Monday, February 12, 2018

Paying the ransom v. back-ups

Over the last three years, hospitals and medical offices have been increasingly targeted by attackers. This trend will continue this year and well beyond. Hancock Health, a regional hospital located in Indiana, red-flagged suspicious activity indicative of an attack on January 1 of this year.
The attack ultimately manifested as employees being locked out of their systems and greeted by a ransomware message. This may not appear all that debilitating, but once the extent of the encryption was noted, the issue was significant. More than 1,400 files were affected, with “.imsorry” appended to each file name. This rather daunting message was met with the hospital paying the ransom to secure the decryption key. In this environment, paying is not the norm. There are a number of significant issues with paying the ransom: the attacker may not provide the decryption key, may leave behind additional malware to be used later, may retain other access points, and many other reasons not to pay.
The hospital indicated there was no evidence of patient information being released or sold. The curious aspect is that the hospital paid $55k to the attackers for the ransom while it had viable back-ups. This is the anomaly, as the general advice is not to pay. The rationale was that the process of restoring from back-ups would have cost more than the ransom. This calculation does not appear to have taken all the germane factors into consideration.
The successful attack was not the result of a phishing campaign; the attackers came in through the hospital’s remote access portal using a third-party vendor’s credentials. The ransomware used was SamSam, also known as Samas.
This provides a lesson for other operators. The attack could have been avoided or mitigated with training and alert users. There are a number of programs available for training users, and this training should be repeated throughout the year.

Thursday, February 8, 2018

Attackers-2; Indiana Hospitals-0


The healthcare industry has been, and continues to be, targeted by attackers in their attempts to compromise systems, exfiltrate data and information, and collect fees from ransomware attacks. A handful of the recent attacks have been phishing oriented, due partially to their previous successes. Hospitals present a great source of saleable data for the attackers. This includes, but is not limited to, the patient’s medical records, with various data points that may be divided and sold separately or bundled into a packet for each patient: social security numbers, insurance information, home address, phone numbers, the patient’s point of contact, and other information.
Recently Hancock Health had the opportunity to pay $55k arising from a successful ransomware attack. The attack vector here was a phishing attack. On the same day Hancock Health experienced its issue, Adams Memorial Hospital was likewise hit with ransomware. The second attack came to light when an employee noticed something was not quite right with her system on December 11, 2017. She contacted the help desk and the system admins regarding the issue. Upon further examination, the files read “Sorry” and the network went blank. The ransomware tool used was believed to be a variant of the “Im Sorry” ransomware family. It works by appending “.imsorry” to file names as the files are encrypted. Post-encryption, a text file is placed on the system stating the instructions for paying the ransom.
As a result, physicians were not able to access their patients’ history files or appointment schedules. The scope of the attack was relatively limited, with only 60-80 patients affected. As of January 19th, Adams Memorial Health had not stated whether the ransom had been paid.
This provides a valuable lesson for the admins and the InfoSec department. Training to avoid such issues is needed and should be continued. This training would help staff recognize not only phishing e-mails, but also what to watch for in e-mails from other staff in case those accounts have been compromised.
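Since the post describes the variant renaming files with a “.imsorry” suffix and then dropping a text-file ransom note, here is an added example (not from the post, nor from either hospital’s tooling) of the detection logic a SOC could run over file-rename telemetry: flag any host that renames a burst of files to “.imsorry” inside a short window, then check whether a new .txt file appeared on that host. The event format, host names, file names, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".imsorry"  # suffix the post says the "Im Sorry" variant appends

# Constructed sample of file-rename events (timestamp, host, new_path); not real telemetry.
SAMPLE_EVENTS = [
    ("2017-12-11T08:01:02", "ws-17", r"C:\Users\clinic\schedule.xlsx.imsorry"),
    ("2017-12-11T08:01:03", "ws-17", r"C:\Users\clinic\patient_history.docx.imsorry"),
    ("2017-12-11T08:01:04", "ws-17", r"C:\Users\clinic\notes.txt.imsorry"),
    ("2017-12-11T08:01:05", "ws-17", r"C:\Users\clinic\labs.pdf.imsorry"),
    ("2017-12-11T08:01:06", "ws-17", r"C:\Users\clinic\billing.csv.imsorry"),
    ("2017-12-11T08:01:07", "ws-17", r"C:\Users\clinic\README_TO_DECRYPT.txt"),  # assumed note name
    ("2017-12-11T08:30:00", "ws-03", r"C:\Users\admin\draft.docx.imsorry"),  # lone rename, below threshold
]


def detect_burst(events, threshold=5, window=timedelta(seconds=60)):
    """Return {host: max_count} for hosts with >= threshold .imsorry renames in any `window`."""
    per_host = defaultdict(list)
    for ts, host, path in events:
        if path.lower().endswith(RANSOM_EXT):
            per_host[host].append(datetime.fromisoformat(ts))
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until all events in [start, end] fit inside it.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged


def ransom_note_candidates(events, flagged):
    """Among flagged hosts, list those that also saw a new .txt file (the likely ransom note)."""
    hits = set()
    for _, host, path in events:
        if host in flagged and path.lower().endswith(".txt"):
            hits.add(host)
    return sorted(hits)


if __name__ == "__main__":
    burst = detect_burst(SAMPLE_EVENTS)
    print("burst hosts:", burst)                                   # {'ws-17': 5}
    print("note candidates:", ransom_note_candidates(SAMPLE_EVENTS, burst))  # ['ws-17']
```

The threshold and window should be tuned to the environment’s normal rename rate; the lone rename on ws-03 shows why a single suffix match alone is too noisy to page on.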



And you thought the Experian Compromise was Problematic

Healthcare continues to bear the brunt of the attempted attacks. Over the last few years, the healthcare industry has been targeted repeatedly. This is due primarily to the data and information it holds being marketable for a longer period of time than other forms of data. Coupled with lax security, this certainly is not helpful. For instance, financial information such as credit card numbers has a much shorter useful life than other forms of data. Once the patient becomes aware of an issue, whether by checking their accounts, through a third-party service, or by some other means, they simply call their credit card company, the current card number is voided, and a new card is issued. The stolen credit card number is no longer valid.
Medical records are a different case. They contain data that remain useful to the attackers over a much longer period of time. Depending on the record and the health care agency, the file’s composition may differ, but these generally contain the social security number, addresses, billing data, and other relevant, marketable data.
The Health South-East Regional Health Authority, located in Norway, recently had the opportunity to experience an attack. The entity manages Norway’s hospitals located in its southeast region. Its system was compromised, which allowed the attackers to exfiltrate clients’ personal information and medical records. In the US, we are unfortunately becoming numb to this, as there have been many such incidents over the last two years.
Two factors stand out with this incident. Approximately 2.9M records were exfiltrated. This is over half of Norway’s population of 5.2M, which makes the breach relatively massive. In addition, the entity’s InfoSec staff did not notice any issues; the healthcare entity received a notification from HelseCERT regarding activity red-flagged as abnormal. As of this writing, there had not been evidence of any patient issues arising from this compromise.
Management does not quite appreciate the long-term effects of this. The data is marketable for extended periods, which include a few months and more, and the attackers who compromised the systems do not have to sell it immediately or use it for their gain within that window.