Healthcare and ransomware: 5 critical steps to take

The outbreak of COVID-19 has put cyberattacks on healthcare providers into hyperdrive. Factors contributing to such attacks include, but aren’t limited to:

• Decentralized business operations
• Emergency COVID-19 facilities set up without planned security of IT infrastructure
• A significant rise in the amount of patient health data stored by healthcare organizations
• Telehealth, and remote workers flung around the world almost overnight, opening up security gaps

Ryuk ransomware, in particular, has seen a resurgence recently. Sophos recently identified a new spam campaign linked to the Ryuk actors, and our Managed Threat Response team assisted an organization in mitigating a Ryuk attack, providing insight into how the Ryuk actors’ tools, techniques, and practices have evolved.

The investigation showed an evolution of the tools used to compromise targeted networks and deploy the ransomware. But what was more notable was how quickly the attacks can move from initial compromise to ransomware deployment. Within three and a half hours of a target opening a phishing email attachment, attackers were already conducting network reconnaissance. Within a day, they had gained access to a domain controller and were in the early stages of an attempt to deploy ransomware.

The evasion techniques of ransomware are rapidly changing. In recent years, ransomware attacks have trended away from brute-force, large-scale attacks to focused, planned, and manually executed attacks that are much harder to detect and block. Humans are handcrafting artisanal malware.

The criminals have hybridized their attacks, combining automation to find victims with gaps in their defenses. Exposed servers with Remote Desktop Protocol (RDP) enabled, administrators without multi-factor authentication for remote access, unpatched web servers, or even these same issues at a trusted partner or service provider are enough to put your network, systems, and resources under ransom.

Here are the five things healthcare providers can do to protect against ransomware attacks:

1. Maintain IT hygiene. Make sure you’re practicing basic IT hygiene, which includes installing all the latest patches, shutting down RDP entirely (or putting it behind a VPN), and making regular back-ups and keeping them offsite where attackers can’t find them. It also includes applying multifactor authentication to services hosting the most sensitive data in your organization. These are just some of the fundamental steps you can take to protect yourself and your network today.
2. Educate your users. Teach them about the importance of strong passwords and roll out two-factor authentication wherever you can. Educate them on phishing, which is one of the main delivery mechanisms for ransomware.
3. Minimize the risk of lateral movement within your network. Segment LANs into smaller, isolated zones or VLANs that are secured and connected by the firewall. Be sure to apply suitable IPS policies to rules governing the traffic traversing these LAN segments in order to prevent exploits, worms, and bots from spreading between LAN segments. And if an infection hits, automatically isolate infected systems until they can be cleaned up.
4. Use endpoint detection and response (EDR) tools with your endpoint protection. Targeted ransomware today isn’t just about stopping one piece of malware; it’s about stopping an active adversary and disrupting the attack chain that puts them in a position to run the malware. Ensure every endpoint is protected and up to date. A device not functioning correctly may not be protected and could be vulnerable to a ransomware attack. Use tools like EDR, which allow you to ask detailed questions so that you can hunt for active adversaries and identify advanced threats in your network. Once you do, EDR also helps you take appropriate actions quickly to stop such threats.
5. Close the gap with human intervention. Computers, automation, and tools are amazing but human intellect, pattern recognition, and our ability to apply context provide an even more formidable defense. Managed detection and response (MDR) services are critical here. Pairing your internal IT and security teams with an external team of elite threat hunters and response experts helps provide actionable advice for addressing the root causes of recurring incidents.

Sophos Intercept X Advanced with EDR

Sophos Intercept X Advanced with EDR includes all the features you need to help protect your organization from ransomware attacks like Ryuk, Sodinokibi, Maze, and Ragnar Locker.

Intercept X includes anti-ransomware technology that detects malicious encryption processes and shuts them down before they can spread across your network. Anti-exploit technology stops the delivery and installation of ransomware, deep learning blocks ransomware before it can run, and CryptoGuard prevents the malicious encryption of files, rolling them back to their safe states.

Furthermore, Sophos EDR helps keep your threat hunting and IT operations hygiene running smoothly across your entire estate. Sophos EDR empowers your team to ask detailed questions to identify advanced threats, active adversaries, and potential IT vulnerabilities, and then quickly take appropriate action to stop them. It enables you to detect adversaries lurking in your network and waiting to deploy ransomware that may have gone unnoticed.

Sophos Managed Threat Response (MTR)

The Sophos MTR service adds human expertise to your layered security strategy. An elite team of threat hunters proactively looks for and validates potential threats on your behalf. If authorized, they take action to disrupt, contain, and neutralize threats, and provide actionable advice to address the root causes of recurring incidents.

Sophos Rapid Response

If your organization is under attack and needs immediate incident response assistance, Sophos can help.

Delivered by an expert team of incident responders, Sophos Rapid Response provides lightning-fast assistance with identification and neutralization of active threats against organizations. On-boarding starts within hours, and most customers are triaged within 48 hours. The service is available for both existing Sophos customers as well as non-Sophos customers.

The Sophos Rapid Response team of remote incident responders quickly takes action to triage, contain, and neutralize active threats. Adversaries are ejected from your estate to prevent further damage to your assets.

Related reading

• Endpoint Protection Best Practices to Block Ransomware – Full report
• Firewall Best Practices to Block Ransomware – Full report
• They’re back: inside a new Ryuk ransomware attack
• MTR Casebook: Blocking a $15 million Maze ransomware attack
• The realities of ransomware: Why it’s not just a passing fad