Ransomware: A Threat to Life, Education and National Security

Ruth Lanigan

Ruth Lanigan

Ransomware: A Threat to Life, Education and National Security

Since the global onset of COVID-19 this year, cybercrime heights have soared. In a recent PWC report, almost 80% of Irish companies are struggling to keep up with the complexity of evolving cyber threats. Not only has the attack surface massively expanded but cybercriminals have leveraged the pandemic by sending out various ransomware attacks that lure internet users to click on malicious links or files. This has allowed the hackers to steal sensitive data and often take control of a user’s device and use it to direct further attacks. Ransomware attacks are becoming more and more sophisticated and are now starting to become a daily threat to our lives.

Hospitals and healthcare continue to suffer the most

Healthcare organisations continue to be the most exposed industry to cyber attacks this year, with the industry accounting for more than four in ten breaches. As hospitals continue to shift their focus and resources to their primary role and the demand of managing this extraordinary emergency, has once again placed them in a very vulnerable situation. This time – it has led to a death occurring after a patient was diverted to a nearby hospital after the Duesseldorf University Hospital suffered a ransomware attack.

German authorities are now investigating the death of a patient following a ransomware attack on a hospital in Duesseldorf. The patient, identified only as a woman who needed urgent medical care, died after being re-routed to a hospital in the city of Wuppertal, more than 30 km away from her initial intended destination, the Duesseldorf University Hospital. The Duesseldorf hospital was unable to receive her as it was in the midst of dealing with a ransomware attack that hit its network and infected more than 30 internal servers on September 10, last week. The incident marks the first-ever reported human death indirectly caused by a ransomware attack.

The patient’s death is currently being investigated by German authorities. If the ransomware attack and the hospital downtime are found to have been directly at fault for the woman’s death, German police said it plans to turn their investigation into a murder case. According to German news outlet RTL, the ransomware gang has withdrawn its ransom demand after German police reached out. The hospital has since received a decryption and is restoring its systems.

In a tweet earlier today, hospital officials blamed the ransomware infection on a vulnerability in a widely used commercial software. In a subsequent tweet, the same officials said they notified German authorities, such as the German cybersecurity agency BSI, who are responsible for issuing appropriate security warnings. A day earlier, the BSI had issued a warning, out of the blue, asking German companies to update their Citrix network gateways for the CVE-2019-19871 vulnerability, a known entry point for ransomware gangs.

The Associated Press also reported today that the entire ransomware attack on the hospital’s network appears to have been an accident, with the ransom note being addressed to the local university (Duesseldorf Heinrich Heine University), and not the hospital, which was only part of the larger network.

Another ransomware attack at a Wyoming health system that includes a long-term care facility has affected all 1,500 computers, disrupted service provision and forced the use of paper charts instead of electronic health records. And one official says such incidents are increasing across the country. The attack at Gillette, WY-based Campbell County Health — which includes The Legacy Living and Rehabilitation Center, with a secure memory care wing, as well as a hospital, medical group with almost 20 clinics, and a surgery center — occurred around 3:30 a.m. Friday, according to system officials. By Saturday morning, system officials said in an online post that long-term care residents and home health and hospice patients continued to be cared for. “We are working with regional facilities to transfer patients who need a higher level of care,” they said.By Tuesday, some system services were being provided “on a case-by-case basis” and others still were not being offered. Radiology services are being affected the most, Chief Operating Officer Colleen Heeter had said at the previous day’s press conference. Campbell County Health is not disclosing the number of people affected by the ransomware attack.

Weeks after malware disruption, New York hospital is getting back online

For three weeks, a 290-bed medical facility in upstate New York has been grappling with a cybersecurity incident that prevented doctors from accessing patients’ electronic medical records (EMRs). The EMRs and payroll and accounting systems are now back online, the Samaritan Medical Center said in a statement Wednesday, but restoring the entire computer network will still take time. The not-for-profit Watertown, New York, institution — which says it generates $395 million annually in economic activity — blamed a “malware attack” for the disruption. There was no evidence that patient data had been compromised. For Samaritan, the recovery process has been gradual and remains ongoing.

Ransonware as a threat to education

The U.K. National Cyber Security Centre (NCSC), issued an alert about a surge in ransomware incidents targeting educational institutions, urging them to follow the recently updated recommendations for mitigating malware attacks. This warning comes after the NCSC investigated in August an increased number of ransomware attacks on schools, colleges, and universities in the country. A recent study conducted in the UK found that a third of all universities suffered a ransomware attack. (This study did not include a recent DoppelPaymer ransomware attack at Newcastle University, who refused to take part in the initial study.)

Targeted weaknesses

Apart from forewarning about ransomware threats, the government organization also provides the common initial infection vectors seen for this type of cyber attack:

  • Insecure Remote Desktop Protocol (RDP) configurations
  • Vulnerabilities in unpatched software and hardware devices, especially equipment on the network edge, such as firewalls and VPNs.

Phishing emails

Once on the network, the attackers seek to move laterally searching for high-value machines to encrypt. Backups, network shares, servers, auditing devices, are all targets.

Effective defenses

The NCSC recommends having an incident response plan and implementing a “defence in depth” strategy, providing general tips for disrupting the most common ransomware attack vectors.

  • Effective vulnerability management and patching procedures, along with properly securing RDP services using multi-factor authentication are at the top of the list of recommendations.
  • Running updated antivirus software, having proper defenses against phishing, and disabling or setting up restrictions for scripting environments and macros can help thwart a large portion of cyberattacks, not just file-encrypting ones.
  • Implementing mechanisms for quick data recovery from up-to-date, valid offline backups are also included in the defense strategy against ransomware events.

For more specific action, the organization points to the recently updated guidance aiming to prevent malware attacks and to recover from ransomware incidents.The spike in cyber attacks since schools all over the world started to resume activity has been noted by private security companies, too.

Kaspersky and Check Point published reports earlier this month about the education sector being a more frequent target since the beginning of the year, more so over the past two months. In particular, these two cybersecurity companies noticed a surge in distributed denial-of-service attacks, although the threats varied from one region of the world to another.

Ransomware hitting national security

The U.S. Department of Homeland Security has alerted energy and other infrastructure firms to review their cybersecurity after a ransomware attack interrupted a natural gas compression facility.

The attack caused the unidentified pipeline facility to lose access and visibility to certain data and operations but it did not lose control of its overall operations. Management decided to deliberately shut down operations as a precaution. Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days, according to DHS.

According to the department’s Cybersecurity and Infrastructure Security Agency (CISA), the cyber threat actor used a Spearphishing Link to obtain initial access to the organization’s information technology (IT) network before pivoting to its operational technology (OT) network. The attacker then deployed commodity ransomware to Encrypt Data for Impact on both networks. The government did not say if the attackers asked for payment of any ransom to halt their attack.

CISA, which responded to the event, was critical of the facility’s emergency response plan for focusing on threats to physical safety but not cyber incidents.

Although the facility’s plan called for a full emergency declaration and immediate shutdown, management “judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures,” according to CISA. The limited measures included a four-hour transition from operational to shutdown mode combined with increased physical security. CISA is encouraging asset owner operators across all critical infrastructure sectors to review the details of this attack and take mitigation steps to protect their organizations against similar ransomware attacks. CISA did not identify the source of the attack.

Last August, CISA said China was the greatest threat to the U.S. and its operational priority was reducing the risks to the global supply chain.

In 2019, cyber experts suspected Iran was stepping up its cyber attacks against the U.S. government and critical infrastructure.

In 2018, the FBI and the Department of Homeland Security issued a report saying that Russian hackers have been attacking the electric grid, power plants, air transportation facilities and targets in the commercial and manufacturing sectors — attempting to gain remote access or install malware or make spear phishing attempts.

What do we do after an attack?

While you are working to repair the damage from the present breach, you also need to ensure that your organisation will not be compromised again. Conduct full risk assessments, penetration tests and invest in technologies that will help you prevent future incidents. Consider outsourcing your security operations to have 24/7 monitoring and visibility.

Ransomware isn’t going anywhere so you must be prepared and maybe it’s time to rethink your active defence.

Ruth Lanigan

Ruth Lanigan