The Evolution of Cyber Threats: Analyzing a Major Ransomware Attack


By Gary Salman, CEO, Black Talon Security

Ransomware attacks target practices and healthcare entities of all specialties and sizes by exploiting their people and/or technology. When a healthcare entity is hit by ransomware, the damage done to the organization is substantial and often long-lasting. 

The reality of cybersecurity in healthcare

Most healthcare organizations are utilizing outdated cybersecurity approaches yet still believe their firewall, anti-virus software and IT resources will be able to defend them from ransomware attacks. However, owners and executives need to start thinking differently about the approach they are taking to secure their business continuity and, most importantly, patient data. Many organizations, regardless of size, can expect to suffer total business operational loss for a period of 7-10 days in the event of a ransomware attack. After the 10-day period, many still experience limited access to systems, patient records and billing systems. 

Most threat groups do not care about the size of the healthcare entity because they know that there is a high likelihood that the organization will pay the ransom to facilitate the decryption of the data or to prevent the threat group from selling the stolen patient and operational data.

What happens during a ransomware attack?

Let’s examine the post-mortem results of a primary care physicians group location in the Southwest. Upon arriving at the practice Monday morning, an employee noticed a ransom note on her screen and contacted her IT resources. IT determined that the network was systemically impacted by the ransomware attack: all the servers were offline and the data appeared to be encrypted.

The IT company reached out to us to perform an Incident Response to help understand the depth and scope of the attack and provide a path to bring the healthcare organization back online as quickly as possible. Upon deploying our security tools on the network, our forensic investigation began. Within a few hours it was determined that a threat group named Conti was responsible for the attack. Conti is notorious for hitting healthcare organizations of all sizes and demanding significant ransom demands from them.

As our investigation and forensic analysis continued, it became apparent that this attack was systemic: almost 50% of all the computers were hit, including 100% of the servers. All the data on the servers and backup devices was fully encrypted with ransomware. This included the EMR/EHR system, which further complicated matters. At the end of day one, we provided the doctors and administration with a bleak picture of the status of their network and the availability of their data.

On day two, legal counsel and insurance became involved in the case. After briefing the attorneys, a decision was made to contact Conti to start the negotiation process to recover the group’s operational and patient data. As part of the negotiation, we asked for and were given a snapshot of the data stolen by Conti as “proof of life” that they had the client’s data. Conti’s demand for the decryption keys was $500,000. The proof of life validated our fear that they did in fact exfiltrate the data. Over the next few days, negotiations occurred to try and reduce the payment amount and ensure that the data would be recoverable. During this period of time, more detailed forensic data was being captured and the search for additional pieces of malicious code continued.

The threat group also started emailing the practice’s employees, telling them that they had all their personal information and would perform identity theft on them if the practice did not pay the ransom, causing chaos and panic. 

After a few days of negotiation, all parties agreed on the amount for the extortion demand payment. Money was converted to Bitcoin, a background check was performed on the threat group’s digital wallet and the payment was made. The next day, the threat group provided a tool called a decryptor, which is used to unlock the encrypted data on the network. In many cases, however, the tool does not work 100% properly, and often the computers’ operating systems have been damaged during the attack, which increases the length of time it takes to decrypt the data. In this situation, it took almost three full days to decrypt the data and another three days to rebuild the servers and workstations impacted by the attack.

How did the attack begin?

In this case, a laptop was identified as “patient 0.” An employee clicked on a phishing email that downloaded malicious code onto the computer. The code then communicated with a command and control server. The command and control server downloaded tools onto the device that enabled the hackers to exploit the machine and move around the network, gaining access to the servers and backups. Over a period of a few days, they exfiltrated (stole) all the patient and operational data. Then, over the weekend, they launched their ransomware attack, which ultimately brought down the network.
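Each stage of that chain leaves telemetry a defender can alert on before the weekend encryption run: the regular check-ins to the command and control server, one laptop authenticating to many servers and backup hosts, and the burst of file renames when encryption starts. The script below is an added example, not code from this post or from Black Talon Security. It runs three simple detectors over constructed sample telemetry; the host names, the IP addresses, the timestamps and the thresholds are all assumptions made for the illustration.

```python
"""Stage-based detection over constructed endpoint/network telemetry.

One detector per stage of the attack chain: beaconing to a command and
control server, lateral movement to many internal hosts, and mass file
renames on a server. All events are constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry. "t" is seconds since an arbitrary epoch.
EVENTS = [
    # Stage 1: "patient 0" (laptop-07) phones home every ~60 s with little jitter.
    *[{"type": "net", "t": 1000 + 60 * i + (i % 3), "src": "laptop-07",
       "dst": "203.0.113.9", "bytes_out": 512} for i in range(12)],
    # Ordinary browsing from another host: irregular timing, must not alert.
    *[{"type": "net", "t": 1000 + t, "src": "desk-02", "dst": "198.51.100.5",
       "bytes_out": 2048} for t in (5, 90, 130, 410, 415, 800)],
    # Stage 2: the same laptop authenticates to eight servers in under 3 minutes.
    *[{"type": "auth", "t": 2000 + 20 * i, "src": "laptop-07", "dst": f"srv-{i:02d}"}
      for i in range(8)],
    # Stage 3: a burst of renames to a new extension on a file server.
    *[{"type": "file", "t": 3000 + i, "host": "srv-01", "op": "rename",
       "path": f"/share/patients/{i}.docx.locked"} for i in range(150)],
    # Background rename activity that should stay below threshold.
    *[{"type": "file", "t": 3000 + 10 * i, "host": "srv-02", "op": "rename",
       "path": f"/share/tmp/{i}.bak"} for i in range(5)],
]


def detect_beaconing(events, min_connections=8, max_cv=0.1):
    """Flag (src, dst) pairs whose connection intervals are unusually regular.

    cv = stdev / mean of the inter-arrival gaps. Automated check-ins produce
    near-constant gaps (small cv); human-driven traffic is far more bursty.
    """
    times = defaultdict(list)
    for e in events:
        if e["type"] == "net":
            times[(e["src"], e["dst"])].append(e["t"])
    hits = []
    for (src, dst), ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits.append((src, dst, round(cv, 3)))
    return hits


def detect_lateral_movement(events, window=600, min_hosts=5):
    """Flag a source that authenticates to >= min_hosts distinct hosts
    within any `window`-second span."""
    per_src = defaultdict(list)
    for e in events:
        if e["type"] == "auth":
            per_src[e["src"]].append((e["t"], e["dst"]))
    hits = []
    for src, evs in per_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            hosts = {dst for t, dst in evs[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits.append((src, len(hosts)))
                break
    return hits


def detect_mass_rename(events, window=60, min_renames=50):
    """Flag a host performing >= min_renames renames inside a sliding
    `window`-second span (the signature of encryption starting)."""
    per_host = defaultdict(list)
    for e in events:
        if e["type"] == "file" and e["op"] == "rename":
            per_host[e["host"]].append(e["t"])
    hits = []
    for host, ts in per_host.items():
        ts.sort()
        j = 0
        for i in range(len(ts)):
            while ts[i] - ts[j] > window:
                j += 1
            if i - j + 1 >= min_renames:
                hits.append((host, i - j + 1))
                break
    return hits


def triage(events):
    """Run all three detectors and report which stages are visible."""
    return {
        "beaconing": detect_beaconing(events),
        "lateral_movement": detect_lateral_movement(events),
        "mass_rename": detect_mass_rename(events),
    }


if __name__ == "__main__":
    for stage, hits in triage(EVENTS).items():
        print(f"{stage}: {hits}")
```

The thresholds (eight connections with a coefficient of variation under 0.1, five hosts in ten minutes, fifty renames in a minute) are starting points chosen for the sample data; in practice they are tuned against the organization's own baseline, and the point of the exercise is that the first two detectors fire days before the third, while there is still time to isolate the laptop.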

Takeaways from ransomware attacks

What can be learned from this event? First, this was not a large hospital or multi-location practice. It was a typical primary care group. So, practices of all sizes are at risk. Second, employees and technology are a risk to the practice’s operations. In this case, an employee made a mistake by falling for the phish. However, numerous vulnerabilities on the network allowed the threat actors to move around the network and deploy additional malicious code, all while going undetected by the IT resource.

Healthcare organizations must address cybersecurity awareness training and vulnerabilities, conduct a security risk assessment and implement technology to help minimize the chances of an attack. It is essential to have thorough policies and procedures in place to address risk. Almost all the attacks we have dealt with were preventable if “best practices” had been utilized by the healthcare organization. Search out specialist cybersecurity companies that can work with an organization’s existing IT resources to secure its network and data.

Gary Salman is CEO of Black Talon Security (www.blacktalonsecurity.com), a Katonah, NY-based company specializing in cybersecurity solutions for small- and medium-sized businesses. He has more than 30 years of experience in information technology and software design. Mr. Salman also lectures nationally on cybersecurity topics.