The Rise of Ransomware in Healthcare · 2016-08-24


Copyright 2016, Symantec Corporation

Reuben Koh Industry Manager - IoT Cybersecurity


The Rise of Ransomware in Healthcare


Symantec: Who We Are and What We Do


In 2009 there were 2,361,414 new pieces of malware created.

In 2015 that number was 430,555,582.

That’s 1 million 179 thousand a day.


What is Ransomware?

• Computer malware that installs covertly on a victim's computer, executes a cryptographic attack that adversely affects it, and demands a ransom payment to restore it.

• Non-encrypting ransomware may lock access to a system in a way similar to a denial-of-service attack and display a message requiring payment to unlock it.

• Encrypting malware encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. The ransomware may also encrypt the computer's entire hard drive, rendering usage impossible without the decryption key.

Ransomware and Businesses 2016

Why Should You Care?

• 2015 was a record year for new ransomware
  – 100 new types identified in 2015. In 2014 that number was 77.

• Ransoms are increasing. A US hospital paid $17,000 just to unlock their critical data.

• Organizations are firmly in the sights of attackers
  – Employees in organizations represent 43% of infections
  – There are ransomware families designed to infect organizations
  – Organizations are actively being targeted by ransomware attackers

• Targeted ransomware attacks use advanced attack techniques


Victim organization profile

Services 37.8%

Manufacturing 17.2%

Public Administration 10.2%

Finance, Insurance, & Real Estate 9.8%

Wholesale 8.9%

Transportation, Comms, & Utilities 6.6%

Retail 4.3%

Construction 3.9%

Mining 1.0%

Agri, Forestry, & Fishing 0.5%


35% Increase in Crypto-Ransomware Attacks

2016 Internet Security Threat Report Volume 21

Ransomware Families

• Desktops/Laptops
• Servers
• Smart Devices

Healthcare as a Ransomware Target

• Healthcare organizations have long been regarded as “soft targets”

• Hospitals are perceived to be more willing to pay ransoms due to the criticality of their data and the sensitive nature of healthcare operations

• Healthcare patient records are among the most coveted items on the underground black market

• A very lucrative business providing huge financial benefits for hackers


Recent Healthcare Victims

Victim                                            Date           Ransomware Type/Variant
Hollywood Presbyterian Medical Centre             February 2016  Locky
Los Angeles County Department of Health Services  February 2016  Locky
Chino Valley Medical Center                       March 2016     Locky
Kentucky Methodist Hospital                       March 2016     Locky
Desert Valley Hospital                            March 2016     Locky
Kansas Heart Hospital                             March 2016     Undisclosed
Ottawa Hospital                                   March 2016     Locky
Norfolk General Hospital                          March 2016     TeslaCrypt (Carrier)
MedStar Healthcare Group                          April 2016     SamSam
Benewah Community Hospital                        June 2016      Undisclosed

Where are the victims?

[Map: ransomware victims by country. Labelled countries: United States (31%), Japan (8%), Germany (4%), Canada (3%), India (3%), Australia (2%), United Kingdom, Belgium, Netherlands, Italy.]

Growth factors

• Easy access to encryption

• Effective infection vectors

• Adoption of advanced attack techniques

• Ransomware as a service


100 new types of Ransomware identified in 2015 compared to 77 in 2014


Ransomware as a service


Ransomware sold on underground forums for $200


How are they getting in?

Email

• Distributed through large spam runs
• Masquerades as invoice, unpaid bill or delivery notice
• Attached directly to email
• Attachment launches downloader which installs ransomware
• Link to exploit kit

Exploit Kits

• Hosted on compromised websites and exploit vulns in popular software
• Links sent through email, social media or malvertisements
• Angler was most popular kit in 2015 but is now believed to be offline

Other Vectors

• Malvertisements
• Other malware
• Brute-force attacks
• Server-side vulnerabilities
• Worm techniques
• SMS messages and app stores (Android)

Locky (Trojan.Cryptolocker.AF)


Advanced attack techniques

Recent ransomware attacks use tactics and techniques typically seen only in highly sophisticated attacks

• Infiltration: Exploit server-side vulnerabilities to gain access to the network.

• Reconnaissance: Attackers gather information that may help in later stages of the attack, such as back-up policy. Information gathered may also be used in the ransom note.

• Lateral movement: Attackers use publicly available tools to plot out and traverse the network and gain access to strategic locations.

• Stealth: Once the attack has been successfully carried out, the attackers attempt to hide their tracks by removing any tools used.


CASE STUDY: Inside an advanced ransomware attack

• Entry point was an unpatched web server; attackers exploited a known vulnerability to gain access

• Once in, attackers used publicly available tools to traverse the network

• Deployed SamSam strain of ransomware

• Malware spread quickly to network drives and connected data repositories

• Deleted back-ups to make recovery difficult

• Removed copies of malware and associated tools to hide tracks

• Ransom was 1.5 Bitcoin (US$989 at the time of writing) for each computer


CASE STUDY: Lessons learned

• Regular patching would have blocked off the point of incursion

• Users were not following company policy and stored files locally instead of on the file server

• Organization relied mainly on traditional signature-based anti-virus and intrusion detection capabilities


The ransomware protection story

Symantec offers protection at every stage of the Ransomware attack chain

Prevent

• Email Security
• Intrusion Prevention
• Download Insight
• Browser Protection
• Proactive Exploit Protection
• Application Sandboxing
• Phishing awareness

Contain

• AVE
• SONAR behavior engine
• Intrusion Prevention
• Sapient machine learning
• Emulator

Respond

• Symantec Managed Security Services
• Symantec Incident Response Services

How Can We Help? Achieve a higher level of security from endpoint to the cloud


THREAT PROTECTION

Block, detect and quickly respond to the most advanced threats, including Ransomware.

STAY AHEAD OF TOMORROW’S THREATS

INFORMATION PROTECTION

Keep your sensitive patient and medical information protected while keeping your employees productive.

PROTECT YOUR CRITICAL DATA WHEREVER IT LIVES

CYBER SECURITY SERVICES

Stay ahead of emerging threats by extending your team with the help of our team, around the clock, around the world.

RELY ON EXPERTS TO WATCH OVER YOUR SECURITY

WEBSITE SECURITY

Deploy comprehensive website security for your internal and external healthcare web portals.

TAKE ONLINE TRUST TO A WHOLE NEW LEVEL

Q&A

Thank you!

Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
