8/12/2019
Ransomware and Digital Extortion
Prevention and Recovery
Presented By: CS-FO Thomas Gilchrist, FBI-Oklahoma City
On Behalf Of: Explore Healthcare Summit 2019

My Bio
• 2007: Intern at FBI-Birmingham
• 2008: SSC/SST/OST at FBI-Birmingham
• 2009: B.S. in Criminal Justice at UAB
• 2013: M.S. in CIS at UAB
• 2015: CS-FO at FBI-OKC
• 2018: Adjunct Faculty at UCO

Today's Objectives
• Overview of Ransomware/Digital Extortion and the Threat to the Healthcare Industry
• Case Studies of Healthcare Ransomware Attacks
• Ransomware Tips/Strategies for Prevention, Preparation, Mitigation and Recovery
• Law Enforcement Involvement Considerations
• Overview of Other Cyber Attacks – Denial-of-Service, Data Theft, Business Email Compromise, Malvertising, Cryptojacking
• Q and A
Ransomware and Digital Extortion
• Digital Extortion is the act of coercing an individual or company to pay to regain access to stolen or hidden cyber assets
  – Ransomware is the most common weapon for achieving this
  – 2016 was the "Year of Ransomware"

Two Types of Ransomware
• #1: Locker
  – "Locks down" a digital device
  – Blocks the user's ability to access anything on the system until the ransom is paid
  – Files remain intact (just not accessible)
  – Common requested payment is prepaid cards and vouchers
  – Most commonly targets mobile devices
• #2: Crypto
  – Weaponizes encryption
  – Searches through the files on a system, targeting specific file extensions
  – Encrypts the targeted files and drops a ransom note demanding payment in exchange for the private key (required for decryption)
  – Common payment is cryptocurrency (Bitcoin)

Locker Ransomware (screenshot slide)
Crypto Ransomware (screenshot slides): Targeted File Extensions; Ransom Note; Encrypted Files
Ransom Notes (screenshot slides): Text File; HTML Splash Page

Healthcare is Under Attack
• Some 2019 Statistics:
  – 89% of healthcare organizations have experienced a data breach in the past 2 years
  – 50% of healthcare organizations have experienced a ransomware incident within the past year
  – Average loss from a ransomware incident at a business is $133,000
  – Estimated losses for the healthcare industry in 2019 are $25 billion
• Reasons Healthcare Is Targeted:
  – Significant amount of PII in the data
  – Downtime of systems means downtime in patient care
  – It's profitable!
Case Study #1: Hollywood Presbyterian
• 2016 – First well-documented attack on healthcare
• Hollywood Presbyterian Medical Center – Los Angeles, CA
• Targeted by Locky ransomware
  – Delivered through a VBA macro embedded in a Word document
• 10 Days of Downtime
  – Systems for lab work, pharmaceutical orders, and the emergency room inaccessible
• Paid $17,000 Bitcoin ransom

Case Study #2: MedStar Health
• 2016 – First multi-site attack
• Affected 10 hospitals and more than 250 outpatient centers – Baltimore/DC Area
• Targeted by SamSam ransomware
  – Delivered via a web application security vulnerability (a patch existed)
• Mass confusion caused by the multi-site compromise
• Paid $19,000 Bitcoin ransom
• Two Iranian hackers indicted in 2018 by DOJ
  – Made roughly $6 million and caused $30 million in damages

Case Study #3: To Pay or Not to Pay
• Kansas Heart Hospital – Wichita, KS (2016)
  – Paid initial ransom
  – Partial file access
  – Second ransom demand
• Christopher Rural Health – Christopher, IL (2016)
  – Did not pay ransom
  – Restored from backups!
• The FBI DOES NOT support ransom payment
  – Cyber Division Assistant Director James Trainor
• Reasons:
  – Access to files is not a guarantee (see Kansas Heart)
  – Payment can fund other criminal enterprises
  – Payment sets a bad precedent and emboldens criminals
2019 Attacks Continue...
• While ransomware attacks are on the decline for most industries, this is not the case for healthcare
  – Due to the success rate of these organizations paying ransoms quickly to regain access to important data, and a lack of preparedness
• NEO Urology
  – Paid $75,000 ransom
  – Suffered 3 days of downtime
• Estes Park Health
  – Insurance paid the ransom...TWICE
  – Paid $10,000 deductible on the ransom payment
• Olean Medical Group
• Seneca Nation Health System
• Shingle Springs Health and Wellness Center
• Boston Residex Software

Ransomware Prevention
• Prevention of ransomware is associated with understanding common delivery mechanisms and "plugging those holes"
  – Prevent the malware from getting on your systems in the first place!
• Common Initial Attack Vectors
  – Phishing/Email Attachments
  – Social Engineering
  – Vulnerability Exploit Kits
  – Hacking
• Let's discuss some techniques to prevent each of these...

Phishing/Social Engineering
• Continual education of employees against phishing attacks and social engineering is critical
• Train employees to never open email attachments with suspicious file extensions: exe, vbs, js, ps1 (PowerShell)
• Turn off JavaScript execution in Adobe Reader for PDFs
• Turn off Flash Player execution in browsers
• Be VERY cautious of Microsoft Office VBA Macros
  – Often code that reaches out to a malicious server to download and execute malware
More Email Tips
• Train employees to be cautious with links
  – Shortened links are suspicious; sites exist to expand shortened links without visiting them (checkshorturl.com)
  – Be aware a link can say it will send you one place and redirect you to a malicious site to download malware
  – Be aware legitimate sites can host ads that direct to malware
    • See Malvertising later...
• Train employees to be cautious with unknown storage media
  – USB devices exist that pose as a "virtual keyboard", entering commands into a system when plugged in; they execute commands on the system with no user interaction!

Hacking
• Hacking just means gaining unauthorized access to a network
  – It's not always that sophisticated!
• If the criminal can gain access to the network, they no longer need an employee to execute the malware...they can just do it themselves

Hacking/Vulnerabilities Tips
• There are many ways to prevent unauthorized access
  – Block remote access unless absolutely necessary
  – Severely limit the users that can remotely access the network
  – Whitelist specific devices allowed remote access
  – Enforce strong passwords and Two-Factor Authentication
  – Enable logging on proxies and VPN concentrators
  – Keep systems patched against known security risks
  – Run automatic vulnerability scans for security risks
    • Nessus
  – Hire pen testers to test the network and your security team
    • White Hat Hackers
  – Be wary of vulnerability scanners posing as pen testers!
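The two email slides above describe what to look for in a suspicious message: attachments with executable or macro-enabled extensions, shortened links, and links whose visible text points somewhere other than the real destination. The following script is an added example (not part of the presentation and not an FBI tool) that automates those checks over a raw RFC 822 message using only the Python standard library. The sample message it parses is constructed for the demo, and the list of URL-shortener hosts is an assumption rather than an authoritative list.

```python
"""Triage one email for the warning signs listed in the deck.

Added example, not from the presentation. Standard library only.
The message built in build_sample_message() is constructed for the demo.
"""
import email
import email.policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions the deck says never to open (ps1 is PowerShell), plus macro-enabled
# Office formats (the VBA-macro delivery path from the Hollywood Presbyterian case)
# and a few other script/executable types. Treat this set as a starting point.
RISKY_EXTENSIONS = {"exe", "vbs", "js", "ps1", "docm", "xlsm", "pptm",
                    "scr", "hta", "jse", "vbe", "bat", "cmd"}
# Assumed set of link-shortening hosts; extend for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def triage_message(raw: bytes) -> dict:
    """Return {'attachments': [(name, why)], 'links': [(href, why)]} for one message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = {"attachments": [], "links": []}

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Judge by the final extension only: "invoice.pdf.exe" is still an .exe.
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings["attachments"].append((name, f"risky extension .{ext}"))
        elif name.count(".") > 1:
            findings["attachments"].append((name, "double extension"))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.anchors:
            href_host = _host(href)
            if href_host in SHORTENER_HOSTS:
                findings["links"].append((href, "shortened link; expand it before visiting"))
            # Visible text that looks like a URL but resolves to a different host.
            text_host = _host(text if "://" in text else "http://" + text)
            if "." in text and text_host and text_host != href_host:
                findings["links"].append(
                    (href, f"text shows {text_host} but link goes to {href_host}"))
    return findings


def build_sample_message() -> bytes:
    """Constructed phishing-style message for the demo (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "clinic@example.org"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_alternative(
        '<p>Please log in at <a href="http://bit.ly/3xyz">'
        'https://portal.example-hospital.org/login</a> to review the '
        '<a href="http://files.example.net/inv">invoice</a>.</p>',
        subtype="html")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"PK...", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="statement.docm")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage_message(build_sample_message())
    for name, why in result["attachments"]:
        print(f"ATTACHMENT {name}: {why}")
    for href, why in result["links"]:
        print(f"LINK {href}: {why}")
```

On the constructed message this flags the disguised executable and the macro-enabled document but not the plain PDF, and reports the bit.ly link twice: once as a shortener and once because its visible text names a different host than the real destination. The check is deliberately conservative about the visible text (it only compares when the text contains a dot), so plain "click here" anchors are left alone.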
Ransomware Preparedness
• Preparedness for ransomware is the process of putting protections in place BEFORE an attack occurs to mitigate its damage
• #1 Key is BACKUPS!
  – BACKUP all operations-critical data
  – Backups should be AIR-GAPPED
    • Store OFFLINE and OFFSITE
• Anti-Ransomware Software
  – Antivirus vendors are offering anti-ransomware software
  – Detects sudden mass changes to files and stops the process from continuing
  – Companies like Malwarebytes are still beta testing

Ransomware Preparedness Cont.
• Engineer the Network Architecture with Security Precautions
  – Utilize host and network security appliances like firewalls and intrusion detection/prevention systems
    • Configure with default-deny rules and event alerts instead of silent logs
  – Segment the network with VLANs to limit lateral movement
  – Use Virtual Machine environments
    • Snapshot to have restore points
  – Use Honeypots and Decoy Systems
  – Utilize a constant Network Security Monitoring team
    • Requires human inspection, not just IDS/IPS auto-alerting

Incident Response and Recovery
• Fully Develop an Incident Response Plan
  – Fully scope your security landscape
    • Includes all sites and third parties with access, like contractors/vendors
  – Fully identify job duties and roles
• Typical plan:
  – Isolate infected systems from the network
  – Identify the malware by researching the encrypted file extensions
    • Some ransomware strains have known decryptors online!
  – Collect evidence for/report to law enforcement
    • Image compromised systems, memory captures of live compromised systems, security log files, malicious executables, phishing emails with headers
  – Restore systems from backups
  – Fix the security flaw to prevent a similar compromise
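The preparedness slide says anti-ransomware software "detects sudden mass changes to files" and stops the process. The script below is an added example (not from the presentation and not any vendor's product) of the two signals such a detector typically combines: a per-process burst of writes inside a sliding time window, and write contents that look like ciphertext (Shannon entropy near 8 bits per byte). The event stream it consumes is constructed inline to stand in for what a file-system watcher would report, and the window, count and entropy thresholds are assumptions to tune for your environment.

```python
"""Burst-of-encrypted-writes detector over a constructed file event stream.

Added example, not from the presentation. The thresholds below are
assumptions; the events in simulate() are constructed for the demo.
"""
import math
import os
from collections import Counter, defaultdict, deque
from pathlib import PurePosixPath

WINDOW_SECONDS = 10.0            # sliding window length (assumed)
MAX_WRITES_PER_WINDOW = 50       # writes by one process before we alarm (assumed)
MIN_ENTROPY = 7.0                # bits/byte; ciphertext sits close to 8 (assumed)
MIN_HIGH_ENTROPY_FRACTION = 0.8  # share of writes that must look encrypted (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class BurstDetector:
    """Tracks recent writes per process and alarms on an encrypted-write burst."""

    def __init__(self, window=WINDOW_SECONDS, max_writes=MAX_WRITES_PER_WINDOW,
                 min_entropy=MIN_ENTROPY, min_fraction=MIN_HIGH_ENTROPY_FRACTION):
        self.window, self.max_writes = window, max_writes
        self.min_entropy, self.min_fraction = min_entropy, min_fraction
        self._recent = defaultdict(deque)  # pid -> deque of (ts, looks_encrypted, ext)
        self._alarmed = set()

    def observe(self, ts: float, pid: int, path: str, data: bytes):
        """Record one write; return an alarm dict the first time pid crosses the bar."""
        ext = PurePosixPath(path).suffix.lower()
        q = self._recent[pid]
        q.append((ts, shannon_entropy(data) >= self.min_entropy, ext))
        while q and ts - q[0][0] > self.window:   # expire events outside the window
            q.popleft()
        if pid in self._alarmed or len(q) < self.max_writes:
            return None
        high = sum(1 for _, looks_encrypted, _ in q if looks_encrypted)
        if high / len(q) < self.min_fraction:
            return None                           # a big build or copy, not encryption
        self._alarmed.add(pid)
        ext_counts = Counter(e for _, _, e in q)
        return {"pid": pid, "writes": len(q), "high_entropy": high,
                "dominant_ext": ext_counts.most_common(1)[0][0], "at": ts}


def simulate() -> list:
    """Constructed stream: one benign writer (pid 100) and one encrypting process (pid 200)."""
    det = BurstDetector()
    alarms = []
    note = b"Patient visit note: follow-up in two weeks.\n" * 20   # low-entropy text
    for i in range(60):
        ts = i * 0.1
        if i % 10 == 0:
            # A user saving ordinary documents: few writes, original extension.
            alarm = det.observe(ts, 100, f"/share/notes/visit_{i}.txt", note)
            if alarm:
                alarms.append(alarm)
        # Ransomware behaviour: rewrite every record with ciphertext-like bytes
        # (os.urandom stands in for the encrypted output) under a new extension.
        alarm = det.observe(ts, 200, f"/share/records/patient_{i:04d}.docx.locked",
                            os.urandom(1024))
        if alarm:
            alarms.append(alarm)
    return alarms


if __name__ == "__main__":
    for alarm in simulate():
        print(f"ALARM pid={alarm['pid']} writes={alarm['writes']} "
              f"encrypted={alarm['high_entropy']} ext={alarm['dominant_ext']} "
              f"t={alarm['at']:.1f}s")
```

In the simulation the benign writer never trips the detector while the encrypting process alarms on its 50th write, with the new ".locked" suffix reported as the dominant extension; that suffix is exactly the string the incident-response slide says to research for a known decryptor. A product would suspend the offending process at the alarm rather than just report it, and would need an allow-list for legitimate high-entropy bulk writers such as backup agents and compression jobs.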
Law Enforcement Considerations
• Things the FBI will not do:
  – Help restore your data
  – Determine who you should notify
• Things the FBI will do:
  – Collect evidence for investigation
  – Work with DOJ to indict the parties involved

Denial-of-Service
• A denial-of-service (DoS) attack has one goal: make a networked service or resource unavailable
• DoS is the older cousin of ransomware
• There are two main methods:
  – Distributed DoS (DDoS): flood bandwidth with junk traffic
  – Exploit a bug/weakness in an application to cause it to freeze/crash

DoS Prevention and Recovery
• There are several vendors of DDoS protection services
  – Such as Imperva Incapsula, Akamai, and Cloudflare
• There are things your organization can do to mitigate attacks
  – Engineer the architecture to have real-time scalable bandwidth and design failsafes for system crashes
  – Use black hole routing to route malicious traffic to another destination to be dropped
  – Keep services and applications patched for known flaws
  – Configure firewalls and IDS/IPS to use rate limiting and traffic filtering
  – Use load balancing for important services
  – Use a CAPTCHA to prevent bot access to a resource
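The DoS slide recommends rate limiting on firewalls and IDS/IPS without saying how a limiter decides what to drop. The script below is an added example (not from the presentation and not a vendor configuration) of the token-bucket algorithm that such features implement: each source gets a bucket that refills at a sustained rate and holds a bounded burst, and a request is served only if a token is available. It runs over a constructed request log with one legitimate client and one flooding source; the log format, addresses and the rate/burst parameters are assumptions for the demo.

```python
"""Per-source token-bucket rate limiting over a constructed request log.

Added example, not from the presentation. Log format, addresses and
rate/burst values are assumptions for the demo.
"""
from collections import defaultdict

RATE_PER_SECOND = 5.0   # sustained requests/second allowed per source (assumed)
BURST = 10              # bucket capacity: short bursts up to this many (assumed)


class TokenBucketLimiter:
    """One bucket per source address; tokens refill continuously up to BURST."""

    def __init__(self, rate=RATE_PER_SECOND, burst=BURST):
        self.rate, self.burst = rate, burst
        self._tokens = defaultdict(lambda: float(burst))
        self._last = {}

    def allow(self, src: str, ts: float) -> bool:
        """Refill src's bucket for the time elapsed, then spend one token if available."""
        last = self._last.get(src, ts)
        self._tokens[src] = min(self.burst, self._tokens[src] + (ts - last) * self.rate)
        self._last[src] = ts
        if self._tokens[src] >= 1.0:
            self._tokens[src] -= 1.0
            return True
        return False


def parse_line(line: str):
    """Constructed log format: '<epoch_seconds> <src_ip> <method> <path>'."""
    ts, src, method, path = line.split(maxsplit=3)
    return float(ts), src, method, path


def filter_log(lines, limiter=None):
    """Replay the log through the limiter; return (allowed, dropped) as (src, ts) lists."""
    limiter = limiter or TokenBucketLimiter()
    allowed, dropped = [], []
    for line in lines:
        ts, src, _, _ = parse_line(line)
        (allowed if limiter.allow(src, ts) else dropped).append((src, ts))
    return allowed, dropped


def build_sample_log():
    """Constructed: a legitimate client at 2 req/s and a flood of 200 requests in 2 s."""
    lines = []
    for i in range(20):
        lines.append(f"{i * 0.5:.3f} 203.0.113.7 GET /patient-portal/login")
    for i in range(200):
        lines.append(f"{i * 0.01:.3f} 198.51.100.9 GET /patient-portal/login")
    lines.sort(key=lambda ln: float(ln.split()[0]))   # interleave by time
    return lines


def summarize(lines):
    """Return {src: [allowed_count, dropped_count]} for the replayed log."""
    allowed, dropped = filter_log(lines)
    per_src = defaultdict(lambda: [0, 0])
    for src, _ in allowed:
        per_src[src][0] += 1
    for src, _ in dropped:
        per_src[src][1] += 1
    return dict(per_src)


if __name__ == "__main__":
    for src, (ok, dropped) in summarize(build_sample_log()).items():
        print(f"{src}: allowed={ok} dropped={dropped}")
```

The legitimate client never exceeds the refill rate, so all of its 20 requests are served; the flooding source exhausts its burst of 10 almost immediately and is then held to roughly the 5 requests per second the bucket refills, so about 180 of its 200 requests are dropped. The same idea is what an nftables `limit rate` rule or nginx's `limit_req` enforce in production; the limiter here is per source address, which a distributed attack spreads across many sources, so pair it with upstream scrubbing or the black-hole routing mentioned above rather than relying on it alone.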