More Ransomware Woe for U.S. Hospitals

February 07, 2018
Ryan Witt

In what has become an all-too-familiar story, a ransomware attack unfortunately hit a healthcare provider in Indiana. Below are the attack details and four ransomware recommendations to help your organization prepare.

The attack accessed the regional hospital’s network through a business associate’s account and quickly spread throughout the network. Ultimately data access to patient medical records and internal email was locked and more than 1,400 filenames were changed to "I'm sorry." Oh, the irony of the modern hacker.

In the end, the hospital chose to pay the ransom of four Bitcoin (approximately $50,000) to get their systems and data back. "It wasn't an easy decision,” said a hospital spokesperson. “When you weigh the cost of delivering high-quality care versus not paying and bearing the consequences of a new system, the amount of the ransom was reasonable in respect to the cost of continuing down time and not being able to care for patients.”

Given the impact ransomware has on a hospital’s ability to provide high-quality patient care, many healthcare CISOs have privately stated that there should be no stigma attached to paying a ransomware demand. Ransomware continues to plague the healthcare industry with attacks reported almost daily and what is particularly concerning is the customization of ransomware campaigns for specific industries, such as healthcare.

Ransomware Attack Trends

Our researchers have seen Philadelphia ransomware (a relatively new ransomware variant) used to target specific healthcare institutions. In one such case, email messages tagged as “Patient Referral” purporting to be from clinician in provider “A” were being sent in provider “B”. The patient chart included in the email was actually a link to a file that downloaded Philadelphia ransomware. In the same vein, Proofpoint research has determined that more than 90% of malicious email messages, that featured nefarious URLs, lead users to credential phishing pages. In addition, a full 99% of email-based financial fraud attacks rely on human clicks rather than automated exploits to install malware.

In a recent report, Protenus Healthcare Breach Monitor found that ransomware attacks on U.S. hospitals had doubled since 2016. In total,“ there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS) …which affected a total of 5.579 million patient records [in 2017]…]”

Our research team has also seen similar growth; for example, we recently assessed the attack profile of a noteworthy pediatric care institution, noting a 600% increase in malware URL email volume from the first half of 2017 to the second half of the year. Sixty-four percent of that increase was due to ransomware attacks. Even more concerning was the observance of an average 1.4 net new ransomware strains daily during the period measured.

Four Ransomware Recommendations

Ransomware will continue to be a significant drain on healthcare information resources, but there are ways to amplify prevention, detection, and response to these attacks. Here are some tips to help hospitals prepare for ransomware attacks:

Before you are infected:

  • Defend your email. Email phishing and spam are the main ways that ransomware is distributed. Secure email gateways with sandbox protection are crucial for detecting and blocking malicious emails that deliver ransomware. These solutions protect against malicious documents and URLs in emails being delivered to user computers.
  • Defend your SaaS applications and mobile devices. Mobile application security, when used in conjunction with mobile device management (MDM) tools, can analyze apps on devices and immediately alert users and IT to any apps that might compromise your environment.
  • Defend your web surfing. Secure web gateways can scan your web traffic to identify malicious online ads that lead to ransomware. Web browser isolation also provides a solution to help contain drive-by downloads from web surfing.
  • Monitor your server, network, and back up key systems. Monitoring tools can detect unusual file access activities, network C&C traffic, and CPU loads—possibly in time to block ransomware from activating. Keeping a full image copy of crucial systems can reduce the risk of a crashed or encrypted machine causing a crucial operational bottleneck.

If you are already infected:

  • Call federal and local law enforcement. Just as you would call a federal agency for a physical-world kidnapping, you need to call the same bureau for ransomware. Their forensic technicians can ensure your systems are not compromised in other ways, gather information to better protect you going forward, and try to find the attackers.
  • Restore your data. If you have followed best practices and kept system backups, you can restore your systems and resume normal operations.

For more information, please download our Ransomware Survival Guide or contact Proofpoint to arrange a security assessment for your environment.