infrastructure organizations, healthcare included. If your organization is subject to HIPAA, HHS treats ransomware encryption of electronic protected health information as a presumed breach unless you can demonstrate a low probability that the data was compromised. A breach affecting 500 or more individuals must be reported to the U.S. Department of Health and Human Services (HHS) without unreasonable delay and no later than 60 days after discovery; smaller breaches are reported to HHS annually.

You’ll also need to notify the individuals whose data might have been exposed, and prominent media outlets when a HIPAA breach affects more than 500 residents of a state. Offering credit monitoring or identity protection services to affected individuals for a period after the event is common practice and may be required by state law, regulators, or settlement terms.

Identify and address security vulnerabilities

The work of forensic analysis should begin even before all systems are back online. You should perform a root-cause analysis to determine, for example, how you were attacked, which endpoints were infected, what data was encrypted or exfiltrated, whether backups were altered, which customers or patients were affected, and whether any partners were also infected. Preserve logs, disk images, and memory captures before rebuilding systems, since a rebuild destroys the evidence the analysis depends on. Be sure to confirm that all infected systems have been quarantined and all ransomware has been eliminated before restoring data and resuming normal operations.

By understanding the causes and process of the attack, you can develop a strategy for closing any gaps. For example, if you determine that an attacker gained network access with a stolen username and password, you might enforce multi-factor authentication (MFA) on every remote-access path and privileged account rather than only on some. If the ransomware was able to encrypt your data backups, you need backup copies that the compromised environment cannot write to, such as offline or immutable storage protected by separate credentials. Whatever your plan, the remediation process should start quickly, before attackers strike again.

Preventing Future Ransomware Attacks

Ransomware attacks are unlikely to ebb anytime soon. Healthcare organizations and other businesses must prioritize ransomware prevention to help reduce the likelihood of extensive damage from an attack.

Implement regular backups

Backing up critical data is an essential component of any ransomware prevention strategy. Keep at least one copy that is immutable (write-once, such as object-lock or WORM storage) or offline, so that an attacker holding domain administrator rights still cannot encrypt or delete it, and test restores regularly: a backup that has never been restored is an assumption, not a control. With a full, up-to-date, and unchangeable copy of data, you might be able to refuse attackers’ demands for ransom. If you have redundant systems, you can fail over to those systems during an attack to avoid operational disruptions. Afterward, you can use your clean data backups to restore primary systems.
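Immutable storage keeps an attacker from rewriting a backup, but you still need a way to prove, before restoring, that a given backup set is the one you made and not one the intruder touched (the “whether backups were altered” question from the forensic checklist above). The following Python script is an added example, not code from the article or from any backup product: it records a SHA-256 digest of every file in a backup set, binds that list with an HMAC under a key that is assumed to be held off the backup host (a secrets manager or offline vault), and then verifies a copy of the set. The directory layout, file contents, and the simulated tampering are constructed for the demo.

```python
"""Sign a backup set with a keyed manifest and detect later tampering.

Added example, not from the original article. It assumes the HMAC key is kept
off the backup host (an HSM, a secrets manager, or an offline vault); the
directory layout and file contents are constructed for the demo.
"""
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path

def file_digest(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _inventory(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def build_manifest(root, key):
    """Hash every file under root and bind the list with an HMAC, so an attacker
    who can rewrite backup files cannot also rewrite the manifest to match."""
    files = {name: {"sha256": file_digest(p), "size": p.stat().st_size}
             for name, p in sorted(_inventory(root).items())}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_backup(root, manifest, key):
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    report = {"ok": False, "manifest_tampered": False, "modified": [], "missing": [], "unexpected": []}
    if not hmac.compare_digest(expected, manifest["hmac"]):
        report["manifest_tampered"] = True      # trust nothing in the manifest
        return report
    present = _inventory(root)
    recorded = manifest["files"]
    report["modified"] = sorted(n for n in recorded if n in present
                                and file_digest(present[n]) != recorded[n]["sha256"])
    report["missing"] = sorted(set(recorded) - set(present))     # renamed or deleted
    report["unexpected"] = sorted(set(present) - set(recorded))  # e.g. .lockd copies, ransom notes
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report

def demo():
    """Constructed scenario: sign a small backup, simulate ransomware overwriting one
    file in place and renaming another, then an attacker forging the manifest."""
    key = secrets.token_bytes(32)   # assumption: held off-host in real use
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ehr").mkdir()
        (root / "ehr" / "patients.db").write_bytes(b"\x00" * 4096)
        (root / "ehr" / "notes.txt").write_text("clinical notes\n")
        (root / "config.yml").write_text("retention: 90d\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        (root / "ehr" / "patients.db").write_bytes(secrets.token_bytes(4096))
        (root / "config.yml").rename(root / "config.yml.lockd")
        hit = verify_backup(root, manifest, key)

        # The attacker rewrites the manifest entry to match the encrypted file but
        # has no key, so the HMAC no longer verifies.
        manifest["files"]["ehr/patients.db"]["sha256"] = file_digest(root / "ehr" / "patients.db")
        forged = verify_backup(root, manifest, key)
    return clean, hit, forged

if __name__ == "__main__":
    for label, r in zip(("clean", "after encryption", "forged manifest"), demo()):
        print(label, r)
```

The HMAC is the point of the design: a plain list of SHA-256 hashes stored beside the backup would simply be recomputed by an intruder who has write access to that storage, while a keyed tag can only be regenerated with a key the backup host never holds. Run the check against the copy you intend to restore from, on a clean system, before anything is written back to production; the “unexpected” list is also a cheap way to spot ransom notes or encrypted duplicates that were swept into a backup taken while the attack was already under way. This complements, rather than replaces, object-lock or offline copies.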

Keep software up-to-date

Updating applications and operating systems is an important means of stopping ransomware attacks. Ransomware operators routinely exploit known vulnerabilities, especially in internet-facing VPN appliances, remote-access gateways, and file-transfer and email servers, often long after the vendor has published a fix. By installing those updates promptly and completely across systems, and prioritizing anything exposed to the internet, you remove the entry points that intrusions most commonly use.

Enhance security measures

Many organizations need to augment their existing security capabilities. Email security gateways can identify phishing attempts and strip or quarantine malicious attachments, web filtering can block users from reaching suspicious websites, and endpoint protection with EDR can detect and stop the encryptor itself when prevention fails.

Network security solutions provide additional layers of defense. Firewalls and intrusion prevention/intrusion detection systems (IPS/IDS) inspect traffic at the perimeter and can block known-bad IP addresses and malicious file transfers; web application firewalls (WAFs) protect the public-facing applications that attackers probe for a foothold. Restricting remote access to MFA-protected VPN or zero-trust gateways, and never exposing RDP directly to the internet, removes one of the most common entry points. Segmenting the internal network limits how far ransomware can spread from the first infected host, and egress filtering can prevent the malware from reaching its external command-and-control servers.

Educate employees

Employee education is vital in preventing attackers from accessing corporate networks. Employees should learn how to recognize phishing attempts and understand how to alert security teams. They should also learn best practices for setting unique passwords, using MFA tools, and protecting devices from theft. Instilling these best practices in employees as part of a culture of security can play a central role in reducing risks.

Ransomware Trends and Future Outlook

Ransomware continues to evolve. Healthcare organizations need the agility to anticipate and respond to changing threats.

Emerging ransomware threats and techniques

Attackers today are continuously developing new methods for accessing networks and spreading infections. Meanwhile, they are adding new layers to their extortion schemes. For example, they increasingly steal data before encrypting it and threaten to publish it if the ransom is not paid (so-called double extortion), and they put further pressure on victims by contacting patients, customers, and business partners directly.

Cybercriminals are also capitalizing on emerging technologies to devise new types of threats and improve the effectiveness of attacks. They are using AI to craft more convincing phishing emails and subscribing to Ransomware-as-a-Service (RaaS) offerings, which let affiliates launch attacks with someone else’s malware and infrastructure in exchange for a share of the ransom.

Staying informed and vigilant

Healthcare organizations and other businesses need to stay informed about the changes in the cybersecurity landscape. And they need to be prepared to shift the focus of their counter-ransomware efforts as new threats emerge. 

For many organizations, partnering with outside cybersecurity experts will be the most effective way to stay on top of rapid changes. Those experts can tap into the latest threat intelligence and draw from multiple client experiences in constructing strategies that help prevent attacks and minimize damage.

Ready to start developing your plan to remove ransomware and recover from attacks? Cloudticity can help. Reach out for a free consultation today.
