“We have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” – FBI, CISA, and HHS
A cybersecurity bulletin was released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) on October 28, 2020.
The three agencies have issued a high-level warning about an increased, imminent threat of ransomware attacks in the healthcare sector. The cybercriminal group behind the TrickBot, Ryuk, and BazarLoader malware is now targeting U.S. hospitals and healthcare providers. Their fine-tuned attack patterns and highly-evolved functions have increased the ease, speed, and profitability of their attacks.
The report describes recent ransomware attacks and their methodology in detail, so it’s well worth a read.
The two main indicators of compromise to watch out for
No matter how advanced a ransomware variant is, every attack will exhibit these two indicators:
- Presence of suspicious executables: The most common attack vector used by ransomware to intrude into a network is a phishing email that appears legitimate, tricking the victim into clicking on a link or opening an attachment. Victims might be lured to a malicious website and tricked into downloading the ransomware executable. Regardless of the method, upon intrusion, the malware copies itself as an executable with a strain-specific pattern in its name (example: random eight-character EXE files in the case of TrickBot, or Report-Review26-10.exe, Text_Report.exe, etc. in the case of BazarLoader).
- Sudden surges in file activity: Most highly-evolved malware is capable of identifying critical data (such as financial details and personal information). It then encrypts this data and places its identifying tags in the corrupted files’ names. For example, files encrypted by Ryuk ransomware have a .ryk file name. Then, to prevent the victim from recovering encrypted files without the decryption program, the malware drops a BAT file that attempts to delete all backup files and Volume Shadow Copies. All these actions generate high numbers of file access events in a short period of time — far more than what is typically expected in an organization.
What you can do to mitigate this threat
To lower your susceptibility to a ransomware attack and elevate your overall cybersecurity strategy, here are four things you can do:
- Know the enemy: Learning about ransomware and its evolution will help you to be better prepared to face a potential attack. Our free e-book discusses the measures recommended by the FBI to help you prevent, detect, and respond to ransomware attacks.
- Follow best practices: With attacks on the rise, businesses and individuals should follow ransomware protection best practices. Here are our eight best practices to prevent ransomware attacks.
- Educate your employees: End users are the primary targets of cybercriminals. Make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Here is a descriptive ransomware infographic that will help.
- Take preventative measures: Create and test a ransomware response plan to check your organization’s preparedness to tackle and analyze a ransomware intrusion. This ransomware prevention and response checklist is a great place to start.
Should you take action even if you’re not in the healthcare sector?
Yes, definitely. An increased threat of healthcare-targeted ransomware attacks does not indicate that other sectors are safe. As attackers rapidly evolve their vectors and execution strategies, organizations across sectors should take every step possible to protect their network and data.
Safeguard against ransomware attacks with DataSecurity Plus
Preventing a ransomware attack is possible with a robust file system monitoring, alerting, and incident response solution in place. DataSecurity Plus, a real-time ransomware response tool, swiftly detects ransomware attacks using threshold-based alert profiles and an up-to-date library of known ransomware file types. It executes custom scripts to shut down infected machines and halt the progress of the malware, thereby mitigating damage to business-critical data.
Learn more about how you can detect and respond to ransomware attacks easily with DataSecurity Plus.