Over the last few months, the healthcare sector has seen two separate providers permanently close and others forced into downtime after falling victim to ransomware. A McAfee report recently showed ransomware attacks have doubled in 2019.
According to two recent reports from Emsisoft and the Institute for Critical Infrastructure Technology, 491 providers have fallen victim to ransomware so far this year, and hackers are ramping up ‘disruptionware’ campaigns for a greater impact on their victims.
“Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent,” FBI officials wrote. “Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.”
Hackers have been leveraging phishing campaigns, remote desktop protocol vulnerabilities, and software vulnerabilities to infect organizations.
The phishing campaigns are typically generic, broad-based spam attempts, but FBI officials said that the recent ransomware attempts are much more targeted. Hackers may also compromise a victim’s email account first with precursor malware, which allows the infection to spread to other connected devices.
The FBI also noted brute-force attacks on the remote desktop protocol, in which hackers guess user credentials by trial and error or use credentials purchased on the dark web. Once access is gained, hackers deploy a wide range of malware variants, including ransomware.
Lastly, hackers are taking advantage of software vulnerabilities to deploy the ransomware. The FBI explained that a hacker recently exploited two vulnerabilities in the remote management software used by managed service providers to launch ransomware attacks on three of the MSP’s customers.
The FBI also stressed that victims should not pay the ransom, “in part because it does not guarantee an organization will regain access to its data.”
“In some cases, victims who paid a ransom were never provided with decryption keys,” FBI officials explained. “Due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.”
“Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals,” they added. “However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
To the FBI, whether an organization has decided to pay the ransom or not, the ransomware incident should be reported to law enforcement to provide the agencies with information that can be used to track down hackers and hold them accountable.
In order to prevent these attacks, the FBI stressed that the time for organizations to implement backups and other defenses is before, not after, an attack.
“Having a recent backup to restore from could prevent a ransomware attack from crippling your organization,” FBI officials explained. “As ransomware techniques and malware continue to evolve and become more sophisticated, even the most robust prevention controls are no guarantee against exploitation.”
“This makes contingency and remediation planning crucial to business recovery and continuity,” they added. “Those plans should be tested regularly to ensure the integrity of sensitive data in the event of a compromise.”
Organizations should regularly back up their data and verify the integrity of those backups, while ensuring the backups are not connected to the computers and networks being backed up, for example by physically storing them offline. Awareness and training should be a key focus, as end users are prime targets.
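Verifying backup integrity means more than checking that the files exist: a backup set that ransomware has already overwritten will restore ciphertext. The following is an added example, not code from the article or from the FBI guidance, showing one way to do the check: record a SHA-256 manifest when the backup is taken, keep the manifest with the offline copy, and compare the tree against it before trusting a restore. The directory layout and file names are constructed for the stand-alone run.

```python
import hashlib
import json
import os
from pathlib import Path

# Added example (not from the article): build a SHA-256 manifest of a backup
# set and later verify it, so files silently altered after the backup was
# taken (for instance, encrypted by ransomware that reached the share) are
# detected before anyone attempts a restore.

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backups are not read into memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: str) -> dict:
    """Return {relative_path: sha256} for every regular file under backup_dir."""
    root = Path(backup_dir)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(backup_dir: str, manifest: dict) -> dict:
    """Compare the backup tree on disk against a stored manifest.

    The report lists files that are unchanged ("ok"), changed since the
    manifest was written ("modified"), present in the manifest but gone
    ("missing"), and present on disk but unknown to the manifest
    ("unexpected"). The set is considered restorable only when nothing is
    modified or missing.
    """
    current = build_manifest(backup_dir)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    report["restorable"] = not report["modified"] and not report["missing"]
    return report


def save_manifest(manifest: dict, path: str) -> None:
    # Keep the manifest on the offline media with the backup, not on the
    # live share: a manifest stored next to the data can be rewritten by the
    # same intruder who encrypts the files.
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: str) -> dict:
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    import tempfile

    # Constructed sample backup set for a stand-alone run.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "patients.db").write_bytes(b"record-1\nrecord-2\n")
        (Path(tmp) / "notes.txt").write_bytes(b"daily notes")
        manifest = build_manifest(tmp)
        print("restorable before tampering:", verify_manifest(tmp, manifest)["restorable"])
        # Simulate one file being replaced by ciphertext after the backup ran.
        (Path(tmp) / "patients.db").write_bytes(b"\x00\x11encrypted")
        print("after tampering:", verify_manifest(tmp, manifest))
```

Run the verification against the offline copy as part of the regular restore test the FBI describes, and treat any "modified" entry as a signal to investigate rather than restore.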
The FBI also suggested other less-common techniques, including disabling macro scripts from Office files sent by email. Organizations can also consider using Office Viewer software to open Microsoft Office files sent through email, instead of the full Office application.
“Implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular internet browsers, and compression/decompression programs, including those located in the AppData/LocalAppData folder,” FBI officials wrote.
“Employ best practices for use of RDP, including auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts,” they added.
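Logging RDP login attempts only helps if something reads the log. As an added example that is not part of the article or the FBI guidance, the script below scans records shaped like Windows Security events (Event ID 4625 for a failed logon, 4624 for a successful one, Logon Type 10 for RDP sessions) and raises an alert when one source address produces a burst of failures, and a higher-severity alert when that same source then logs in successfully. The events, addresses and account names are constructed; the threshold and window are assumed values to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the article). Windows records each logon attempt in
# the Security log: EventID 4625 = failed logon, 4624 = successful logon, and
# LogonType 10 (RemoteInteractive) identifies RDP sessions.
RDP_LOGON_TYPE = 10
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624

# Constructed sample events (not real log data). Field names follow the
# Security-log fields EventID, LogonType, IpAddress and TargetUserName.
SAMPLE_EVENTS = [
    # one source hammers several accounts over a minute, then gets in as "backup"
    {"time": "2019-10-02T03:14:01", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"},
    {"time": "2019-10-02T03:14:09", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"time": "2019-10-02T03:14:17", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"},
    {"time": "2019-10-02T03:14:26", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    {"time": "2019-10-02T03:14:33", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    {"time": "2019-10-02T03:14:40", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    {"time": "2019-10-02T03:15:02", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    # a staff member mistypes a password twice, then logs in: stays below threshold
    {"time": "2019-10-02T08:01:10", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.20", "TargetUserName": "jsmith"},
    {"time": "2019-10-02T08:01:25", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.20", "TargetUserName": "jsmith"},
    {"time": "2019-10-02T08:01:40", "EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.20", "TargetUserName": "jsmith"},
    # repeated failed network (type 3) logons: not RDP, so this rule ignores them
    *[{"time": f"2019-10-02T09:00:{s:02d}", "EventID": 4625, "LogonType": 3, "IpAddress": "192.0.2.9", "TargetUserName": "svc"} for s in range(0, 60, 10)],
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Scan logon events in time order and return a list of alert dicts.

    "rdp_bruteforce": one source address produced `threshold` or more failed RDP
    logons within `window` (raised once per source per window).
    "rdp_success_after_bruteforce": a successful RDP logon from a source that is
    still flagged, which is the case to handle as an incident, not a warning.
    """
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)        # ip -> account names tried so far from that ip
    flagged_until = {}              # ip -> time until which the source counts as hostile
    alerts = []

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(ev["time"])
        ip = ev["IpAddress"]

        if ev["EventID"] == EVENT_LOGON_FAILED:
            q = failures[ip]
            q.append(ts)
            users[ip].add(ev["TargetUserName"])
            while q and ts - q[0] > window:      # drop failures that aged out of the window
                q.popleft()
            if len(q) >= threshold and flagged_until.get(ip, ts) <= ts:
                flagged_until[ip] = ts + window
                alerts.append({"type": "rdp_bruteforce", "severity": "medium", "ip": ip,
                               "time": ev["time"], "failures": len(q),
                               "users": sorted(users[ip])})
        elif ev["EventID"] == EVENT_LOGON_SUCCESS:
            if ip in flagged_until and ts <= flagged_until[ip]:
                alerts.append({"type": "rdp_success_after_bruteforce", "severity": "high",
                               "ip": ip, "time": ev["time"], "user": ev["TargetUserName"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Two alerts come out of the sample: a medium one when the fifth failure from 203.0.113.7 lands, and a high one when the same address succeeds against the "backup" account. The two mistyped passwords from 198.51.100.20 never reach the threshold, and the type 3 failures are left for a separate rule because they are not RDP. Pairing the success with the preceding failures is the part that matters: a burst of failures alone is noise on any internet-facing RDP host, while a success from a flagged source is the moment to disconnect the session and start incident response.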
Application whitelisting should be implemented, along with virtualized environments for running operating systems or specific programs. Organizations should also categorize data based on importance, while implementing physical and logical network segmentation.
“For example, sensitive research or business data should not reside on the same server and network segment as an organization’s email environment,” FBI officials explained.
The Department of Homeland Security has also released two similar advisories in the last few months regarding the sudden increase in attacks. On average, ransomware causes nearly 10 days of downtime, and organizations can lose about 8 percent of data, according to a recent Coveware analysis.