On Friday of last week, Europol reported that a worldwide attack using a piece of ransomware known as “WannaCry” hit more than 150 countries and infected at least 200,000 victims. Europol Director Rob Rainwright said that “the global reach [of the attack] is unprecedented. The attack appears to be targeting businesses and large corporations in the healthcare, financial and infrastructure sectors; these sectors have highly sensitive information ripe for a hostage.
Ransomware is malicious software, a virus, that has two purposes. The first is to encrypt the contents of a machines hard drive, preventing the user from accessing the information without entering a unique key or password. The second purpose is to act as a worm and spread to as many machines as possible. With a large footprint of infected machines, the attacker can then hold the data for ransom, promising to provide the password or key to decrypt the data once the ransom is paid in bitcoin (untraceable digital currency).
The WannaCry ransomware appears to exploit a vulnerability in the Microsoft XP operating system that was discovered as a result of the recent NSA tool dump. It’s unclear at this time whether the ransomware was developed by the NSA or just as the result of the NSA’s day one exploit stockpiling. Microsoft president and chief legal officer Brad Smith responded to the attack stating that it “provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem”. Smith continued his comment stating that “this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action.
While IT and Security teams have no doubt been working around the clock over the weekend to prevent the spread and manage the fallout, some key actions organizations should take in the immediate fallout are as follows:
- Immediately backup important and sensitive data in case you are infected soon.
- Update to the latest Microsoft security patches.
- Update all anti-virus and conducting immediate scans.
- Scan all inbound and outbound emails for malicious attachments.
- Send out a companywide awareness email warning employees about the attack and to be cautious of scams and malicious emails.
Moving forward, organizations should consider a more proactive approach to dealing with ransomware as opposed to reactive. In August of last year, CyberSheath Security Engineers wrote about the rise of ransomware and how using sandboxing techniques in daily operations can be 100% effective against malware attacks when used in combination with least-privilege. Adding to defense in depth, implementing a privileged account management solution can be used to prevent ransomware from spreading to critical servers by securing privileged accounts, and in combination with isolating critical servers with a secure jump host such as CyberArk’s PSM, can be a highly effective combination in combating malicious threats.
Let the security professionals at CyberSheath help you become proactive, not reactive. You can learn more about our approach by viewing our Privileged Access Management service area or clicking the button below to download our detailed Privileged Access Management datasheet.
Shakur Stevenson, U.S. Olympic Boxer, is set to advance to the Championship bout of the Men’s bantam 56 kg weight class. The young prospect has already secured at least a silver medal for the U.S and is looking to break the gold medal drought, which hasn’t been won by an American since 2004 in Athens. Staying ahead of your opponent is key in boxing; having the ability to react quickly and counter are instrumental to a fighter. Those same qualities are imperative to organizations too, and should be baked into one’s security posture; and today, one of the toughest opponents is ‘Ransomware’.
A few short weeks ago, CyberSheath published an article titled, Three Things You Can Do to Prevent Ransomware Attacks, which discussed three key pillars to protecting your organization from a Ransomware attack. Today, we’re going to focus on a specific solution that will help improve your organization’s readiness. CyberArk’s Viewfinity allows organizations to fight against threats with a defensive posture that is conducive to quick reaction, allowing you to stay ahead of Ransomware.
The Viewfinity solution is a combination of the least privileged and application control. The idea behind it is to reduce administrative rights across an organization, reducing the attack surface of Ransomware, but also utilizing Viewfinity policies to allow users to continue to do work that requires administrative level access for tasks automatically and transparently. The application control functions as a combination of whitelisting and blacklisting applications; what trusted applications can users use, and what known bad applications or executables can they not use? Applications that fall in the unknown are known as ‘greylist’ applications, which is where many Ransomware applications fall into.
With Viewfinity, organizations can automate the analysis of an application or executable with a single click. This allows those greylist applications to be run in a sandbox mode where an application is restricted to standard privilege only and is prevented from accessing network shares, removable devices, and the internet. Viewfinity analyzes the application’s behavior and helps determine whether it should be whitelisted, or blacklisted. If it’s blacklisted, the application can be automatically be banned across the entire organization.
The team at CyberArk Labs put the Viewfinity solution through its paces, and in a recent test, when using application control and least privileged, Viewfinity was able to protect against Ransomware in 7,000 out of 7,000 tests; a perfect 100% success rate.
Ransomware attacks are on the rise, and they’re only going up and up. According to a report published by Check Point, a single Ransomware variant known as Cerber has collected nearly $200,000 in July 2016 alone. It’s time your organization thought about stepping into the ring and taking on Ransomware with CyberArk’s Viewfinity.
Let the security professionals at CyberSheath be your trainer, and prepare you for the knockout punch against Ransomware. You can learn more about our approach by viewing our Privileged Access Management service area.
With ransomware attacks on the rise in 2016, a lot of organizations are scared. According to the KnowBe4 2016 Ransomware Threat Concerns survey, many organizations don’t have faith in their backup systems, which compounds the fear of a Crypto-Locker style attack. The survey of over 1100 companies found that 38% of the companies asked had been hit with a ransomware attack in 2016, up from 20% in 2014. Ransomware attackers aren’t just limiting attacks to a single industry. They are hitting hospitals, banking institutions, the manufacturing industry, and state and local governments.
What can you do to protect your organization and prevent ransomware attacks from occurring in the first place? Here are three things you can do today to shore up your defenses:
- Awareness and Training: Distribution of ransomware generally occurs in a series of steps according to Sophos. First, the ransomware is installed on a victim’s computer, through a phishing email or malicious file downloaded from the Internet. Next, once installed, it establishes communication with a server that is owned by the criminal group that initiated the ransomware. Once communication is established, a series of handshakes and keys are exchanged to identify client and server. One key is kept on the victim’s machine, while the other is stored on the server. Once the key is established, the ransomware begins the task of encrypting every file it finds. Then finally the ransomware app displays a screen demanding money for the key to decrypt the files. Payment is usually in the form of some sort of untraceable currency such as bitcoin or other electronic payment. Armed with this knowledge, you can begin to develop and tailor your security awareness training to incorporate recognizing suspicious emails, and teach employees not to download software from untrusted websites. What’s that you say? You don’t have a security awareness program? Believe it or not, you are not alone. Many organizations include some type of computer security as part of an overall new hire training, but employees aren’t required to re-certify.
- Test your backup systems: As mentioned earlier, according to the survey, many companies do not trust their backup systems enough to feel confident recovering from a ransomware attack. The simplest thing to do is test your backups regularly. Develop a test plan and procedure, simulate a ransomware attack and see how everyone performs. Hold an after-action meeting, document the lessons learned and update your test plan. Then repeat. Sure, it’s easier said than done because we all have day jobs. But would you rather spend some extra money to support a backup test or give money away to cybercriminals to get your files back? Testing your backups can be worked into a quarterly cycle and the tests should be as realistic as possible on the hardware that your company uses. Not only should you focus on ransomware attacks, but other kinds of cybersecurity incidents and you can even work in a disaster recovery scenario.
- Assess your readiness: While 1 and 2 are important, you can take it one step further and test your readiness now. Assess your security team. Ask them questions about ransomware. “Do we have a cyber incident response plan? Does it incorporate all threat vectors including ransomware?” Those are just some good starters. To be really effective, a full information security assessment might be necessary to get the bigger picture of your organization’s security posture. While ransomware attacks are keeping many CIOs up at night, there are far worse things, like data theft due to a breach. That is much more damaging to your business’s reputation and has a significant financial impact.
Whatever keeps you up at night, let CyberSheath help you get started to shoring up your security.
Recently, Hollywood Presbyterian Medical Center paid attackers for the decryption key that held the hospital’s systems and data hostage. While this style of attack is not new, increased attacks have businesses on edge. Ransomware is malicious software that blocks access to a network or system until a ransom is paid. In many cases, the data is encrypted and there is no economical way to retrieve the data until the decryption key is given to the victim. Usually this only occurs when a ransom is paid. In the case of the Hollywood Presbyterian, they decided to pay the ransom of about 40 bitcoins, worth approximately $17,000.
Security consultants who have assessed healthcare practices have likely interviewed medical staff and got a strong sense (if not directly told) that their work was diverting attention away from patient care. This mentality is one of the reasons why the healthcare industry is facing challenges when it comes to information security. The culture of providing healthcare over all else, the justification for neglecting information security, has finally hit an impasse – patient health and safety was jeopardized by a cybersecurity incident. The attitude toward information security – the time it takes, the costs – has to change. It’s unfortunate, but it seems to have taken an incident like the one seen at Hollywood Presbyterian to highlight how information security actually aligns with the healthcare industries health-first ideals.
A New Precedence
The precedent has been set with this recent attack and the people behind these ransomware campaigns, given Hollywood Presbyterian paid the ransom, now know that attacking healthcare organizations is lucrative. The weeks of incident response required to strong-arm a computing environment away from attackers, recover operations, and the economic impact of such an endeavor, it’s no surprise that Hollywood Presbyterian paid. The incident exposed industry-wide neglect toward information security and put a target on the backs of medical practices throughout the entire industry.
Blindly Accepting the Risk is Unacceptable
Is $17,000 is a bargain compared to building an information security program and capability? Remember that these attackers will get bolder with demands, and for an organization to accept risk based on that price is misguided. It should be expected that the demands will get higher as we see more of these incidents, especially if they begin to target healthcare specifically. The Hollywood Presbyterian incident should be seen for what it really was, a digital hostage situation. Preventing medical care is not much different than holding a gun to someone’s head. Once the magnitude of this comparison is realized, there will surely be more risk for the attackers by way of law enforcement, and the demands for reward will reflect that risk.
It’s time the healthcare industry took information security as seriously as something like infection control. Poor information security, just like poor hand hygiene, for instance, put’s patients at risk. Patients expect sterile, safe environments to receive healthcare services, and in this digital age, that expectation should extend to the confidentiality, availability, and integrity of the systems, devices, and information managed by healthcare service providers.
5 Actions Necessary to Produce an Effective Information Security Program
If your organization is new to information security, or you have only a partially implemented information security capability, consider taking the following steps:
1: Identify Your Sensitive Data
Determine where your most sensitive and critical data is stored, whether that be in your data center, a server closet, a third-party service provider, or in the cloud. It is difficult to take a strategic approach to information security without knowing what you are protecting. Continuously maintain this awareness.
2: Inventory Your Critical Systems
Evaluate what systems and system components are storing, processing and transmitting your sensitive data, or are providing critical services to your operations. Understand the data flow, and know which systems present the highest risk to your operations as it relates to the confidentiality, availability, and integrity of those systems and the data they process.
3: Assess Your Risks
Assess your environment for risk. Anything from electronic records, physical media, and the availability of critical systems, services, or devices should be considered. Consider an independent assessment by a respected third party firm if internal resources and expertise are unavailable.
4: Implement Security Controls
Select, apply and manage security controls programmatically based on risk. The PC that cycle’s employee event information in the lobby is not as important as your electronic health record repository where careful consideration of security controls should be taken.
5: Monitor Effectiveness
Periodically evaluate the effectiveness of your risk-based information security strategy, the security controls applied, and the proper implementation of security technologies proactively, and apply corrective actions, remediation, and lessons learned to ensure preparedness for the evolving threat landscape.
How CyberSheath Can Help?
In order to implement an effective information security program, a picture of your network must first be obtained. Whatever your security needs are, CyberSheath can assist you along the way. From conducting an information security assessment, to building a security program, let us help you secure your data.