Ransomware: risks and preventive actions

Ransomware is a type of malicious software that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.

WannaCry, SambaCry, CryptoLocker, Petya and Locky are some of the more common names of ransomware that have become part of mainstream news, and even persons working outside of security related fields are very painfully aware of the threat ransomware poses .

Ransomware prevention in healthcare

A ransomware attack on a healthcare provider can potentially cause significant financial, reputational, health and safety harm. The level of harm depends on the effectiveness of existing security measures and the number of criticality affected systems.

ENISA’s webpage on Health Critical Information Infrastructures and Services gives more information on this topic:
https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/ransomware

Recommendations to protect against ransomware

Consider these five recommendations that cover most of the families of ransomware (to date). If these five recommendations are carried out well within an organisation, it can mitigate the vast majority of risks from the threat of ransomware:

  1. Education and Training

The vast majority of ransomware comes via phishing attacks. Training needs to cover the threat, the identification of phishing emails, and lessons on what one should and should not click on in addition to when and when not to open a file. Further, for most organizations, penetration testing with phishing samples is recommended to measure the success of your training initiatives.

  1. Secure backups

The worst case scenario is when the network infrastructure  of an organisation becomes infected with ransomware. If you follow the law enforcement’s recommendations, you should not pay the ransom requested by the attackers.

Secure backups is a key way to recover from ransomware incidents. While this recommendation is not preventative, it is the only one that can help you when all else fails. All data should be backed up, and most importantly secured such that a ransomware infection can not compromise the backup via mapped drives or network shares. The backup should also be tested on a periodic basis to ensure it can restore all files back to an uninfected state.

  1. Secure common software macros

Some of the newer ransomware takes cues from older malware leveraging Microsoft Office and other application macros. This type of ransomware attack is not easy to resolve because many spreadsheets and documents depend on macros to satisfy everyday business and functional requirements.

Newer versions of Microsoft Office contain a setting to drastically reduce the possibility of ransomware using macros to gain access to a system. This setting – Disable all macros except digitally signed macros – is found within the Trust Center settings will do what it states. That is, it will prevent a macro without a valid certificate authority from executing.

  1. Update the computer frequently

According to the Verizon Data Breach Report, 99% of attacks target known vulnerabilities. Even though this specific vulnerability may have been patched in a version or security update for the software, many organizations do not patch third party applications regularly let alone the operating system itself (this is precisely what occurred in the WannaCry case).

Maintaining software to be at their most recent version is has been crucial for security practices for many years, but organisations continue to have outdated – sometimes several years outdated – software in everyday use. It is critical to regularly schedule an assessment of the organisational environment for outdated or vulnerable software. Further, there must be tested and proven processes to remediate any findings.

  1. Adjust user administrator rights

Ransomware spreads by leveraging the user’s privileges to infect files that are within their normal scope and access. If the user only has standard user rights, the only files visible are the ones they may have locally or via a network share.

While the scope of this type of access may itself be fairly large, it can be much worse if the user actually has administrator privileges. In this case, potentially every file visible to an administrator has become accessible and therefore the entire environment is potentially susceptible to an infection. This assumes however that the ransomware can execute as a standard user.

You can find more information on good cybersecurity practices through this link: https://www.beyondtrust.com/blog/entry/ransomware-5-prevention-strategies

Further reading

Literature

D.F. Sittig, et al., “A Socio-Technical Approach to Preventing, Mitigating, and Recovering from Ransomware Attacks”, Appl. Clin. Inform., 7, 2016.

R.Z. Arndt, “Frequent employee training helps stave off ransomware”, Mod. Healthc., 47, 2017.

  1. Kelpsas, et al., “Ransomware in Hospitals: What providers will inevitably face when attacked”, J. Med. Pract. Manage, 32, 2016.
  2. Conn, “Ransomware scare: Will hospitals pay for protection?”, Mod. Healthc., 46, 2016.
  3. Goble, “Stop – Think – Connect. Preventing ransomware attacks”, Mich. Med., 115, 2016.