To paraphrase Mark Twain, reports of ransomware’s death have been greatly exaggerated.
Ransomware attacks resumed with a vengeance last year, despite conjecture by some researchers that CPU mining would overtake ransomware as a leading threat vector. Instead, the ransomware threat is stronger than ever, impacting more than 750 healthcare providers and racking up recovery costs approaching $4 billion.
Some healthcare firms managed to overcome their paralysis while others never fully recovered. Wood Ranch Medical in California, for example, closed its doors after management concluded it would be impossible to rebuild patient electronic medical records.
Increasingly, threat actors are double-crossing ransomware victims by encrypting and exfiltrating their data. In December, Canadian firm LifeLabs paid a ransom to recover personally identifiable information for up to 15 million patients. Ransomware attacks also threatened quality of care by forcing providers to suspend treatments until their systems and data were restored, with potentially fatal consequences for patients.
Healthcare organizations make attractive targets because of their huge stores of easily monetized patient and medical data, their limited security resources, and their sometimes-lax approach to cyber defense. More than half of the healthcare providers surveyed by Cisco’s Duo Security, for example, are still running critical applications on Windows 7 systems, leaving them vulnerable to the same exploits that fueled the WannaCry pandemic. Healthcare providers have also invested less in their security controls historically than other industries. On average, health systems devote only four to seven percent of their IT budgets to cybersecurity, whereas most other industries typically invest around 15%.
The ransomware risks for healthcare firms can only get worse. Cybercriminals are continually refining their tactics, techniques and procedures to make their attacks more efficient and profitable. In a recent blog, the BlackBerry Cylance threat research team profiled Zeppelin, the newest member of the Delphi-based Ransomware-as-a-Service (RaaS) family initially known as Vega or VegaLocker. Previous versions were designed for broad brush campaigns against Russian-speaking entities. The new version is optimized to attack a handful of carefully chosen tech and healthcare firms in Europe and the United States. Zeppelin is wily and sophisticated, utilizing obfuscation and environment-awareness techniques, among others, to successfully evade signature-based endpoint defenses.
The Way Forward
Healthcare organizations must recognize that well-organized and technically proficient threat actor groups can all-too-easily exploit glaring holes in their security fabric. To protect both themselves and the patients they serve, providers must move swiftly to replace reactive signature-based tools with proactive endpoint security solutions like CylancePROTECT® that utilize artificial intelligence (AI) to stop Zeppelin and similar ransomware from compromising their data.
CylancePROTECT stops WannaCry, Goldeneye, and Satan ransomware with mathematical models dating back to September 2015, long before the ransomware was first detected in the wild. This SE Labs-verified Predictive Advantage also extends to Emotet (816 days), GandCrab (795 days), GlassRAT (548 days), PolyRansom (862 days), Sauron/Strider/Remsec (548 days), Zcryptor (182 days), and many more.
Healthcare organizations must take other meaningful steps to modernize their security infrastructure and policies. All networked systems should be rigorously tested to identify and eliminate vulnerabilities that could otherwise be exploited by adversaries. Retainer relationships should be forged with incident response consultants to ensure that ransomware breaches are quickly contained and prevented from recurring. And if internal security staff is too over-burdened to triage alerts and proactively hunt for threats, then a managed detection and response service should be contracted to pick up the slack.
Finally, healthcare organizations must recognize that a stand pat attitude towards cybersecurity is no longer viable. A more comprehensive and nuanced approach to cyber risk management will be needed if they hope to survive and continue delivering quality care. BlackBerry Cylance stands ready to help, offering the cybersecurity solutions and consulting services healthcare organizations need to transition seamlessly from a reactive to a prevention-first security posture. Click here to learn more.